Tailoring cyber product at front end could help drive market growth
More structured tailoring of the cyber product by brokers and carriers would lead to a better understanding of risk and mitigate the assumption bias further up the capital chain, according to Alex Podmore, senior cyber broker at Aon.
A lot of attention in the cyber market recently has focused on attracting more reinsurance and ILS capital to help drive market growth. But a focus on how the product is structured at the front end will also help drive this growth, Podmore suggested.
“We tend to talk about the top of the chain and how we source capacity from reinsurers, from ILS funds, and from other sources of capital higher up the chain, in order to support the growth of the original market. And that's one really important part.
“But we can't always have the tail wagging the dog. I think the dog has to play a part as well,” he said.
Podmore suggested that the cyber reinsurance market’s offering will continue to evolve, and said it is important that more capital is brought to the market.
“But equally I think it’s not just a question of getting the capital in at the top to support the growth of the market,” he said.“ Enhanced tailoring of the original cyber insurance product to specific organisational risk would allow for the collection of more structured information, a better understanding of exposures, and the mitigation of the potential assumption bias that goes up through the capital chain – ultimately leading to better business decisions.”
This would mean that insurers have a more precise idea of what they are covering because a policy covers a specific part of the technology stack. Data can then be collected precisely for those characteristics, rather than the default being broad contingent business interruption coverage or system failure coverage, for example.
“Corporations don't necessarily need to name their technology stack, or their suppliers or service providers. But insurers could be more prescriptive in terms of the coverage they are providing and then how they are absorbing structured information and translating it up the value chain to reinsurers and other capital providers,” Podmore explained.
A need to tailor the product
The cyber product is very broad, offering first- and third-party coverages.
On the longer-tail side, there are coverages such as privacy liability, multimedia liability and network security liability.
“But then you also have quite a capital-intensive product that has accumulation potential of first-party losses due to single points of failure, or significant malware events, or service provider failure, or cloud outage, for example,” Podmore said.
He continued: “The product has evolved over time to pull those various components together but it’s not evident we have gone through a meaningful phase of refining product and coverage to help us better communicate catastrophe exposure through structured data. We might have seen some changes in areas such as sub-limits and extortion coverage, but there has been no wholesale meaningful change in terms of the actual scope of the product and how we're thinking about tailoring it at the front end of the market to drive greater confidence in the modelling of risk outcomes.”
Podmore suggested the product could be built to be “more refined and structured within its scope, such that you have better consistency across the market”. He said that more meaningfully structured data points can be captured in the process of underwriting as well as through claims.
Ultimately what this would be trying to do is connect the top end of the market and the bottom end of the market. Having better clarity at the front end will help eliminate assumption bias the further up the capital chain you go, Podmore argued.
“The bottom end of the market is providing valuable and broad solutions for clients’ cyber risk, but perhaps this breadth causes difficulty in enhancing structured data points around the cover,” he said. “Perhaps we can be more specific and bespoke in the way that we tailor the product to the buyers of insurance – be that SMEs, which are relatively under-penetrated, or large corporate risk – that is ultimately going to mitigate the assumption bias as you go up through the capital chain. This will help to reduce volatility in results and build resilience and commitment across capital providers.”
He said this will provide better precision around what the market thinks a really bad scenario could look like once it reaches reinsurance and the ILS market.
There have been some instances of innovation. Podmore said that an example is that some “pockets of the market” are looking at introducing defined benefit payouts on business interruption cover to create greater clarity in the modelling of component costs of already remote catastrophe scenarios which require sophisticated modelling assumptions. This also serves to improve operational claims handling efficiency for customers in a time of distress, which is precisely what the insured requires in their time of need.
Podmore suggested this tailoring could help with contingent business interruption and system failure exposures.
“Cover for contingent business interruption is typically related to unnamed IT service providers and other providers within the goods chain. It's a broad product. And for system failure as well, it’s not just the malicious attacks – some policies also cover non-malicious instances, such as human error and misconfiguration,” he said.
“Ultimately that lends itself to capital providers further up the chain knowing that there’s a breadth of coverage and they will have to make assumptions about how that could manifest its way up the chain for those potential market-wide catastrophic events.
“Having more precision and bespoke tailoring of the product at the front end to ensure there is more structured information and data around the exposure at the point of underwriting will enable elimination to some extent of that assumption bias, and I think that in turn attracts more capital at the top end,” he said.
An example of what Podmore is suggesting includes, for contingent business interruption coverage, understanding how many of the potentially dozens of contract service providers a mid-market business has are actually critical or integral to the business being able to operate as normal.
“As a capital provider, if you can begin to understand and model such dynamics across all of the individual businesses within a portfolio, you're significantly narrowing down the potential scope of accumulation,” he explained.
Another example is the product could be more bespoke by size of the business. Podmore said that an SME does not generally need the same levels of liability coverage as a large corporate that is handling large quantities of personally identifiable data that would be subject to class actions if there was to be a breach of that information.
“So making sure you have a more dedicated and modulated cover for different buyers within the revenue spectrum is also another important part,” he said.
An evolution in reinsurance
The way that reinsurers approach cyber could also evolve.
Podmore suggested that the first- and third-party exposures may not necessarily be reinsured the same way in the future.
“I think what we'll begin to see over the next few years is more of an evolution in the way that reinsurance actually works with respect to the cyber product, in the products that are available and the solutions that are available to support the component parts of the liability spectrum for cyber,” he said.
On one end, there is privacy liability which is more casualty in nature due to the longer development pattern. Reinsurers might be able to generate yield on those cash flows and support such exposure through more dedicated reinsurance products.
On the other end, there are first-party components that are more short-tail in nature, “where you do have the potential for significant accumulations of exposure to any one single point of failure, such as we are seeing with the downstream impacts of the recent attack on Change Healthcare. Reinsurance buying will increasingly focus on the specific characteristics of exposure and consequent liability profile of a portfolio,” Podmore said.