In May this year, WannaCry ransomware shut down operating systems, crippling organizations such as Britain’s National Health Service along with thousands of smaller businesses. The next big attack could target fintechs, and insurers are hoping to cash in on the need for coverage – but they are finding it difficult to convert this into real business.
Fintech companies are considered at risk because of the nature of their businesses.
“I’m now spending more than half my time on cyber,” Jason Kelly, head of liabilities and financial lines at AIG Asia Pacific, told DigFin.
How big is the risk? Perceptions of fintechs as a vulnerability are rising. On December 11, the Depository Trust & Clearing Corporation released a semi-annual survey of financial market participants in which 15% of respondents said fintech may pose a significant risk to financial stability. (DTCC didn’t say how many people participated.)
More generally, 36% named cyber risk as the biggest threat to the global economy.
“Fintechs will need insurance,” said Murray Wood, head of financial specialties for Asia at Aon Risk Solutions, speaking at the Singapore Fintech Festival in November.
Fintech companies deal with a mix of customer data, transactions and access to money just like a big financial institution – but without a bank’s I.T. security or risk management.
This makes them juicy targets, even small ones. But they may struggle to afford traditional insurance, because they also lack an established institution’s claims history or record of dealing with losses, factors that contribute to pricing risk.
There is no evidence that fintechs are buying protection against cyber crime in any great measure. Data is sketchy. Aon Risk Solutions says in 2017, the global insurance industry sold $1.5 billion to $4.5 billion in cyber-insurance premiums, but there is no breakdown of customers by sector.
According to Allianz, 90% of these sales have been in the U.S. Aon estimates annual premiums will reach $20 billion by 2020 (other estimates say that figure won’t be reached till 2025).
The big one
The fear among insurers is that one big cyber event could wipe out all of those premiums. They specifically worry about ‘accumulation’, when a cyber event impacts many companies at once, as WannaCry did. If a private cloud service suffers an outage, it could generate losses of up to $53 billion, says Aon. “That’s equivalent to the largest natural catastrophe,” Wood said.
The insurance industry will survive 2017, with its hurricanes, floods, earthquakes, fires and other calamities, because the property & casualty business is well capitalized and enjoys strong earnings – and because governments are prepared to backstop the industry with emergency measures.
The same isn’t true of cyber. “$53 billion is a big number for an insurance market in its infancy,” Wood added.
In other words, the insurance industry can’t deal with an outlier event in cyber, not so long as accumulation remains a big risk.
Waiting for government
“I don’t think we’ll do much cyber until governments decide to back it, just like they do for natural disasters,” said an executive at a global reinsurance company. He told DigFin that the numbers he had seen among the reinsurer’s primary clients suggested not a lot of cyber is getting underwritten.
The U.K. has been proactive. Its Financial Conduct Authority is mandating fintechs purchase professional liability insurance. Insurers are responding by developing cyber products that incorporate aspects of traditional coverage for smaller businesses.
Singapore’s Monetary Authority hasn’t yet taken the same step but industry officials say it is mulling the idea. Aon says more insurers are coming to Singapore for cyber-related business.
For example, Markel International, a subsidiary of U.S.-based Markel Corporation, is taking its U.K. cyber product to Singapore, says Simon Moi, Asia head of professional and financial risks.
He says U.K. authorities are worried about peer-to-peer networks and crowdfunding, where trading activity could lead to breaches. “Many fintechs think they don’t carry any risk,” Moi told DigFin, adding Markel is targeting businesses with a maximum turnover of $5 million.
Desirables and deplorables
AIG, Markel and others are offering coverage against data breaches, data security liability, and network interruption. Extras include bundles with traditional small-business protections, consulting to prevent hacks, forensics in the wake of attacks, and ransom coverage.
Less clear is whether any of these insurers will provide full cyber coverage to big financial institutions. And they are avoiding large technology companies like the plague. No one has figured out how to price a breach or outage at an Alibaba, an Amazon or an Uber, so these companies have to rely on their (large) balance sheets to pay for any problems.
It is possible that insurance brokers or consortiums such as Lloyd’s will find a way to pool such risks. “But it’s hard to understand the risk when these new companies are growing so fast and expanding into new markets,” AIG’s Kelly said.
Another set of untouchables: crypto-currency companies, including blockchain players. The volatility of bitcoin and other crypto assets, and their dodgy reputations as facilitators of crime, make these fintechs uninsurable.
The new edge for fintechs?
Even if governments don’t follow the FCA and make professional liability insurance mandatory for fintechs, having coverage will become a competitive necessity, particularly in the B2B space. Financial institutions don’t want to be exposed to a fintech’s risks. Big tech companies such as Google already insist on small tech partners being insured, so banks may well follow.
“Fund managers [in Singapore] need to have professional liability insurance,” said Moi. “Maybe fintechs will too?”
The European Union is going to make indemnity insurance mandatory for financial institutions, and it’s not a leap to imagine Brussels adding cyber crime to the list. Nor is it hard to imagine venture capitalists starting to consider insurance in their investment decisions.