The Evolving Cyberrisk Landscape and the Insurance Industry


Rapidly developing computer technologies and the unrelenting evolution of cyberrisks present one of the biggest challenges to the (re)insurance sector today. Liabilities from cyberattacks and threats to the data security of cloud computing and social media have become key emerging risks for carriers. The unprecedented rise in cyberattacks, in addition to the threat cyberrisk poses to global supply chains, has seen the cyberinsurance market grow significantly in recent years.

Client demand for cyber coverage has been growing, on average, 30% annually in the United States over the past several years, according to Marsh. While demand varies by industry, the one constant has been that more clients are investigating and analyzing existing traditional insurance coverage and whether they need standalone cyberrisk insurance coverage.

Because cyberrisk is associated with the use of technology and the handling of all data and information, the threat transcends a company’s information technology (IT) department as well as what is confined to the internet. To help overcome some misconceptions that still exist for cyberrisks, some clarity around business exposures is needed to understand the scope of the threat.

Cyberattacks pose a danger to global supply chains

Cyberrisks are not isolated and are usually connected to other risks. Many companies that are exposed to cyberrisks are, for example, also exposed in turn to risks to their supply chain. Due to technological innovation and advances, many parts of a company’s or industry’s supply chain have become interconnected and automated.

Most commercial entities today are exposed to these risks as a growing number of businesses become more interconnected globally. A single cyberattack has the potential to put an entire company’s supply chain at risk. Therefore, cybersecurity and supply chain risk management must be considered in conjunction with one another.

There are a range of risks when it comes to online/computer security. Cyberattacks can result in first party liability, including business interruption, computer security breaches, privacy breaches of confidential information and even third-party liability losses. Technology failures have begun to outpace adverse weather, fire and social unrest as the major force in disrupting a corporate supply chain, according to a recent Guy Carpenter report.

Everyone is at risk – individuals, companies and governments

In 2014, cyber issues have become more of a concern for companies that once felt they had relatively little exposure. In fact, cyberattacks were ranked fifth among the top five global risks in terms of likelihood in this year’s World Economic Forum’s annual Global Risks 2014 report.

Governments consider cyberattacks to be among the most serious economic and national security challenges now facing them. And through the ubiquitous use of the internet, mobile devices and social media, companies of all sizes and in all nations are now finding themselves at risk of falling prey to the full range of cyber perils. Such attacks can run from hackers shutting down a company’s network, gaining access to customers’ and employees’ personal and financial information, to the theft of business trade secrets.

More data laws and regulations in place

High-profile data breaches and other cybersecurity incidents have become more commonplace with increasingly onerous outcomes. Target, one of the largest retailers in the United States, suffered a massive cyberbreach late last year which involved the theft of approximately 40 million credit and debit card account details as well as personal data of nearly 70 million customers. The breach reportedly occurred when hackers used the retailer’s heating and cooling vendor’s system to navigate their way into the retailer’s records. The resulting publicity cost the company a significant amount in lost sales, loss of reputation, class action lawsuits, and may have contributed to the ouster of the chief executive officer. And most recently, a U.S.-based online auction site announced that hackers accessed the company’s 145 million user accounts and urged customers to change their passwords.

More recently, home improvement chain Home Depot became the victim of another credit card data breach and the FBI is reportedly investigating cyberattacks at some of the largest banks in the United States.

As cyber incidents affect both consumers and institutions, governments everywhere are putting more data privacy laws and regulations in place in regard to disclosure and other related safeguards. In the United States, there are laws that require the protection of both personal financial and health information. Last year, the U.S. Securities and Exchange Commission, which oversees publicly-traded companies, adopted a directive requiring certain regulated financial institutions and creditors to adopt and implement identity theft programs in light of the new cyber threats.

Risk mitigation and insurance

With governments considering and enacting new laws in response to the rising number of cyber events, companies, especially those in the United States, are taking a closer look at cyberrisk mitigation, including insurance coverage of breaches and attacks.

