The insurance industry risks being unprepared when the next cyber-catastrophe hits, according to Ben Hobby, a partner at forensic accounting firm RGL Forensics.
Speaking at a Nov. 13 Insurance Institute of London lecture at Lloyd's of London, Hobby noted that 2017's NotPetya malware attack, which hit companies across a variety of industries and geographies, could have cost cyber insurers in excess of $1.5 billion, had the exposures been fully insured.
It is "safe to say" the market will suffer another event on the scale of NotPetya, he said, and although it is not clear when, he expects it to occur before the market has fully assessed the risks.
"This is where the threat to the cyber market sits — that the shock occurs before the market is ready for it," he said.
According to Hobby, understanding a company's network and databases is "absolutely critical" to identifying the risks it faces.
"The question is: Is that happening in the cyber [insurance] market? From the various conversations I have had with underwriters, claims managers and brokers, unfortunately, that isn't occurring," he said. One positive, he noted, is that the industry recognizes that it needs to close this information gap, but he added: "Is there enough premium to fund this type of risk analysis? The market feedback is: 'Not at present'."
Premiums are being driven down as more insurers jump on the cyber bandwagon in search of good underwriting profits. Hobby cited figures from broking group Aon showing that the U.S. cyber insurance market reported a loss ratio of just over 60%, and he estimated that the U.K. loss ratio would be even lower.
"The effects of this are going to be significant because that potentially results in more new entrants coming into the market, resulting in more competition, potentially resulting in lower premiums," Hobby said.
