Cyber attacks ahead

Cyber insurance has a lower loss ratio than many other lines of business, and there's increasing demand for it from the commercial market, but insurers remain wary of turning on the capacity tap. And rightly so, because there's a sting in the tail.

No one has yet seen a true cyber 'catastrophe' — a cyber campaign or event that could cause thousands of companies to have large claims on their cyber cover. But recent trends have come close and provided hints at the way that this could happen.

Looking back to move forward

NotPetya and WannaCry were wake-up calls across the industry: WannaCry, in May 2017, was a malware attack that caused 300,000 infections across 150 countries, with hundreds of infected businesses suffering business interruption from failures of manufacturing processes, dispatch and ordering systems, telephone exchange equipment, and other system failures. Businesses lost around half a billion dollars, but insurance claims were light, thanks to low penetration levels, retentions, and coverage exclusions.

A month later, NotPetya hit a different sector of business with a different piece of malware, this time with 2,000 infections of machines in businesses across 65 countries, with a more vicious disk wiper payload. Over a dozen multinationals reported impacts to their quarterly earnings from infection, and over 30 international companies suffered disruption, including many Ukrainian businesses, amounting to an estimated $2.5 to $3 billion of losses borne by the businesses, but again the cyber insurance industry came off lightly.

These events were examples of systemic risk, or the ability for cyber to scale up a loss process across a portfolio of insureds and test the accumulation controls of an insurer.

The breach list goes on

Other recent cyber events have hit large numbers of companies but have similarly not reached the threshold of causing large insured loss payouts.

In January 2017, a security bug in MongoDB, one of the most widely used databases, resulted in data being stolen from 'tens of thousands' of installations.

A denial-of-service attack on the Dyn internet traffic management system in October 2016 took out thousands of websites and affected some of the largest names in web commerce. In February 2017, Amazon Web Services suffered an outage of its cloud storage services for several hours, affecting 148,000 websites and almost a quarter of its users. The Equifax data breach in July 2017 saw the theft of 143 million credit assessments of individuals, which had the potential for cascading consequences to many other businesses.

So insurers are reviewing their tail risk: what are the chances of a future cyber event that could trigger thousands of large losses simultaneously to accounts in a cyber insurance portfolio, and damage the loss ratio?

Most critically, this tail risk assessment determines the risk capital allocation to support cyber as a class of business. The capacity that an insurer can make available to providing cyber insurance has to compete for capital with other lines of insurance. In these other lines of business, the tail risk assessment is more assured — there is a longer period of claims experience, and the actuarial and catastrophe models of extreme loss probabilities are more mature and insurers have higher levels of confidence in them. Insurers remain reluctant to allocate big lines of capacity to cyber until they can assess cyber tail risk with more confidence.

The provision of cyber insurance can only grow to meet the demand for it when insurers are comfortable in assessing the tail risk and adequately building the catastrophe loading into their pricing.

Cyber risk analysis strategies

Insurers are applying a number of methods to improve their confidence in assessing tail risk.

Many are reviewing the statistics of past cyber claims, a historical record that is steadily lengthening and now dates back with some confidence for around 12 years. But extrapolating the observed volatility to long return periods does not capture the potential for unexpected shocks.

Some are deriving parallels from the tail risk characteristics of other classes of insurance that are better understood: Does cyber loss look more like fire risk, liability lines, or natural catastrophe? Others are developing analysis of the ways that future cyber losses could scale with different types of malware or cyber attack technique, building stochastic models of different paths for extreme losses to occur.

What if WannaCry had played out differently — say the malware had gotten into circulation before the Windows patch for the vulnerability had been released, or if it hadn't contained a kill-switch? What if the next malware attack exploits a more common vulnerability, has faster replication, a more virulent mechanism for lateral infection within an organization, and a more destructive payload?

The next generation of cyber analytics is focused on helping insurers allocate their risk capital to cyber through detailed technical assessment of ways that extreme scaling can occur, and the likelihood of large loss to a portfolio.

Insurers are wrestling with the beast that is cyber insurance. Finally they are getting the measure of the thickness of its tail.

Dr. Andrew Coburn is senior vice president at Risk Management Solutions, Inc. He can be reached by sending email to [email protected].
