Insurers are becoming more selective about the risks they cover as they reach a better understanding of cyber exposure for the airline sector. While prices are rising and coverage is potentially becoming less comprehensive, it’s not all bad news for airlines looking for cyber insurance, suggested Olivia Lovitt and Jamie Monck-Mason, both members of WTW’s specialist cyber insurance team, speaking at the fifth session of the 2022 WTW Airline Webinar Series.
“Clients need to understand what they are covered for, and perhaps more importantly what they are not covered for.”
Jamie Monck-Mason
Executive Director, Cyber, WTW
“Cyber insurance is a very complicated product,” Monck-Mason observed. “Clients need to understand what they are covered for, and perhaps more importantly what they are not covered for.”
To help achieve this, the session offered a brief overview of how the cyber insurance market has evolved since its inception at the turn of the millennium. It then focused on the specifics of the airline sector and why insurers have become particularly careful when supporting an airline risk.
Cyber insurance evolved during the late 1990s dot-com bubble. It initially focused on data protection in the US in response to local legislation, but quickly stimulated innovation across the global insurance markets.
It kept evolving to keep up with the global regulatory environment and its scope expanded to encompass other gaps in traditional lines of insurance, such as non-damage cyber business interruption.
Established lines of insurance offered insurers little potential for bottom-line growth, but as a relatively new and still evolving product, cyber insurance became recognised as a complementary opportunity where insurers could grow strongly and quickly. The market’s lively competition kept prices low and the appetite for innovation high.
“With hindsight, it is possible that some insurers were too keen to get into the market and didn’t necessarily have a handle on the risks that they were supporting,” Monck-Mason suggested to delegates. “The scrutiny of risk in some cases was relatively cursory even as recently as 2019. Unfortunately, from the point of view of the insurance buyer, that situation could not continue, particularly after a spate of well-publicised cyber incidents. Over the last couple of years premiums have been rising exponentially and insurers becoming far more selective.”
The changing environment also reflects the growing maturity of the cyber insurance sector. There have been some significant claims in several industries and insurers are getting a better understanding of the nature of cyber risk. One of the things that has become clear though, is that the airline sector offers some very specific challenges.
For example, cyber insurance was originally created to cover the risk of data breaches, as airlines collect and manage a significant amount of personal data including payment card information. Airline passengers can also come from a variety of countries, which complicates the regulatory and liability exposure.
“The growth in ransomware attacks is also impacting how insurers are viewing potential clients.”
Olivia Lovitt
Lead Associate, Cyber, WTW
In addition, airlines are vulnerable to high business interruption losses after a system outage. “There have been several incidents that have led to flights being grounded following IT outages”. This could be the result of a cyber incident on airline’s own IT network or even the network of one of its IT partners, Lovitt explained. “The growth in ransomware attacks is also impacting how insurers are viewing potential clients and means that they are being far more critical when considering airlines.”
Airlines, and particularly flag-carriers, are also a critical component of national infrastructure, making them high-profile targets for hacktivists, extortionists and even state sponsored cyber-attacks.
Aggregation is also a very significant concern. Airlines by their nature are dependent on third party supply chains, and several airlines can be reliant on the same IT provider for a range of online services. A single breach can impact numerous airlines globally, meaning that an insurer could be exposed to the same loss across multiple programmes.
The session went on to explain that as a result of all of these factors, insurers’ appetite for writing airline cyber insurance had fallen significantly over the last couple of years with premiums inevitably rising and coverage terms often becoming less favourable.
“While this is not good for clients, premium was at unsustainable levels and prices needed to rise to ensure that the cost reflected the risk and that insurers could remain in the market,” Lovitt said. “This is a period of readjustment. Airlines are increasing their self-insured retentions and insurers are asking for more detailed information and putting minimum standards in place with regards to IT controls. Where insurers feel that these aren’t met, they are stepping away.”
The harder market conditions create an opportunity for airlines to work with their insurance brokers and other consultants to enhance their cyber security profile
The harder market conditions create an opportunity for airlines to work with their insurance brokers and other consultants to enhance their cyber security profile. Insurers have made it clear what they are looking for and there is capacity to support well managed risks that engage positively with the market. WTW regularly work with their clients to review the specific areas of IT security concern highlighted by insurers. It is important for your broker to work with insurers to help them clearly understand your IT environment. For example, where you may not implement an IT control that is considered an insurer’s minimum IT standard, your broker will need to understand what mitigating controls you have in place in their absence to best position your risk to insurers, Lovitt observed.
This evolution of the broker role from sales to a more advisory position has been happening in parallel with the development of cyber insurance over the last two decades. In this respect, the comments of the WTW cyber insurance team echo some of the discussions that took place during the third session of the WTW Airline Webinar Series, which provided perspectives on the value of data.
The best advice in the current climate is not to rush to market but to make sure that you can present your IT security in the best light.
In the view of the WTW cyber insurance team, the best advice in the current climate is not to rush to market but to make sure that you can present your IT security in the best light. The insurance market has capacity and willingness to support exposure, but as it has matured insurers have developed a better understanding of the risk and how they need to respond in the event of a claim. On balance, that could be seen as a good thing.
The ‘state-of-the-industry’ webinar series scheduled by WTW, supported the aviation sector by providing an opportunity for the industry to convene and discuss a broad spectrum of risk and insurance issues in what are proving to be challenging times for airlines.