Media reports of serious data breaches have prompted more companies to buy cyber coverage of $100 million or more compared to the prior year, Marsh said in its March 2014 report Benchmarking Trends: Interest in Cyber Insurance Continues to Climb.

Traditional insurance products often do not cover risks that cover damages resulting from an incident like a computer breach. As such, specific cyber liability insurance may be necessary.

The very process of applying for cyberrisk insurance is a constructive exercise for raising awareness and identifying potential vulnerabilities. By engaging in that process, a company can perform a review of information security protocols with respect to access control, physical security, incident response and business continuity planning.

As a result, businesses and other institutions are finding that cyberinsurance products have been broadened to include coverage that now addresses nearly all aspects of technology-based risk faced by today’s companies. Carriers have been adapting their policies to include a variety of loss prevention and risk mitigation tools, ranging from turnkey breach response teams to pre-emptive risk analytics.

As cyberthreats become more severe, more frequent, and continue to change along with technological advances, the (re)insurance industry will continue to stay one step ahead by creating new forms of cyberrisk coverage to meet the needs of their clients.

July 1 Renewals See Double-Digit Declines

Insurance buyers should expect improved rates and extended terms and conditions, as July 1 renewals saw price decreases across most geographies and lines of business, “many in the double-digit range,” according to Guy Carpenter.

“While the impact on property renewals, especially in the U.S., has been well documented, a wide variety of lines including marine, aviation, casualty, workers compensation and healthcare experienced improved terms and abundant capacity,” said Lara Mowery, managing director and head of Global Property Specialty for Guy Carpenter. “As a result, we have seen continued discussions around the expansion of terms and flexibility in adapting solutions to provide more client-specific tailored coverage that extend well beyond property.”

U.S. property renewal price decreases averaged in the mid-to-high teens. Changes in coverage, more diverse product offerings and an increase in multi-year options “enabled companies to better tailor their coverage to meet their risk management needs,” Guy Carpenter said.

In the U.S. casualty market, rates and terms continued to soften significantly on post-Jan. 1, 2014 quota share reinsurance program renewals. This trend was driven by reinsurers’ desire to diversify their writings as a result of an ongoing reduction in property catastrophe premiums.  In addition, loss ratios improved on the underlying business as a consequence of rate increases and reserve releases.

Guy Carpenter noted that growth in catastrophe bond issuance was strong through the first half of 2014, with a record-setting half-year issuance of $5.7 billion of 144A property catastrophe bonds. Outstanding total risk capital is now at an all-time high of $20.8 billion (excluding private placements). “In fact, even with no further activity for the remainder of the year, 2014 would still register as the fourth largest year in terms of new issuance,” the company said.

The Insurance Information Institute reported that profitability in the property/casualty insurance industry “retreated modestly” in the first quarter of 2014, as a result of higher underwriting losses. These were in part due to elevated catastrophe claims resulting from the polar vortex last year, and an abrupt drop in U.S. economic activity that caused lower premium growth and investment income. “Despite these headwinds, the industry registered a respectable return on average surplus of 8.4% in the quarter, compared to 9.6% in the first quarter of 2013 and 10.3% for all of 2013,” the III said.

Jan. 1 Reinsurance Renewal Rates Drop

New capacity, rate reductions and competition are a few factors contributing to a softer market and an 11% drop in reinsurance rate on line—a calculation of reinsurance premium divided by reinsurance limit—almost across the board, according to Guy Carpenter.

Much of this was driven by a decline of 15% in the United States, while property catastrophe pricing in Continental Europe and the United Kingdom fell by 10% and 15%, respectively, Guy Carpenter said.

Willis Re said in its “1st View” report that soft market conditions are not unique to the property catastrophe market. The report found that “with few exceptions rates are down on most lines at Jan. 1.”

Key influences on the Jan. 1 renewals were over-capacity and a number of other converging factors. “Rate reductions, new capacity, new market entrants, low interest rates, greater retention of reinsurance premiums by large buyers, diminishing reserve releases, expansion in terms and conditions and the increasing tempo of regulatory oversight” were issues facing reinsurers entering 2014. New capital from non-traditional capital market sources has grown to reach $50 billion. Compounding the situation, reinsurers are seeing lower demand from buyers, the report said.

