The WannaCry ransomware attack in over 150 countries has revealed the widening scope of corporations’ cyber risk exposures, and this is likely to increase the demand for related insurance protection, Fitch Ratings said.
Thousands of organisations worldwide were caught off guard by the ransomware attack on 12 May, encrypting users’ personal data and demanding a ransom of between US$300 and $600. The cyber attack infected more than 200,000 computers across the globe.
Insurers are in a unique position to assist customers in addressing the cyber threat, the ratings agency said.
However, a cautious approach to adding cyber exposures is warranted as there is considerable uncertainty in pricing and underwriting this risk. Aggressive expansion by individual underwriters into the segment could be credit-negative.
Tallying the costs from recent attacks will take time. However, increasing corporate anxiety from cyber-related threats amid regular reports of data breaches and other information system intrusions will spur demand for cyber protection and solutions, including insurance protection.
Furthermore, compliance with developing regulations is likely to increase the demand for coverage, the agency said.
Insurers are playing an expanded role in countering the cyber threat, utilising traditional expertise in risk management and claims services. They are also gaining more technical expertise in cyber-threat testing and prevention and post-event resolution through acquisitions or alliances with cyber security vendors.
Cyber coverage, therefore, increasingly includes a service and advisory component, as well as insured loss limits.
Besides cyber extortion and ransomware attacks, cyber-related events may include systems hacking, data theft and denial of service attacks.
These events may lead to economic losses from damage to systems and property, remediation costs, lost revenue due to business interruption and reputation damages, Fitch said.
Hacking events could also generate third-party liability exposures triggered by errors and omissions or failure to protect data.
Professional liability exposures, including potential claims against directors and officers for failing to manage risks and prevent cyber incidents, are also possible.
US insurers wrote approximately $1.3 billion in cyber coverage in 2016. This amount could grow more than 10-fold to $14 billion by 2022. Leading underwriters of cyber risk include AIG, XL Group Ltd and Chubb.
Many insurers have taken a cautious approach to introducing cyber coverage, particularly with regard to liability coverage. Underwriting experience relating to cyber coverage, as reported by insurers, has appeared relatively favourable for insurers in the past two years, but the market remains untested.
Insurers’ reluctance to write more cyber coverage lies with challenges in establishing actuarially robust pricing and coverage terms for cyber-related risks, given still-limited data from historical claims losses, Fitch said.
The evolving nature of events and uncertainty regarding the source and range of potential losses add further challenges. Premium growth in cyber products may also be dampened somewhat by contrasts between the coverage insurers are currently willing to offer and the policyholders’ expectation of the nature of their cyber risk and protection needs. Over time, these differences will likely converge as the market matures.
Given these challenges, aggressive growth in stand-alone cyber coverage, or movement to high portfolio concentration in cyber would be viewed negatively for an insurer’s credit profile. Underwriting, pricing and reserving uncertainties would outweigh the potential earnings growth benefits, said the agency.
Controlled growth as part of a diversified portfolio, coupled with continually enhanced underwriting standards, would generally be neutral for their credit profiles. M