ENISA publishes ‘Recommendations on cyber-insurance’, a study on the commonality of risk assessment language in cyber-insurance, which proposes recommendations for achieving a higher level of language harmonisation.
The study provides a comprehensive analysis of the factors that influence the harmonisation, or lack thereof, of risk assessment language in cyber-insurance, its practical impact on the growth prospects of the cyber-insurance market and forthcoming trends.
‘Recommendations on cyber-insurance’ is based on feedback provided by multiple insurance carriers, brokers and other key industry stakeholders. Its recommendations are intended to help the cyber-insurance industry and policy makers leverage the key market drivers towards harmonisation of the language used in underwriting and insurance coverage policies.
Prof. Dr. Udo Helmbrecht, Executive Director of ENISA, said: “Standardising policy language will help insurers and customers to mutually understand what they are selling and buying and increase buyer understanding and trust in cyber-insurance products.”
In spite of the significant overlap in topics examined as part of the insurance companies’ risk assessments, the language used in these documents is yet to be harmonised across the cyber-insurance industry for various reasons.
This is not in line with other types of insurance (e.g. car insurance). It potentially reduces the appeal of cyber-insurance products to customers and limits the possibility of added-value offerings on top of more or less standardised products.
Since customers do not have a common point of reference to better understand and compare products, this may lead to reduced trust towards cyber-insurance offers. The lack of a common risk assessment language may also affect the opportunities and prospects of insurance companies that are currently in the process of entering the market.
Through this report, the industry is encouraged to standardise policy language and underwriting questionnaires, to promote data sharing between stakeholders, to develop industry standards, and to build in-house expertise in cybersecurity.
Also, the industry is advised to contribute to the collection of data on aggregated loss scenarios, to build offerings around information security and privacy regulations, and to adopt a sectorial approach in harmonising language. Last but not least, the industry should address the needs of the SME market and improve the overall data quality by integrating various heterogeneous sources.
On the other hand, the European Union and its Member States’ policy makers are encouraged to create minimum coverage requirements per type of coverage, to leverage the upcoming mandatory incident reporting schemes via the NIS Directive and the GDPR to produce meaningful data, to create a central EU repository of incident data, to increase demand and buyer maturity and to develop guidelines for cyber-insurance.
The study also reveals that competition between carriers will shift to pricing and added value offerings. In order to keep up with the impact of evolving technological advancements, this will consequently lead to the acceleration of different levels of innovation. For the industry, harmonisation will simplify the quotation process, leaving a clearer framework for developing cyber-insurance products.
The main drivers that are expected to act as catalysts behind the language harmonisation are:
- the adoption of regulations and standards: will provide the common framework for the harmonisation of terminology and offerings;
- the increasing availability of data: will allow better understanding and modelling of cyber risks;
- the evolution of the demand side: will create the need for more standardised and easily comparable products;
- the overall market maturation: will naturally resolve a number of market frictions.
ENISA understands the importance of supporting the cyber-insurance market growth without limiting the carriers’ ability to innovate and provides recommendations in this sense. These recommendations were developed by engaging multiple key industry stakeholders via interviews, online surveys and a validation workshop. This report is the latest in a line of studies that ENISA has conducted to provide useful and actionable guidelines to support the effective growth of the cyber-insurance market.
Cyber risks are becoming a worldwide priority, so organisations across the globe are looking into cyber-insurance to transfer residual cyber risk. Cyber-insurance can help a company survive a major economic impact from a cybersecurity incident, e.g. by compensating for revenue losses due to ransomware. This way, organisations can avoid bankruptcy caused by cyber-attacks.
Moreover, the cyber-insurance market is expected to grow from an estimated USD 3 – 4 billion (generated in premiums annually) to USD 20 billion by 2025, making it one of the fastest growing segments of the industry and a huge economic opportunity for the EU. Still, the EU market is considered to be in its early development stages and far from reaching its full potential. This fact is attributed to a number of challenges, among which one of the most important is the lack of harmonisation in the language used by insurers.
For the full report: Commonality of risk assessment language in cyber insurance