Peter Hearn, Willis Re chairman said in a statement, “Faced with these market headwinds, reinsurers are adopting a variety of strategies. Larger reinsurers are using their balance sheet strength and technical ability to offer more capacity and more complex, multi-class, multi-year deals. Others are expanding into specialty lines and many have developed multi-channel capacity offerings seeking to use their underwriting expertise to deploy capacity on behalf of capital markets. Additionally, we have seen the rise of pooling arrangements that give smaller reinsurers the opportunity to access business they might not otherwise see in their local markets.”

The United States is seeing a softening market as increased capacity from non-traditional capital providers and retained earnings from a benign catastrophe year pressures traditional reinsurers to offer significant price reductions to compete for business.

Also in the U.S.:

• Risk-adjusted price reductions are being seen in all sectors

• There are wide variations for regional and state specific programs, depending on loss experience and reliability of vendor models

• Multi-year contracts and market facilities are becoming more routine for reinsurers wishing to lock in business

Time to Get Serious About Climate Change Risks

While arguments from climate change deniers have subsided, there is still discussion about the cause of climate change—natural or man made? But these arguments are mere time-wasters. Right now it’s critical to put the focus on managing this risk.

Insurers have it right. For years they have been pointing to the urgent need to deal with the issues surrounding climate change. Insurers know this global risk needs to be dealt with now—and in the future—and they can’t afford to get it wrong.

Johnny Chan, Ph.D., director of the Guy Carpenter Asia-Pacific Climate Impact Center said it best: “The debate on climate change and global warming has been intensely polarized. A great deal of this ‘noise’ has clouded the very real and emerging issues that we as an industry and society need to address. In order to adapt to climate change and the changing risk landscape, it is necessary to cut through this noise and focus on objective decisions to mitigate both the financial and social risks associated with climate change.”

Guy Carpenter said in a study on the risks of global warming that the biggest threat is rising sea-levels. According to the report, the greatest concern is coastal flooding, projected to increase as sea levels rise at least one to two feet by the end of the century. In other words, storms such as Superstorm Sandy on the U.S. East Coast and Cyclone Nilam in Eastern India are expected with greater frequency and severity.

Post-Sandy, we’ve seen how far-reaching the effects of a mega-storm can be. In fact, 25 miles or so away from the New York/New Jersey shoreline, northward along the Hudson River where I live, homes, businesses and communities were devastated by the storm surge. A number of businesses have closed and damaged homes still stand boarded and empty.

Bloomberg Businessweek reported that as the Federal Emergency Management Agency moves forward with its plans to update flood maps nationally, 350 coastal counties—and 32,000 homes—will be impacted. Homeowners and business owners are reeling from the price of flood insurance, which will escalate even more in designated areas unless they raise structures. One couple in Old Greenwich, Conn., will pay $300,000 to raise their home 15.5 feet, according to the article. Residents of towns that elect not to adopt the maps will not be eligible for National Flood Insurance Program coverage.

Hard-hit New York and New Jersey are taking the threat of rising seas seriously with announcements that a number of coastal structures will need to be raised. New York City Mayor Michael Bloomberg in June declared a sweeping plan to help combat future flooding. The plan, which would include building flood walls, levees and bulkheads along 520 miles of coast, was projected to initially cost $20 billion.

Guy Carpenter’s report recommends that coastal areas re-examine their flood strategies including dykes and seawalls. Inland urban communities aren’t immune, as winds and heavy rains can cause flooding. These areas need to have storm water management infrastructure in place to accommodate larger volumes of rainwater and should upgrade codes and standards for infrastructure and land use that permits rainwater catchment basins.

While these preparations should be a priority for governments, they also compete with the need to replace aging infrastructures everywhere. Bridges, roads and water systems need repairs or replacement in every corner of the country. But many communities, crippled by debt and shrinking workforces, no doubt are focusing on needs as they arise. Hopefully the two can go hand-in-hand so that risk managers can build in flood control and other upgrades as they make the improvements so badly needed.