Cyber coverage gap won’t be fixed with more of the same

In last week’s CyFi™ note, we covered an overlooked issue in cyber: economic losses. Why take stock of these events and their actual and potential losses? Because understanding the nature of this gap is the first step towards building better solutions to address it. This is a central topic in the forthcoming October edition of our monthly research note, The Intangibles.

Recent cyber events have only served to highlight the disparity between insured and economic loss. While the ‘coverage gap’ has been receiving more attention in recent months, the issue for Chief Information Security Officers (CISOs) and Risk Officers is what to do about it. Contrary to conventional wisdom, the answer is not necessarily larger coverage limits or to increase security budgets.

Change Healthcare highlights the growing coverage gap

The Change Healthcare incident in February was designated a cyber catastrophe by Verisk Property Claim Services (PCS), the insurance industry’s standard setter and primary source of loss data for catastrophic losses. According to Tom Johansmeyer, Global Head of Index Classes at Price Forbes Re and previously the head of PCS, the event is likely to result in at least $250 million in insured losses across the industry.

However, UnitedHealth Group, Change Healthcare’s parent, disclosed economic losses of just over $3 billion across Change Healthcare and Optum Health.

That figure does not include the wider impact on the US healthcare system documented by the American Medical Association. Any significant loss recovery from insurance is vital for the company involved, and the cyber market is better equipped to absorb a large loss event than it was a few years ago.

But set against the estimated $3 billion-plus in economic loss, a $250 million insured loss means the company will recover only around 8.3% of its real loss. And that $250 million is the industry-wide insured loss estimate, so the company’s own recovery may well be lower still.

“Yes, but maybe Change is on the outer edge of the coverage gap spectrum,” one might say. Unfortunately not.

Clorox reported just under $400 million in economic losses from its business interruption (BI) event in FY24. It disclosed a total insurance recovery of $30 million – less than 10% of total economic losses.

Labcorp experienced costly breaches in 2019 and 2020 that cost the company over $119 million in losses, against which it disclosed $9.1 million in insurance recoveries, or ~7.6% of total losses. The CEO, CFO and board also faced shareholder lawsuits.

This isn’t to say that sizeable payouts have not been made. The disclosed annual loss ratios of insurance carriers alone – 44% for US standalone cyber in 2023 – show clearly that they have. Capital One’s July 2019 breach, for example, resulted in $138 million in incremental costs (excluding legal settlements), offset by $73 million in insurance recoveries under a policy with a $400 million limit. The company later settled class action lawsuits for an additional $190 million.

But despite sizeable claims being paid, the coverage gap is only growing wider.

Given this reality, the post-breach question of “Did our cyber insurance as a product respond as designed?” is insufficient. The more important question is, “How relevant is my cyber insurance in its current form as a risk management and transfer tool?”

When considering a response to that question, contemplate how acceptable it would be if a company incurred a $1 billion property loss following a flood or fire and the risk team reported $100 million in insurance recovery. This is where we are currently with cyber.

According to data from Aviva, a business is five times more likely to suffer a cyberattack than a fire. The average cost of a commercial property fire is around $35,000, while the average cyber event costs ~$4.88 million. The two averages come from different event populations, so the comparison is rough, but the order-of-magnitude difference is the point.

The central questions in risk and insurance are: 1. How often does something occur? And 2. What does it cost when it does? Frequency and severity together suggest how large the two markets should be relative to each other in terms of risk transfer options, and yet the fire insurance market is $81 billion while the cyber market stood at only ~$14-15 billion in gross written premium (GWP) at the end of 2023.

Risk and Security Teams deserve better options

In the face of this growing gap, the focus should be on what can be done to close it.

Governments can do more to incentivize stronger corporate cyber resilience, and there is a need for closer public-private partnership especially as it relates to the protection of critical infrastructure. But contrary to recent calls from some insurers and brokers, a government backstop is unlikely.

As we said in our last CyFi™ note, the answer for risk and security teams isn’t simply to buy more insurance or spend more on security. This is why we don’t believe that even if the cyber insurance market were worth $20-25 billion globally, insureds would necessarily be in a better place in terms of economic loss exposure without changing how the risk is assessed and how products are structured. In other words, most companies know that they won’t necessarily be better off if they double their coverage limit.

Companies are already declining to simply buy more insurance, even after a year with a record number of attacks and breaches. Intangic Founder and CEO Ryan Dodd addressed this demand problem recently at the Rendez-Vous de Septembre (RVS) in Monte Carlo. Companies are carrying hundreds of millions, and in some cases billions, of dollars in retained cyber risk on their balance sheets.

Changing business models outpacing risk models

The market would do well to recognize today’s rapidly changing business models. Halliburton, for instance, still provides oil and gas services as it did when Erle Halliburton founded it in Oklahoma over 100 years ago, but it now does so with ever-increasing reliance on digital technology. That is why its recent cyber incident is likely to be far more costly than it would have been even five to ten years ago.

Business models have changed at breakneck pace, but risk models haven’t kept up. One result is that companies sometimes retain far more risk than they realize – an important blind spot that needs to be addressed. Intangic is helping companies get better clarity on the amount of economic loss they have at risk, as well as their potential insured loss.

Building bridges and giving you more control

It’s time to build a stronger bridge between risk and security teams and shift the focus towards loss prevention rather than loss recovery. This is why we advise risk and security teams on how best to allocate resources in both security and risk transfer programs, based on real-time insights into the risks most relevant to the business.

These are all factors that drove Intangic to build the CyFi™ Platform to help companies better understand their blind spot and better structure their risk. It helps bring risk and security teams together not just during annual policy renewals or in response to a large breach. Whether it’s looking at the company, the supply chain or other aspects of the risk, the Platform enables risk and security teams to avoid cyber losses, determine their risk appetite and achieve better financial outcomes.

This is particularly important as more Risk Officers move towards alternative strategies, including taking more control by putting cyber risk into captive structures.