Cyber insurance is set to take off in the wake of high-profile hacking scandals but the emerging business line also carries new risks for insurers, says Fitch Ratings in a report published Wednesday.
Insuring cyber risks has been a profitable business line for the first companies to offer coverage in this area, the report notes, and the market is growing fast. Global premium volume set will jump by six- to eight-times current levels over the next 10 years, the report predicts.
Currently, the global market for stand-alone cyber coverage is estimated to be between US$2.5 billion and US$3.5 billion annually.
"Growth is being driven by increasing risk and awareness of cyber attacks, such as the recent theft of an estimated 143 million individuals' personal data from credit monitoring agency Equifax," the report says. "More active cyber regulation in the U.S. is a prime factor behind an estimated 90% of global cyber premium originating there."
The development of cyber regulation in Europe and elsewhere "is likely to spark demand for coverage," the report predicts. For example, European rules will take effect in May 2018 that will impose tougher notification requirements, it says, thereby increasing public awareness of the prevalence of cybersecurity breaches.
With this expected growth, the report also notes that cyber insurance poses unique, new risks for insurers. "Limited historical loss data creates difficulty in pricing coverage. The nature of cyber risk and the wide variety of potential cyber events add to challenges in quantifying risk aggregations and catastrophe loss potential," it says.
Indeed, it may be difficult to identify large risk accumulations at particular insurers until it's exposed by a major event, the report says, and geographic diversification is not necessarily relevant in the cyber insurance context,.
"Recent ransomware attacks show that digital interconnectedness across the world can lead to a very wide geographic footprint for a single cyber disaster. Risk concentrations may be more correlated to factors other than industry or geography, such as concentrated exposure to one electronic payment processor or firewall system," the report notes.