OECD STUDY ON SUPPORTING AN EFFECTIVE CYBER INSURANCE MARKET Leigh Wolfrom, Policy Analyst, Directorate for Financial and Enterprise Affairs, OECD OECD Expert Workshop on Improving the Measurement of Digital Security Incidents and Risk Management 12-13 May 2017 Swiss Re Centre for Global Dialogue
Cyber insurance project - context • Insurance and Private Pensions Committee brings together insurance regulators and ministries of finance from OECD members countries • Interest in insurance sector as target (IAIS) but also as a means of encouraging cyber risk management • Project launched in 2015 to look at: – the coverage available for cyber risk – challenges to market development – initiatives aimed at addressing challenges • Based on questionnaire responses from 24 governments and 47 (re)insurance companies 2
Cyber insurance – risk management contributions • Main interest is in potential for the insurance market to contribute to cyber risk management: – Requiring those seeking insurance to assess their risk (and bringing sector expertise to support that assessment) – which also provides risk estimates for use in decisions on prevention investments – Sharing expertise in risk reduction/encouraging compliance with security standards – Encouraging investments in risk reduction through pricing – Reducing losses through crisis management support 3
Cyber insurance market: growing fast Europe United States Global Premiums (USD billion) 25 20 15 10 5 0 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 Source: The premium data for Europe and the United States for 2012 to 2015 is from Advisen, reported in Eling and Wirfs, 2016. The 2016 figure for the United States is the mid-point of estimates by PwC, 2015b; Betterley, 2015; Marsh, 2016b. The 2016 figure for Europe is the mid-point for estimates by Thomas and Finkle, 2014; Marsh, 2016b. The projections for the global market are from PwC, 2015b (US, 2018); Insurance Information Institute, 2015 (Europe, 2018); the mid-point of Allianz, Advisen, PwC and ABI as reported in Swiss Re, 2017b (global, 2020) and Allianz as reported in Swiss Re, 2017b 4 (global, 2025). Other years were calculated based on the compound annual growth rate between two projections.
Cyber insurance market: responds to most common incident types 5
Cyber insurance market: provides a wide range of coverage RMS/CCRS review OECD review Bodily injury Physical asset damage Intellectual property theft Reputational damage Financial theft and fraud Cyber ransom and extortion Network security failure liability Communication and media liability Business interruption Data and software loss Breach of privacy compensation Fines and penalties Regulatory and legal defense costs Incident response costs 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% 90.0% 100.0% Source: “OECD review" includes: ( i) eight policies provided or described in the context of the OECD's survey questionnaire (SHA and Hollard from South Africa; QBE Europe and CFC Underwriting from the United Kingdom; Munich Re (Corporate Solutions) from Germany; General Re from the United States; Zurich Insurance from Switzerland; and Delta Insurance from New Zealand); and (ii) publicly available information on fifteen policies provided by insurance companies, brokers and other related providers (CNA Insurance, QBE North America, AIG , Chubb, ISO, Tokio Marine HCC and XL Catlin from the United States; Tokio Marine Kiln, Marsh, Hiscox and Beazley from the United Kingdom; Hiscox from France; Allianz Global Corporate and Specialty from Germany; and Swiss Re (Corporate Solutions) from Switzerland). "CCRS/RMS review" is from Risk Management Solutions, Inc. and Cambridge Centre for Risk Studies (2016) and 6 included 26 stand-alone policies. In the case of both the OECD review and the CCRS/RMS review, many (but not all) of the policies are those that are made available on a global basis.
Cyber insurance market: small relative to other insurance lines Cyber 2.5 The cyber insurance market is a fraction of the General Liability 171 size of other insurance lines Property (Residential & Commercial) 277 0 50 100 150 200 250 300 Estimated Gross Written Premiums in OECD countries (2015, USD billion) Source : Estimates for general liability and property are from OECD Insurance Statistics (2017). The estimate for cyber is based on PwC, 2015b; Betterley, 2015; Marsh, 2016b Germany 30% Levels of penetration are also relatively low – UK 36% especially outside the US US 55% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Share of companies that have cyber insurance 7 Source : Hiscox (2017). The question asked was: “Do you currently have cyber insurance”
Cyber insurance market: relative underinsurance Share of potential loss covered by insurance 70% 59% 60% One estimate suggests a 50% much lower level of 40% 30% insurance for information 15% 20% assets (relative to PPE) 10% 0% PP&E Information Assets Source : Ponemon Institute, 2017 Typical insurance limits purchased by a US company with USD 5 billion in revenues (USD millions) 600 The amount of 500 500 coverage being 400 purchased is much 300 200 lower for cyber risk 100 34 0 Property limit Cyber limit 8 Source : Lathrop, A. (2016), "Does traditional coverage apply when cyber attacks cause physical damage?", Property Casualty 360°, 29 December.
Cyber insurance market: impediments to demand It is confusing….. Source : JLT Re Cyber-Insurance Price Index Commercial P&C Index 140 120 It is relatively 100 expensive…3x 80 cost of GL and 6x 60 cost of property – 40 20 and increasing 0 2013 Q1 2013 Q2 2013 Q3 2013 Q4 2014 Q1 2014 Q2 2014 Q3 2014 Q4 2015 Q1 2015 Q2 2015 Q3 2015 Q4 faster 9 Source : Marsh (2014a, 2015c, 2016a) (2012=100); Council of Insurance Agents and Brokers (2013, 2014, 2015b, 2016b) (2012 Q4=100).
Cyber insurance market – impediments to supply • Aggregation risk (i.e. common vulnerabilities) • Evolution of risk (e.g. changing methods, IoT, etc.) • Lack of data for quantification high premiums (uncertainty premium) low limits (ceiling on exposure) risk selection (loss and sector exclusions) 10
Underwriting data for natural hazards • Decades of data on the occurrence of natural hazards (including physical characteristics like wind speed, seismic magnitude, etc.) • Hazard maps to identify at-risk areas • Weather stations, seismographs, river gauges to monitor hazards in real time • Exposure databases on buildings and infrastructure • Engineering studies to estimate damage based on physical characteristics of hazard • Years of claims experience in many countries and claims data aggregators • Competing catastrophe models that provides estimates of probable financial losses • Scientific studies that examine evolution of risk (e.g. climate 11 change)
Underwriting data for natural hazards • Decades of data on the occurrence of natural hazards (including physical characteristics like wind speed, seismic magnitude, etc.) • Hazard maps to identify at-risk areas • Weather stations, seismographs, river gauges to monitor hazards in real time • Exposure databases on buildings and infrastructure • Engineering studies to estimate damage based on physical characteristics of hazard • Years of claims experience in many countries and claims data aggregators • Competing catastrophe models that provides estimates of probable financial losses • Scientific studies that examine evolution of risk (e.g. climate 12 change)
Recommend
More recommend
