The rise in cyber-attacks during the COVID pandemic has exacerbated the holes in the insurance industry’s response to the threat according to S&P Global Ratings.

In its latest report the ratings firm warned the rapid development of stand-alone cyber insurance products would benefit both insurers and policyholders, given the experience of recent months.

It added that although cyber-attacks and the resulting financial losses are on the rise, the cyber insurance market is underdeveloped. Cyber cover is often bundled into existing property or liability insurance policies, and in some cases, the policies do not explicitly include or exclude cyber cover at all. This gives rise to “silent cyber”, or the risk to insurers of losses from cyber-related claims on existing property or liability insurance policies.

“Even when the inclusion of cyber cover is explicit, a lack of transparency in both the policy’s definition of cyber events and its terms and conditions creates uncertainty about the scope of the cover,” added the report.

“In S&P Global Ratings’ view, the development of stand-alone cyber insurance products would reduce the problem by clarifying the scope of the cover. Such products would also be better suited to the complex and dynamic nature of cyber risk,” it added. “Even better would be the development of a stand-alone cyber line of business managed via a cyber centre of excellence.

“This would have many advantages for insurers, chief among them preventing cyber-related claims accumulating across many different lines of business, as well as the difficulties in handling such claims. It would also allow insurers to mitigate the risk of silent cyber, as well as take a centralized and coordinated approach to data collection and research, which is vital for accurately calculating risk-adequate premiums.”

The report explained the “pandemic year of 2020” saw a step change in the complexity and sophistication of cyber-attacks and, therefore, in the nature of cyber risks. The financial consequences for the victims of such attacks are huge. According to the Hiscox Cyber Readiness Report 2020, the median cost of a cyber-attack rose almost sixfold worldwide between 2019 and 2020.

Yet only 26% of the firms sampled in Hiscox’s report have a stand-alone cyber insurance policy, it added. Most rely on generic insurance policies or have no cyber insurance at all.

“The cyber insurance market therefore has huge growth potential, but insurers lack the products to appropriately meet expected future demand,” added the report. “Insurers with sophisticated risk management frameworks and those that invest appropriately in cyber expertise are best placed to provide specific cyber insurance products and reap the benefits.”

S&P said the importance of transparency and clear wording in policies became evident last year, when some insurers suffered reputational damage after rejecting policyholders’ business interruption claims amid the pandemic.

Insurers are making progress on developing specific cyber insurance policies with clear terms and conditions and are starting to build stand-alone cyber business lines that can handle the challenges associated with underwriting this type of cover,” said the report. “However, they still have some way to go to meet policyholders’ needs.

“At the very least, their progress needs to keep pace with the evolution of cyber risk. On the other hand, aggressive expansion into the cyber without effective risk controls could also be detrimental to our assessment of insurance companies’ balance sheets.

“In our rating framework, we not only assess the insurer’s current state of play, but also the journey it may take to build up a sustainable cyber line of business. Should an insurer expand aggressively in the cyber market without proper management of cyber risks and effective risk controls, it could change our view of the insurer’s risk exposure, capital and earnings, or governance scores.”

S&P said the importance of transparency and clear wording in policies became evident last year, when some insurers suffered reputational damage after rejecting policyholders’ business interruption claims amid the pandemic.