It’s commonplace now to hear horror stories about cybercrime. That’s because the problem is getting worse. It’s not all bad news, as many fintechs and cyber specialists are using the same tools as the hackers to fend off attacks. But the number of attacks continues to grow as more enterprises and activities go digital.
This raises the question of how likely it is that companies can buy insurance against cyberattacks.
Another way to put this is, can insurers make a market in this business?
The answer is yes, but with a lot of caveats. In Asia, cyber coverage remains limited compared to the US. The situation is improving but it’s still difficult.
How much capacity?
Arati Varma, Singapore-based head of financial lines and casualty at QBE Asia, says the carrier is expanding its cyber underwriting in the region. It’s been writing policies in Asia since 2017.
“There’s more capacity out there,” she said. “It’s been a difficult market and we’ve seen some insurers scale back. But it’s now possible to secure limits of $100 million or even $150 million in Asia.”
That size is now commensurate with policies written in the US, although big deals like that are rare. Even in the US, most businesses are limited to $5 million or less. For larger customers, $100 million is now typical, and the biggest enterprises can acquire ‘insurance towers’, multiple policies stacked together, providing coverage of $500 million or more.
In 2022, global cyber insurance premiums reached $12 billion, according to S&P Global Market Intelligence. That’s starting to become sizeable income for insurance companies – but the risks are also considerable, and some insurers are shying away from underwriting for high-risk industries like healthcare.
FIs under threat
Financial services are also heavily targeted by criminals, but Varma says these are also often the most sophisticated groups when it comes to cyber security.
“Banks are the most sophisticated about cybersecurity and have the most robust hygiene,” she said, referring to standard protocols such as protecting passwords and encrypting data, as well as having a playbook for when a hack occurs.
Insurance companies themselves are also targets, given the vast amounts of data they process, from health records to underwriting details.
Financial institutions are especially reliant on trust. They have the most to lose so they tend to pay more attention to cybersecurity. But Varma says awareness of best practices remains spotty.
Demand > supply
To obtain insurance coverage requires an enterprise to prove it has a solid cybersecurity framework. Insurers such as QBE also provide advice on best practices – which if followed means they are more likely to make a market in cyber cover.
The demand for cover right now probably well exceeds what insurers are willing to underwrite, however. The sums are simply too vast.
For example, last summer, a security vendor, CrowdStrike, botched a software update. It accidentally led to mass outages among PC users, including many airports. Cyber criminals had a field day stealing data and extorting victims. QBE says that incident cost big corporations $5.4 billion of damage, plus the loss of $25 billion in share value – and that doesn’t include whatever damages accrued to Microsoft, CrowdStrike’s parent.
Another recent incident, one affecting financial services, was the 2023 attack on ICBC’s US arm by a hacker group, LockBit. The chaos prevented ICBC’s brokerage unit from settling trades of US Treasuries, disrupting the entire market. Eventually ICBC’s Beijing parent had to inject $9 billion into the US entity to return to normality.
The prevalence of Russian, North Korean and other state actors makes cybersecurity an even greater menace. QBE reckons 2024 saw around 80 ‘deniable state-aligned incidents’ and 120 attacks made directly by states.
Artificial intelligence and the use of deepfakes have made these attacks even more insidious.
Sadly, most victims end up paying the ransom.
Wanted: more data
Varma says the biggest impediment to underwriting cyber is a lack of data. This keeps reinsurers from supporting carriers, which tend to rely on traditional property insurance information to form a view of a company’s risk.
She notes that industry associations and specialist groups, as well as regulators, are collating information on incidents to improve profiling of claims and payouts. This isn’t happening in Asia in a systematic way, so it’s harder for insurers and reinsurers to price risk or help clients measure it.
The situation is gradually improving, thanks to AI, which is making it easier to gather and summarize lots of complex information.
But the global nature of crime and fallout adds to actuaries’ headaches. “Cyber is a global risk,” Varma said. “Vendors, IT forensics, and insurers are collecting more data but it’s a work in progress.”
The biggest question in cyber insurance – the one most critical to there being a market for this kind of protection – is whether that $12 billion in global premiums is profitable to insurers.
Is QBE making money from this line? Varma wouldn’t be drawn on specifics. “We have our pricing and rating models, and the business keeps evolving,” she told DigFin.
Companies large and small that want cyber protection can improve their profile to insurers if they are rigorous about security protocols. There’s a balance between security and other business needs, but the likelihood of attacks on financial institutions and fintechs, and the damages caused, suggest demand for cyber protection is only going to increase.
