Challenges Faced in Cyber Reinsurance

In the previous article, we have already seen what cyber reinsurance is. We also found out why calculating and quantifying the risk is difficult in the case of cyber reinsurance. However, the inability to quantify risk is not the only challenge faced while doing cyber reinsurance.

There are several other challenges that are routinely faced by reinsurance companies when they try to provide cyber reinsurance. This article provides a brief overview of the various challenges which are faced by the industry.

  1. Lack of Internal Readiness: Cyber reinsurance is very different from other types of reinsurance. The threat as well as the risk factors are man-made in the case of cyber reinsurance. It is for this reason that, if different companies will suffer different degrees of losses even if they face the exact same external event. This is because cyber risk depends upon the internal cyber readiness of the companies.

    Reinsurance companies find it challenging to provide cover to companies because many of them are not internally and do not have internal risk mitigation procedures in place.

  2. Actuarial Paradox: Cyber reinsurance companies are faced with a situation called the actuarial paradox which is peculiar to cyber reinsurance. The actuarial paradox means that if a company has undergone a cyber attack in the past, it is likely that they have seen horrendous negative impacts and hence is more likely to be better prepared. This better preparation in turn makes them less vulnerable to attacks in the future. This is paradoxical because, for other lines of business, the existence of previous loss events points towards higher risks.

    At the same time, for cyber-related reinsurance, the existence of previous loss-related events points towards lower possible risk in the future. Hence, the models to predict risks and therefore derive premiums work differently for cyber reinsurance-related companies.

  3. Prevention vs Reinsurance: Companies which provide cyber reinsurance are aware of the fact that companies have limited budgets when it comes to protecting themselves from cyber risks.

    Most companies use the same budget for reinsurance as well as for prevention. The ceding insurer is in a position to check the preventive measures being taken by each of their clients. However, when it comes to reinsurance, the policies are bundled up and there is always a chance that the risk becomes obscured in the process.

    Reinsurance companies have found out that once companies receive coverage, they often become complacent about cyber-related loss events since they feel that the insurance company will cover their expenses. Cyber reinsurance companies do not have sufficient information about the preventive measures being taken in order to make informed decisions.

  4. Worldwide Event: Reinsurance provides support to existing insurance companies. The general idea behind reinsurance is that even if a natural calamity does occur, it is likely to be concentrated in a few parts of the world. It is very unlikely that a natural calamity will impact the entire world with the same intensity worldwide.

    For instance, even though coronavirus was a worldwide pandemic, it affected different parts of the world differently. However, this cannot be said to be true in the case of cyber events.

    It is completely plausible that a certain cyber event may impact many different countries of the world simultaneously. In such cases, the reinsurance company may have to pay out all the claims without having any recourse. This could lead to the bankruptcy of the reinsurance firm! Even though there has not been a worldwide cyber event as of now, the possibility of it happening creates large-scale ramifications for reinsurance companies across the world.

  5. Less Regulation: Regulators who help keep the risks of reinsurance companies in check generally create regulatory policies based on past risk events. Hence, the absence of systematic and organized data regarding past risk events creates a challenge for regulators as well.

    The end result is that the field of cyber reinsurance has very less regulations in place. This allows many reinsurance companies to take excessive risk with this line of business which threatens the overall stability of the company and even the industry.

  6. No Geographical Coverage: In the case of other lines of business, reinsurance companies are able to clearly define the risks that they will undertake based on the geographical boundaries where the risk arises. However, in the case of cyber reinsurance, geographical boundaries are virtually meaningless. Hence, whenever a reinsurer decides to provide coverage, they are actually providing global coverage to their clients.

    The reinsurers can have limitations regarding the location of the business. However, a cyber attack can be launched from almost any place in the entire world!

  7. Hidden Exposures: Cyber reinsurance is not only a direct line of business. In many parts of the world, it is common for standard reinsurance policies to have some basic element of cyber risks covered.

    Hence, it is possible for reinsurance companies to have multiple such small exposures with different ceding insurers. These exposures can be difficult to keep track of and hence create a significant challenge for the reinsurance industry.

  8. Untested Policy Wordings: Reinsurance companies have created many prototypes of legal contracts for providing cyber reinsurance. However, in the absence of any major cyber event, the validity of these policy wordings can not be trusted.

    It is likely that with the passage of time, reinsurance companies may face litigations that will help them refine their policy wordings further. The legal implications are much clearer in other lines of business as compared to cyber reinsurance.

In short, it can be said that cyber reinsurance is a very complicated form of reinsurance that has several challenges.

Reinsurance companies must have plans in place to deal with these challenges before they start underwriting cyber reinsurance policies.

❮❮   Previous

Authorship/Referencing - About the Author(s)

The article is Written and Reviewed by Management Study Guide Content Team. MSG Content Team comprises experienced Faculty Member, Professionals and Subject Matter Experts. We are a ISO 2001:2015 Certified Education Provider. To Know more, click on About Us. The use of this material is free for learning and education purpose. Please reference authorship of content used, including link(s) to and the content page url.