The cyber insurance market in Sweden
This article is a characterization of the cyber insurance market in Sweden. As empirical investigations of cyber insurance are rarely reported in the literature, the results are novel. The investigation is based on semi-structured interviews with 10 insurance companies active on the Swedish market, and additional interviews with 2 re-insurance companies and 3 insurance intermediaries. These informants represent essentially all companies selling cyber insurance on the Swedish market. Findings include descriptions of the coverages offered, including discrepancies between insurers, and the underwriting process used. Typical annual premiums are found to be in the span of some 5–10 kSEK per MSEK indemnity limit, i.e. 0.5–1% of the indemnity limit. For business interruption coverage, waiting periods are found to be relatively long compared to many outages. Furthermore, insurance companies impose information and IT security requirements on their customers, and do not insure customers that are too immature or have too poor security. Thus cyber insurance, in practice, is not merely an instrument of risk transfer, but also contains aspects of avoidance and mitigation. Based on the findings, market segmentation, pricing, business continuity, and asymmetry of information are discussed, and some future work is suggested.
Modern society is becoming increasingly dependent on IT services. Functioning IT services now underpin aspects of all human endeavors, from work to leisure, from private to public sector, and from Andorra to Zanzibar. When these services stop functioning, whether by non-malicious mistakes or by malicious attacks, consequences are immediately felt and effects ripple through interconnected IT service orchestrations, integrated supply chains, and interdependent business processes across the globe. In this sense, IT services are becoming a critical infrastructure, much like roads, electricity, tap water, and financial services.
As a result, there is much research dedicated to preventing IT outages and ensuring business continuity. Whereas in the early years of computing hardware outages were the main culprit behind downtime, since the 1980s IT administration and software errors have become predominant causes of outages (Gray, 1990), along with human errors (Pertet and Narasimhan, 2005). With the advent of service-oriented and cloud computing, much effort has gone into the investigation of how to optimize quality of service in these settings (Casalicchio et al., 2013), including how to learn from past incidents in order to offer better future services (Kieninger et al., 2013). From a traditional reliability engineering perspective, risk management of IT outages has been supported by studies of the statistical distributions of IT outages and of the importance of knowing them (Franke et al., 2014; Snow and Weckman, 2007; Snow et al., 2010). To prevent or mitigate malicious attacks, research is constantly ongoing in areas like intrusion detection systems (Liao et al., 2013), threat detection (Virvilis and Gritzalis, 2013), and cyber security in industrial control systems (Knapp and Langill, 2014).
However, with the realization that not all threats, security breaches and IT outages can be prevented by technical means alone, financial risk management through so-called cyber insurance has become an increasingly discussed complement. Its relevance has been further increased by the trends of outsourcing and cloud computing: whenever IT is not operated in-house, it is difficult to manage risk through technical or organizational measures, further underscoring the role of financial risk management. This has traditionally been solved by requiring external IT service providers to maintain an errors and omissions insurance. However, many large service providers have strict service level agreements (SLA) that limit their liability. Therefore, cyber insurance is often used to cover the gap between the insurance coverage and contract limitations of the service provider and the full loss of the client.
This growing interest in cyber insurance is reflected in many ways. IT strategy consultancies like Gartner provide guidelines for how to use it effectively (Wheeler et al., 2015). Insurance industry forecasts predict expected growth in premiums from around 2 billion USD in 2015 to some 20 billion USD or more by 2025 (Wells and Jones, 2016). International organizations like the EU (ENISA, 2016) and the OECD (OECD, 2016) are conducting studies aiming to better understand the potential of cyber insurance. National governments like the British are supporting the growth of the cyber insurance market to improve cyber security risk management (Cabinet Office, 2014).
It is against this background that the research reported in this article was conducted. Its focus is the cyber insurance market in Sweden. This may seem like a provincial concern, but there are reasons why this is interesting beyond Swedish borders as well. First, most of the insurance companies active on the Swedish market are global companies. Even though their products are adapted to local markets, they are also bound to have much in common across the globe. Second, Sweden regularly scores top results when countries are evaluated in terms of digital and ICT maturity. For example, Sweden was ranked 3rd in the World Economic Forum's Networked Readiness Index 2016 (World Economic Forum, 2016), 3rd in the EU Digital Economy & Society Index 2017 (European Commission, 2017), and 3rd in the International Telecommunication Union's ICT Development Index 2013 (ITU, 2014). It is reasonable to assume that the cyber insurance experience of mature countries such as Sweden might offer valuable and relevant insights for other countries as well. Third, the findings include results concerning pricing and premiums that are unique in the literature and thus merit attention in this respect.
The general research question addressed in this article is: What does the cyber insurance market in Sweden look like? This broad question is broken down into a few more specific research questions:
- What coverage do typical cyber insurance products offer?
- How many cyber customers and claims do insurance companies have?
- How is the market segmented?
- How does the underwriting process look?
- How are premiums determined?
- Are business interruptions treated with mathematical availability modeling tools?
- How does cyber insurance fit into a bigger risk management tool box?
These research questions were investigated using semi-structured interviews with the insurance companies offering cyber insurance products on the Swedish market. At this stage, no demand-side investigation, i.e. data collection from buyers of cyber insurance, was conducted. Nevertheless, the findings offer an interesting picture of the cyber insurance market in Sweden.
The remainder of this article is structured as follows. Section 2 reviews the literature for related work. The methodology used is described in Section 3, followed by a report of findings in Section 4. Results and implications are then discussed in Section 5, which together with the findings is the main contribution. Section 6 concludes the article with some final remarks and thoughts on future work.
Summary and Conclusions
The results reported in this article offer an interesting picture of the cyber insurance market in Sweden. Market offerings are quite similar in covering both 1st party costs, e.g. from business interruption, and 3rd party liabilities, e.g. from data breaches. However, there are important discrepancies in the coverage of non-malicious events, the extent to which events at sub-contractors/service providers are covered, and the coverage for subsidiaries and corporate entities in different jurisdictions. The cyber insurance policies offered are not pure instruments of risk transfer, but typically also contain first response incident management, which is an important sales driver.
The Swedish cyber insurance market is rapidly growing, but cyber insurance in Sweden is currently mostly bought by large companies. This reflects a market segmentation where the standard products come with a complicated underwriting process tailoring offers to large customers, but some niche players are increasingly offering simpler policies aimed at smaller customers. Accurate pricing of cyber insurance is difficult and is based on expert models rather than on historical data. Lack of actuarial pricing is a cause for concern, at least among re-insurers who fear that pricing is wrong. In the long run, there is a belief among market actors that prices will become more accurate and converge, but there is some disagreement on whether this correction will mean lower or higher premiums, and whether it will be benign or a bubble bursting. Anyhow, increased competition has put pressure on premiums on the Swedish market. As a rough indication, the typical annual premium span is some 5–10 kSEK per MSEK indemnity limit, i.e. 0.5–1% of the indemnity limit.
Waiting periods for business interruption coverage are long (6–8–24–36–48–72 hours) compared to many outages. This probably reflects the principle that insurance is about managing large but uncommon risks, rather than small and mundane ones. However, preferences for waiting periods may vary over different customer segments.
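The interaction between a waiting period (a time deductible on business interruption cover) and typical outage durations is easy to see in a small model. The following is an added illustration, not code or data from the study: the waiting periods are the ones listed above, while the outage durations, the hourly loss figure and the indemnity limit are constructed sample values, and the premium rule of thumb is the 5–10 kSEK per MSEK span reported in the summary. The function names are the example's own.

```python
"""Business interruption cover with a waiting period (time deductible).

Added illustration, not from the paper. It shows how a waiting period in
hours determines which outages produce a claim at all, and how the
paper's premium rule of thumb compares with the indemnified loss.
All outage durations and loss figures are constructed sample values.
"""

# Waiting periods reported for the Swedish market, in hours.
WAITING_PERIODS_HOURS = (6, 8, 24, 36, 48, 72)

# Constructed sample of outage durations in hours (NOT data from the study):
# many short incidents and a few long ones.
SAMPLE_OUTAGES_HOURS = (0.5, 1.0, 2.0, 3.0, 4.0, 7.0, 12.0, 30.0, 60.0, 100.0)


def covered_loss(outage_hours, waiting_hours, hourly_loss_sek, indemnity_limit_sek):
    """Loss the insurer would indemnify for a single outage.

    Only downtime beyond the waiting period is compensable, and the payout
    is capped at the policy's indemnity limit.
    """
    compensable_hours = max(0.0, outage_hours - waiting_hours)
    return min(compensable_hours * hourly_loss_sek, indemnity_limit_sek)


def share_of_outages_covered(outages_hours, waiting_hours):
    """Fraction of outages that last longer than the waiting period,
    i.e. that produce any claim at all."""
    return sum(1 for d in outages_hours if d > waiting_hours) / len(outages_hours)


def coverage_table(outages_hours, hourly_loss_sek, indemnity_limit_sek,
                   waiting_periods=WAITING_PERIODS_HOURS):
    """For each waiting period, return (share of outages producing a claim,
    total indemnified loss in SEK over the whole outage sample)."""
    table = {}
    for w in waiting_periods:
        total = sum(covered_loss(d, w, hourly_loss_sek, indemnity_limit_sek)
                    for d in outages_hours)
        table[w] = (share_of_outages_covered(outages_hours, w), total)
    return table


def annual_premium_sek(indemnity_limit_sek, rate_ksek_per_msek):
    """Annual premium from the paper's rule of thumb: a rate of
    rate_ksek_per_msek kSEK per MSEK of indemnity limit (5-10 in the study)."""
    return indemnity_limit_sek / 1_000_000 * rate_ksek_per_msek * 1_000


if __name__ == "__main__":
    # Constructed assumptions: 10 kSEK lost per hour of downtime, 1 MSEK limit.
    hourly_loss, limit = 10_000, 1_000_000
    for w, (share, total) in coverage_table(SAMPLE_OUTAGES_HOURS, hourly_loss, limit).items():
        print(f"waiting {w:>2} h: {share:4.0%} of outages claimable, "
              f"{total:,.0f} SEK indemnified over the sample")
    for rate in (5, 10):
        print(f"premium at {rate} kSEK/MSEK on a {limit:,} SEK limit: "
              f"{annual_premium_sek(limit, rate):,.0f} SEK/year")
```

Running it with the constructed sample shows the point made above: at a 6-hour waiting period half of the sample outages never reach the policy, and at 72 hours only the single very long outage does, so the cover targets rare, large interruptions rather than the short ones that dominate in count.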
Insurance companies are not willing to insure customers that are too immature or have too poor security. To some extent, this can be understood from standard reasoning about adverse selection, but particularities of the cyber market also make for additional complications. Insurance companies impose information and IT security requirements on their customers, and insurance pricing and underwriting nudge customers in a more secure direction, though practices vary between insurance companies.
While the study is limited to the Swedish market, the results are of broader interest, as some aspects can be generalized to the global arena. While absolute numbers such as deductibles, indemnity limits, number of customers and number of claims cannot be transferred from the Swedish setting, many important qualitative features can be expected to apply worldwide. This includes the dynamics of the interplay between global and regional insurance companies in other countries that are mature in IT in general, but where the cyber insurance market is still growing fast. It also includes coverage and incident first response services, underwriting processes, waiting periods, and requirements posed on the insured, at the very least with respect to I2, I3, I4, I5, I6, I7, and I9, which are all global companies.
Though the picture summarized above is interesting, it is by no means complete. A few avenues for future work suggest themselves. First, an obvious road ahead is to complement the supply-side investigation reported here with a similar demand-side one, i.e. to conduct a study with cyber insurance customers. Such a study could corroborate findings regarding e.g. premiums, underwriting, and security requirements imposed, as well as answer new questions regarding e.g. insurance as part of wider risk management practices, rationales for procuring cyber insurance, and the role of the insurance intermediary. A second interesting undertaking would be to combine the mathematical cyber insurance models found in the literature with findings from qualitative empirical research such as that reported in this article. A third area concerns cyber insurance decision-making and the preferences of decision-makers. This could be studied e.g. with an experimental economics approach, as has previously been applied to availability service level agreements (Franke and Buschle, 2016). A fourth area deals with different markets and would include more detailed investigations of how cyber insurance markets are (i) similar and (ii) different across different countries.