Cyber insurance has a lower loss ratio thanmany other lines of business, and there's increasing demand for itfrom the commercial market, but insurers remain wary of turning onthe capacity tap. And rightly so, because there's a sting in thetail.
|No one has yet seen a true cyber 'catastrophe' — a cybercampaign or event that could cause thousands of companies to havelarge claims on their cyber cover. But recent trends have comeclose and provided hints at the way that this could happen.
|Looking back to move forward
NotPetya and WannaCry were wake-up calls acrossthe industry: WannaCry, in May 2017, was a malware attackthat caused 300,000 infections across 150 countries, with hundredsof infected businesses suffering business interruption fromfailures of manufacturing processes, dispatch and ordering systems,telephone exchange equipment, and other system failures. Businesseslost around half a billion dollars, but insurance claims werelight, thanks to low penetration levels, retentions, and coverageexclusions.
|A month later, NotPetya hit a different sector of business witha different piece of malware, this time with2,000 infections of machines in businesses across 65 countries,with a more vicious disk wiper payload. Over a dozen multinationalsreported impacts to their quarterly earnings from infection, andover 30 international companies suffered disruption, including manyUkrainian businesses, amounting to an estimated $2.5 to $3 billionof losses borne by the businesses, but again the cyber insuranceindustry came off lightly.
|These events were examples of systemic risk, orthe ability for cyber to scale up a loss process across a portfolioof insureds and test the accumulation controls of an insurer.
|The breach list goes on
Other recent cyber events have hit large numbers of companiesbut have similarly not made it to the threshold of causing largeinsured loss pay outs.
|In January 2017, a security bug in MongoDB, one of the mostwidely used databases, resulted in data being stolen from 'tens ofthousands' of installations.
|A denial of service attack on Dyn internettraffic management system in October 2016 took out thousands ofwebsites and affected some of the largest names in web commerce. InFebruary 2017, Amazon Web Services suffered an outage of theircloud storage services for several hours, affecting 148,000websites and almost a quarter of their users. The Equifax databreach in July 2017 saw the theft of 143 million credit assessmentsof individuals, that had the potential for cascading consequencesto many other businesses.
|So insurers are reviewing their tail risk: what are the chancesof a future cyber event that could triggerthousands of large losses simultaneously to accounts in a cyberinsurance portfolio, and damage the loss ratio?
|Most critically, this tail risk assessment determines the risk capitalallocation to support cyber as a class of business. Thecapacity that an insurer can make available to providing cyberinsurance has to compete for capital with other lines of insurance.In these other lines of business, the tail risk assessment is moreassured — there is a longer period of claims experience, and theactuarial and catastrophe models of extreme loss probabilities aremore mature and insurers have higher levels of confidence in them.Insurers remain reluctant to allocate big lines of capacity tocyber until they can assess cyber tail risk with moreconfidence.
|The provision of cyber insurance can only growto meet the demand for it when insurers are comfortable inassessing the tail risk and adequately pricing the catastropheloading into their pricing.
|Cyber risk analysis strategies
Insurers are applying a number of methods to improve theirconfidence in assessing tail risk.
|Many are reviewing the statistics of past cyberclaims, which is steadily lengthening as a historical record,dating back now with some confidence for around 12 years, butextrapolating the observed volatility to long return periods doesnot capture the potential for unexpected shocks.
|Some are deriving parallels from the tail risk characteristicsof other classes of insurance that are better understood: Doescyber loss look more like fire risk, liability lines, or naturalcatastrophe? Others are developing analysis of the ways that futurecyber losses could scale with different types of malware or cyberattack technique, building stochastic models of different paths forextreme losses to occur.
|What if WannaCry had played out differently — say the malwarehad gotten into circulation before the Windows patch for thevulnerability had been released, or if it hadn't contained akill-switch? What if the next malware attack exploits a more commonvulnerability, has faster replication, a more virulent mechanismfor lateral infection within an organization, and a moredestructive payload?
|The next generation of cyber analytics is focused on helpinginsurers allocate their risk capital to cyber through detailedtechnical assessment of ways that extreme scaling can occur, andthe likelihood of large loss to a portfolio.
|Insurers are wrestling with the beast that is cyber insurance.Finally they are getting the measure of the thickness of itstail.
|Dr. Andrew Coburn is senior vice president at RiskManagement Solutions, Inc. He can be reached by sending emailto [email protected].
|See also:
||Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- All PropertyCasualty360.com news coverage, best practices, and in-depth analysis.
- Educational webcasts, resources from industry leaders, and informative newsletters.
- Other award-winning websites including BenefitsPRO.com and ThinkAdvisor.com.
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
