Operational resilience: Lessons from a fuel crisis
The fuel crisis reinforced the importance of operational resilience.
The U.S. market for cyber liability insurance coverage was estimated to be $2 billion in 2015, according to the Insurance Information Institute. A recent projection by Allianz has this market increasing to $20 billion within a decade. To put this in perspective, $20 billion, after adjusting to today’s dollars, would propel cyber insurance to become the seventh largest property and casualty (P&C) insurance line of business in the United States. After years of stagnation, criticism, and questions regarding the relevance of P&C insurance in the modern economy, insurers are once again players in the high-tech digital game.
Criticism and concerns have arisen, however, regarding the extent of industry capacity and exposure to cyber liability insurance. AIG CEO Peter Hancock, as quoted in the Wall Street Journal, warned that the capacity offered for most risks are too low to provide adequate protection for potential billion-dollar losses to policyholders (typical policy limits for large policies can be between $100 million and $200 million). At the same time, however, rating agencies are warning insurers that the accumulation of cyber risk may negatively affect their ratings. Indeed, several current challenges in the cyber liability insurance market are limiting the capacity offered and raising the concern of regulators and rating agencies. Challenges including difficulties regarding risks, exposure, coverage, and pricing are often acknowledged but perhaps overlooked or underestimated by brokers and current markets.
A possible solution to address these concerns would be the formation of an industry cyber liability insurance pool or pools. This mechanism could result in greater capacity for the market and less risk to individual insurers. As most insurers would agree, there is strength in numbers.
Within the current market for cyber liability insurance, there are several challenges faced by policyholders and insurers alike that may limit capacity and raise concerns of regulators and rating agencies. Some examples include:
These challenges may prevent more insurers from offering cyber liability insurance and may pose barriers to customers seeking to purchase cyber liability insurance but finding policy forms and coverage options too difficult to navigate.
Pools historically have been a mechanism employed to provide greater insurance capacity for risks, particularly those with exceptionally high levels of insurance values. Some current high-profile examples of insurance pools include aviation pools and nuclear risk pools. Many aviation insurance pools were formed in the early days of flight and still exist today. While the pools were formed in reaction to some of the same issues facing cyber liability insurance today, they continue to function as part of an overall competitive market serviced by many individual insurers and underwriters. Nuclear liability insurance has been provided to the U.S. nuclear power industry since the late 1950’s by a pool of insurers through a program that provides roughly $12 billion in protection to compensate the public in the event of a nuclear accident. While there is no market for nuclear liability insurance beyond the pool, the existence of the pool allows for a more efficient spread of the risk to the U.S insurance market as well as to the global reinsurance market (two-thirds of currently liability exposure is ceded to reinsurers).
The exposure to loss for risks covered by cyber liability policies is often difficult to determine and is sometimes only understood in terms of full policy limits in place. A pool (or pools) for cyber liability would allow the industry to provide the necessary coverage needed today, but would also allow for stability of capital in the market, aggregation of information, and credible loss data for rate-making. In short, a pool would allow the industry the proper time needed to move up the learning curve and recover from any potential early missteps.
In its simplest form, a cyber liability insurance pool could be operated on a voluntary basis, sponsored by insurance companies or other financial entities, each with assumed shares. There could be limits on membership related to financial strength and limits on pool participation. The time frame for the existence of the pool could be limited—perhaps more of a tool to help develop the early market, keep it stable and growing, and avoid potentially unnecessary growing pains. A small number of large pools would allow for greater risk diversification, but multiple smaller pools would address specific industries with different risks and exposures, such as healthcare, retail, finance, manufacturing, etc. Within the pool, committees could be formed to address underwriting, finance, claims, technology, and security issues.
There is already historical precedent for the projected evolution from pool to competitive market—the formation of accident and health (A&H) reinsurance pools in the late 1970s. The growth for these pools was driven by market demand. Pool managers formed new and different facilities to provide coverage to similar classes of business. Some of the participating companies recognized the profit potential and left to enter the marketplace as independent reinsurers. More companies and pools led to greater competition and more attention to underwriting, claims handling, and reserve adequacy.
There have also been many state and international catastrophe insurance pools and programs that were established following an extreme event to stabilize a market until the private sector was willing and able to provide appropriate coverage. A recent example of this is flood insurance in the United States. Flood insurance coverage is currently provided through the National Flood Insurance Program, but there is a push for privatization because there have been advances in risk modeling for this peril.1
While there are many advantages to using a pool or pools in the early years of a volatile coverage such as cyber liability insurance, there are also some potential disadvantages:
There is an obvious need for cyber liability insurance today. The P&C insurance market is racing to meet the demand. The benefits of potential growth in premium resulting from providing cyber liability insurance on an individual insurer basis, though, may be tempered by the impact of adverse loss experience because of naïve pricing, exposure accumulation, and lowered financial ratings resulting from the uncertainty of the business. There is also the potential for unforeseen extreme large losses, which could devastate the entire fledgling market. Rating agencies, regulators, and even some insurers are waking up to the very real potential dangers of providing cyber liability insurance. Pools would allow the industry to learn, test, measure, and adjust the coverage provided, perhaps in a less risky way. The gains of the individual insurer firm may be temporarily sacrificed for the good of the industry as a whole and its policyholders.