Capgemini, a leading technology consulting company, and Efma, a non-profit financial industry consultant, partner each year to publish the World Insurance Report. The recently released 2019 edition highlights trends that present the greatest risks to both insurance companies and their customers, and finds that cyber insurance companies tend to lag behind both the protections that their customers are asking for and the development of emerging threats.
Cyber insurance and developing risks
The report focuses on the five leading emerging risks for insurance companies and their customers:
- Disruptive environmental patterns
- Business environment changes
- Technological advancements
- New medical and health concerns
- Evolving social and demographic trends
Both insurers and their customers report that they do not feel entirely prepared for these developing risks. Fewer than 25% of all business customers and 15% of individual policyholders reported feeling that they have enough coverage for any one of the five risks listed above. And fewer than 40% of life and health insurance providers feel that their new products are sufficient to address the most recent risks impacting the insurance landscape.
The market is ready for new cyber insurance packages that cover risks such as data loss, denial of service and cyber extortion – 55% of customers said they are open to a new insurance model, but only 26% have sufficiently updated their coverage. 37% of customers also reported being open to sharing more personal data if it leads to better coverage against emerging risks, but only 27% of insurers currently have the technological capability to implement such a plan.
Additionally, 83% of insurance customers have medium to high exposure to cyber attacks, but only 5% have coverage sufficient for medium risk and 3% sufficient for high risk. In total, only 18% of the businesses surveyed were comprehensively covered for the cyber risks that they face.
How insurers can improve
The study identifies a number of technologies that can help cyber insurance companies close this significant coverage gap.
For example, machine learning and artificial intelligence offer boundless possibility for improvement in terms of pattern recognition and risk assessment. However, the study found that only 57% of insurance companies are using these tools, and only 29% have automated risk assessment processes in place.
Of course, there is a competing interest in this area: data privacy. Data mining services are a wonderland of personal information for insurers to use in risk assessment, but much of it is out of bounds (or is soon likely to be) due to privacy laws. Some finance companies are experimenting with incentives in trade for access to non-traditional consumer information as an answer to this. For example, US credit monitoring agency Experian recently instituted a program that provides a credit boost for good telecom and utility bill payment history; the trade-off for the consumer is that they have to give Experian access to their bank account to track this history. More limited activity-specific programs have more of an established track record of success in the insurance industry, such as installing a metric-tracking device in a car for auto insurance discounts. The idea of life and health insurers offering discounts to customers who share fitness information is also being seriously considered.
The study also identifies a shift in approach to that of a consumer partner as a way forward for cyber insurance companies. This dovetails with data privacy concerns; consumers will need to feel comfortable with the company’s handling of data and security practices to share the information they can use to make agile analytical processes work. Of particular note here is the emphasis on cyber insurance companies also becoming a “preventer”, proactively offering advice and consulting for risk management to their customers.
Seth Rachlin, Executive Vice President and Chief Innovation Officer, Insurance, at Capgemini summed up the issue as follows:
“Insurers have traditionally operated in a world where risks are well understood, where loss history is abundant, where products are relatively standard, and where coverage is prescribed and often mandated by regulators and state governments. None of these apply to the world of data privacy, protection or cybersecurity where the nature of risk and the potential size and scope of associated insurable losses continue to change rapidly. Insurers looking to respond to this opportunity need to 1) Leverage analytics to develop coverage and pricing models that are prospective and not retrospective. 2) Partner with technology providers to integrate indemnity cover with risk mitigation and management services. 3) Modernize their technology infrastructures to permit faster product time to market and agile feature experimentation to support the rapidly evolving needs of customers.”
Unique insurance opportunities and challenges
Smart home devices are an obvious point of interest for cyber insurance companies, given all of the advanced analytics data that they can potentially provide. Aside from offering discounts to entice consumers into providing this data, insurance companies have the opportunity of moving into the “partners and preventers” role by using this data to also give customers helpful maintenance tips and advance warnings of potentially serious problems. This information may also be able to help customers more quickly and successfully file claims with their insurance company.
However, customers will have natural reticence about having their home monitored in this manner. This may be too tough of a sell until the general state of “internet of things” cyber security improves. The Mirai botnet attack of 2016 should have put the world on notice. Almost three years later it is still not uncommon for devices to ship with remote access enabled by default, and sometimes without the ability to change a default password (or even use a password at all). Small businesses and individuals will need to treat all of their IoT devices like a computer system, ensuring that they get regular patches to remain protected from a security breach. Given human nature, a lot of the onus for this will likely fall on manufacturers and retailers to steer consumers toward proper security practices, something that is still far from happening.
While that is something of a long-term project, in the short term there is little stopping cyber insurance providers from updating their products to meet customer demand and protect policyholders from emerging threats. The numbers from this survey make clear that insurance providers have much room for improvement in identifying modern cyber threats and providing appropriate coverage options, as well as setting up voluntary data collection systems for customers who are willing to opt in to them.
One major challenge for cyber insurance companies appears to be standardization. The rapid evolution of both technology and cyber threats have made it difficult for companies to craft legal definitions and terms to encompass everything. With insurance companies experiencing great internal confusion about what they’re actually offering, naturally the communication with the policyholders is unclear. One big initial step will be to simply offer coverage that is adequate for the amounts that companies can realistically expect to lose to business interruption and data breaches in the current landscape. From the policyholder end, the best rates will inevitably go to those that are focusing on cyber resiliency rather than just defensive security measures.