Cyber insurance policies have historically focussed on the costs of restoration (of both systems and data) and PR costs (to protect reputational harm). But as understanding of the peril of cyber attacks widens, the demand for business interruption insurance has grown and is seen as one of the main drivers for the forecast growth in cyber premiums. According to Allianz, global premiums will reach $20bn by 2025 as companies are increasingly looking to protect their balance sheets with bespoke cyber insurance products.
What is interesting is that products are emerging that bypass the traditional insurance approach described above and which are more akin to Alternative Risk Transfer or ‘ART’. ART has traditionally been a byword for captive insurance – whether company owned, or group or protected cell. But in a developing insurance landscape, insurers seek to find new ways of transferring risk.
For example, last year Credit Suisse sold a SwFr. 220m bond tied to its operational risk (and linked to coverage provided by a Swiss insurer) where buyers could earn a coupon of more than 4%. On the downside, those buyers could also stand to lose their investment if the bank were to find itself hit with charges from employee malfeasance, cyber attacks and other operational issues.
It is perhaps not surprising that banks and financial institutions are increasingly looking at insurance differently. The demand stems not only from the recent wave of cyber attacks – think of the Distributed Denial of Service (DDoS) attacks in January this year against Lloyds, Halifax and the Bank of Scotland – but also from regulatory requirements: the largest banks are allowed to use insurance to reduce their capital reserves against operational risk by up to 20%.
Cyber attacks are one of a number of operational risks for banks. But insurers are understandably reluctant to offer insurance cover against operational risk given the high claims that could arise from, for example, rogue trading. Indeed, policies still require a significant retention. As such, banks continue to bear a significant proportion of losses so they do not loosen their control environment. Equally, the insurance industry protects itself against moral hazard.
The threat and reality of cyber attacks is not going away – always a “when” not an “if” nowadays. As ever, the insurance market will evolve in response and perhaps move away from traditional coverage routes – all part of the ART of cyber insurance.