Cyber-Risk Costs Resist Overall Trend

Businesses' total cost of risk declined again in 2017, but cyber insurance costs moved in the opposite direction, rising 33%.
A measurement of businesses’ total cost of risk (TCOR), primarily used by the insurance industry, declined for the fourth year in a row in 2017, according to The Risk Management Society (RIMS).

Despite record-setting natural catastrophes, the average total cost of risk (TCOR) trended lower for the fourth year in a row — a 3% decrease, according to the newly released 2018 RIMS Benchmark Survey. 

TCOR (defined as the total cost of insurance premiums, retained losses [deductibles/uninsured losses], and internal/external risk control costs) decreased from $10.07 per $1,000 of revenue in 2016 to $9.75 per $1,000 of revenue in 2017.

The marginal decline was driven by decreases in property, liability, workers’ compensation, management liability, and professional liability costs, as well as a fall in overall risk management administration costs, RIMS said.

“Market conditions are favorable for insurance buyers,” stated David Bradford, co-founder and chief strategy officer of Advisen. “A competitive insurance market resulting from a chronic overabundance of risk capital strongly contributed to TCOR decreasing steadily since 2013.”

One area bucking the trend of lower costs, however, is cyber insurance.

Over the last six years, the proportion of companies buying cyber insurance has risen from 35% in 2011 to 65% in 2017.

The average cost of cyber insurance per $1,000 of revenue rose 33% in 2017, to $0.28, up from $0.21 a year earlier. Average insurance premiums per employee increased by 9%.

Insurance costs typically rise when carriers experience higher than expected losses or there is a change in the regulatory environment.

Cyber liability coverage used to be an element of errors and omissions (E&O) coverage, but it is becoming more specialized and complex.

Coverage forms are evolving rapidly, encompassing components such as identity theft as a result of security breaches, costs associated with damage or breach to data records, and the cost of credit monitoring services for people impacted by a security breach, according to RIMS.

Data breach coverage continued to be the kind of coverage most sought by businesses, followed by cyber business interruption, cyber extortion, funds transfer fraud, and system failure.

“In the past, common rationalizations for not buying cyber insurance included such things as ‘the company does not deal with consumers,’ ‘the company is too small to be of interest to hackers,’ and ‘the IT department has everything under control,’” according to the RIMS report.

However, “recent events have shown that almost every company, regardless of size or industry group, has a cyber exposure, and that no company, no matter how good its IT department, is immune to successful attacks.”

According to a recently released survey of 500 senior executives of U.S. companies by The Risk Institute at Ohio State University, 33% of companies judge their business to be at “extremely high risk” of a cyber security breach.

In 2017, coverage limits for cyber insurance varied substantially by revenue size. Most companies with revenue below $1 billion purchased policy limits of $10 million or below. Most of the largest companies in the survey ($10 billion or more in revenue) bought cyber liability coverage with limits in the $41 million to $150 million range.

Average retention (assumption of risk of loss by means of noninsurance, self-insurance, or deductibles) increased for most kinds of coverage, RIMS said.

Measured by premium volume, AIG held the largest market share in the cyber market, followed by Lloyd's of London, Beazley PLC, Aspen Insurance Holdings, and XL Catlin, according to RIMS.

The education, banking, and health care industries were the top buyers of cyber insurance last year.
