
29 October 2014

Jamie Bouloux
AIG UK

Despite a rise in the number of insurers writing cyber risk, an air of trepidation remains, says Jamie Bouloux of AIG

Cyber risk is often characterised as being a high-severity, low-frequency sector. Is this the case and, if so, has it affected uptake?

High-severity, low-frequency events definitely exist—just look at the Target or Home Depot cases in the US—but statistics released by the UK government regarding cyber crime state that the cost of business in the UK is £21 billion and somewhere between eight and nine out of 10 small- to medium-sized enterprises (SMEs) in the UK have had some sort of cyber security issue. I think it’s fairer to say that, while high-severity, low-frequency events do not necessarily represent the majority of claims, they do tend to get all of the headlines.

We are expanding quite rapidly in the SME space. One thing that insurance companies battled with was getting the right pricing for that space and making cyber affordable—but I think that has happened now. At AIG, we have backed the UK Cyber Essential programme with the view that, for companies that understand and mitigate their cyber security exposures by getting accredited through the UK government-backed initiative, we wanted to be able to offer them indemnification and support in the event that they do suffer. When we first entered the market, cyber was only purchased by companies that really needed it (or those who were perceived to) such as financial, telecommunications and retail institutions.

What are the main differences between first- and third-party losses? Is one more common than the other?

It depends on the geographic split of where the particular organisation is domiciled or earns revenue. A retail company in Europe, the Asia Pacific or Australasia would probably be more concerned with the first-party loss associated with them, rather than the third party. By that I mean that business interruption, cyber extortion, data restoration, and IT forensic support are the biggest reasons we are talking to companies about cyber—in the European Market Infrastructure Regulation (EMIR)-affected region, at least.

There is a gap within traditional property and casualty policies that has allowed a first-party cyber market to develop in Europe, especially around concerns where we cover the non-physical business interruption associated with networks being taken offline and, subsequently, entities not being able to trade via the internet.

If you look at the situation with Target, the experience is very different in the US. There were first-party costs to the entity in cleaning up the system and launching an investigation into what data was stolen and how. Also, in the US, affected individuals have to be notified via post and credit and identity theft insurance provisions have become the norm and were provided. However, there was a huge third party element to it as well. Affected parties of the breach filed class actions against Target from individuals whose personal data was exposed, to banks looking for recourse, to various other affected vendors and, ultimately, the shareholders themselves.

So is the industry as a whole still reluctant to write cyber? If so, is there a reason for this?

I don’t think this is necessarily the case either, to be honest. If you look at the US, there are more than 50 insurance markets offering cyber insurance and in London we’re not that far behind. For some carriers there is an element of trepidation to offer large limits or make the investment to hire an underwriting team that understands the risk to be able to underwrite to a profit, which is why we are seeing the growing strength of cyber-specific managing general agents in this space.

This model allows insurance carriers that don’t want to invest in the capital to underwrite this class on a standalone basis to get a piece of the growing pie. The reality, however, is that the market believes this is the next essential insurance, and all I am seeing at the moment is more carriers coming to market.

What are the capital requirements and premiums associated with this kind of risk?

In the most basic sense, the capital requirements vary and there are many factors that affect this. For example, I might look at a $2 billion manufacturing risk against a $300 million retail risk and decide the retail is higher exposure due to collecting and transacting personal information and credit card details. A manufacturer’s exposures tend to be tied to the non-physical business interruption element of cover (such as attacks against supervisory control and data acquisition (SCADA) systems). This means that while the retailer earns less revenue than the manufacturer, a primary limit would potentially cost the retailer more than the manufacturing client as there is more incentive for a malicious insider or third-party criminal to steal credit card information for use or to sell on.

That would mean the smaller company would pay the higher premium and we would expect better risk management around the exposure because you are dealing with individual consumers, as opposed to the corporate clients that the manufacturer might be dealing with, in the event of a breach.

That being said, we would certainly underwrite to the disaster recovery and mitigation plans that the manufacturer employs. It is important that we understand the risk management around dealing with an event so we can offer meaningful limit options for the client and price accordingly.

Has the sector become more populated by clients and providers in recent years?

The growth numbers are phenomenal. If you look at AIG alone, in 2013 we saw 1500 submissions and in H1 2014 we’ve seen 1300 submissions. We are expected to double the submissions for this year versus last year and this is indicative of more and more people understanding the risk of cyber and subsequently coming to market.

Unfortunately, this means there will also be a lot of competition. We are already seeing the pricing squeeze in this area, which is a concern because, with a new product, you would hope to be able to build up a substantial pool of clients and premiums to be able to offset the large amount of claims that are inevitable in this space. Luckily, AIG has the critical mass to be able to do this, but I worry that some of the other insurance carriers might ultimately feel the effects of a few more large breaches like Target or Home Depot.

The competition is healthy and also drives innovation in this space. It is hugely important that new products do not remain static, that they understand the risks of the client and continue to adapt and grow.

As companies look to become more global and serve clients in jurisdictions where they might not have as much of a presence, the way that they execute their business plans is becoming more virtual, which has its own inherent risks. Consumer protection laws and other administrative regulatory actions also need to be understood.

Some parts of the world are inherently more exposed to the elements and, therefore, catastrophe risk claims than others. Are there any particular countries that are more susceptible to cyber risk?

I think you’ve raised two issues here, the geographic and the systemic. In terms of the geographic issue, the US is the biggest cyber market to date, because there are 47 different individual state laws about notifying individuals. There is also guidance, such as that from the Securities Exchange Commission, which requires any company listed on a US stock exchange to identify what the operational and financial implications of a cyber breach could be and disclose whether they are buying insurance to offset that risk. By having this guidance and mandatory notification, you are already opening up the potential for systemic loss, as you have to report and notify.

In Europe, that does not necessarily happen, as we are still waiting for the EU data legislation to be passed, which will offer mandatory notification requirements. That will change the landscape of cyber in the UK and across Europe and other EMIR-affected areas. The conversation will move from business interruption and first-party costs to the company, to first-party costs affecting individuals.

As far as real systemic loss, the insurance industry is moving towards covering third-party outsourcing services. There was a survey that indicated that by 2015, something like 98 percent of SMEs across Europe will use some form of outsourcing. This has invited huge pressure on the insurance industry to look at the business enterprise risk of outsourcing and provide some kind of insurance solutions—whether that is business interruption cover or electronic data retrieval insurance.
