Similarities between property and cyber markets present an opportunity

At first glance, the property and cyber markets don’t have much in common, with the property’s scale of losses in the last year of $123 million far exceeding those of cyber. But there are some parallels that can help risk officers present a cohesive risk management strategy to the C-suite and board across both risks with the common objectives of more efficient risk financing and avoiding losses.

 

The widening protection gap – property

 

Both markets are seeing a growing protection gap. While not news to any risk manager, recent statistics from Gallagher provide an instructive scene-setter. The global commercial property sector has seen an increase in companies with inadequate cover at a time when property replacement costs have increased 45% per year between 2020-23.

 

Buyers in the property sector haven’t been able to secure adequate limits to protect themselves against these rising costs – often due to an inability to determine adequate limits at commercially viable prices.

 

The urgency of the problem is only growing as the frequency of large losses has accelerated: between 1980-2022, the sector globally saw on average 8.1 billion dollar+ claims event per year. Between 2018-2022, that number grew to 18 events on average.

 

As a result, the market is looking at alternative approaches that include more robust risk management approaches by insureds, increased risk retentions, and alternative risk transfer solutions.

 

The widening protection gap – cyber

 

As we talked about recently, the protection gap in cyber is also growing – put at $900 billion last year by the Global Federation of Insurance Associations. Unlike property though, cyber has been in a soft market over the past couple of years. Even with rates stabilizing and loss ratios improving for insurers, the right amount of cover has been elusive, especially for large organizations.

 

Similar to property, the frequency and scale of cyber losses grew to record levels in 2023. Similar to property, risk officers are increasingly looking at alternative approaches to both risk management and risk financing, including increased risk retentions and alternative transfer solutions. On the latter, organizations are looking to captive structures, as we talked about a few months ago.

 

Captives as a solution

 

Faced with the same challenge as property of being unable to secure adequate limits at commercially viable prices, cyber moved towards captives for reasons outlined by a FTSE100 risk officer:

 

“We lost confidence in the value of the product the market was offering. We were being put in the wrong risk bucket by the market. Our best solution was running cyber through the captive.”

 

For this approach to work and to transition from being ‘insurance buyers’ to ‘sellers of risk’, risk officers need a validated answer to the question: ‘how much risk should we retain?’ That’s why this question is at the core of what Intangic does.

 

Highly protected risk status

 

Similar to property, the other part of the equation is the drive for risk teams to have the organization be defined as a ‘highly protected risk’ (HPR) for cyber.

 

There’s no doubt that robust controls play an important role in preventing breaches, just as fire protection systems, surveillance cameras, and access controls do in property. But as we highlighted last week, it’s not enough.

 

Apart from cyber being a more dynamic business risk, a key difference between cyber and property is the strong working relationship required between the risk officer and Chief Information Security Officer (CISO) or Head of Security to first transparently validate the risk, then manage it. This includes the risk officer providing up-to-date information (and resources as justified) to the security team such as whether the company is being more targeted by attackers than peers. This is information that will help prevent a loss, improve that first layer of protection and help companies achieve and maintain highly protected risk status.

 

Navigating the headwinds 

 

Risk officers, whether they are looking at cyber or property, know they can’t change the macro forces that shape the markets they work in. But early adopters of new approaches to risk financing that emphasize prevention and loss avoidance will help navigate the headwinds better, be they inflation, rising building costs, increased prices, shrinking capacity, or a constantly changing cyber threat environment.

recent cyber notes

July 22

Companies can better manage supply chain risk when the CRO and CISO work together

Recent supply chain-related breaches highlight need for a more proactive approach to managing the risk

July 29

Slowing US cyber insurance market prompts need to further invest in risk prevention

In 2023, direct written premium in the US rose by only 0.1% according to recent numbers reported by AM Best. Intangic explores how a deceleration in the speed of cyber market expansion points to the need for a new approach.