Insurers need to step up their understanding of cyber risk, warn Visesh Gosrani, Simon Cartagena and Justyna Pikinska
During the past decade, we have seen increasing concern from boards and regulators over cyber risk’s potential to impact insurer balance sheets. Headline-making incidents are becoming common, but the actual impact of cyber events has not resulted in the ‘cyber armageddon’ predicted by Swiss Re CEO Christian Mumenthaler at the 2017 Monte Carlo Rendez-Vous, when he stated that cyber is “probably not insurable”. His comment followed a series of ransomware attacks that had occurred in 2017, stemming from the EternalBlue vulnerability. These caused major disruption, but lucky outcomes limited the spread of the malware, which could have caused significantly more damage than it did.
A dominant threat
Ransomware has risen in dominance during the past few years. A large increase in the frequency of attacks in 2017 was ignited by Bitcoin, with the key attraction being the anonymity afforded by this form of payment. This was followed by a ‘quiet’ period during 2018 and 2019, highlighting the unpredictability of the frequency and severity of attacks (see bit.ly/Ransom_Attacks).
Rising ransom activity drew greater regulatory attention and led insurers to review the risk from their cyber portfolios. This resulted in significant premium rate increases from 2019 onwards, reflecting rising potential losses from cyber insurance and reducing the projected loss ratios. The simultaneous reduction in regulatory approval for new entrants has helped insurers implement these price increases by empowering a disciplined approach.
While the limited supply is enabling a hardening of the underwriting cycle, it is also resulting in a 25% shortfall in supply versus demand. In 2021, we saw a US$100m reduction in supply from existing writers compared with 2020, with new entrants only bringing US$50m back. This has resulted in a US$300bn shortfall in coverage, versus US$1.1trn in demand for coverage.
An accessible and lucrative ‘career’
Cybercrime is estimated to have cost the global economy US$3trn in 2015, and this is projected to rise to US$10.5trn in 2025 due to an increasing number of attacks – the number quadrupled between 2016 and 2021. Attacks now impact a much wider variety of organisations than previously.
The criminal organisations perpetrating the attacks need a suite of skills, many of which are now available on a specialist outsourced basis, making this type of criminal ‘career’ more accessible and thus driving increasing frequency. Furthermore, the attack success rate is increasing as bad actors take the time to find the ransom request figure that is high enough to make the attack worthwhile, but low enough to be worthwhile for an organisation to pay. This cycle results in a lucrative path, attracting more to the ‘profession’ while increasing the resilience of those who are already in it.
Insurers’ awareness of the threat environment and its evolution can facilitate decision-making when it comes to adapting their underwriting approach so it aligns with their own risk appetite, as threat actor activity levels and/or capabilities evolve.
Evolution across attack vectors
There were several themes to the cyber incidents in 2021, with attackers taking advantage of the disruption caused by COVID-19. These included:
- Outages for widely used cloud services, including Microsoft, Google and Facebook
- Trusted access was used to gain access to systems such as Solar Winds and Kaseya.
There was also a step-change in critical infrastructure attacks; previously, intruders had been discovered but attacks had not been as impactful as they were in 2021. Two significant events included:
- The Colonial Pipeline in the US having to be shut down, causing fuel supply concerns
- A dangerous level of sodium hydroxide being added to the Florida water system; fortunately this was reversed before damage occurred.
The insurers CNA and AXA were also targeted by ransomware, possibly because of their public statements about their strategy towards ransomware payments.
It is important to note that a wide range of policies could have been impacted by more severe versions of the attacks seen in 2021. These include life policies, as well as business interruption covering the potential impacts of critical infrastructure attacks.
Use vendor models with caution
The limited level of data and the need to extrapolate to adverse events results in significant differences in the modelling done by model vendors. Figure 1 shows that results for two models are similar whether looking at catastrophe losses only, or at catastrophe and attritional losses. Model vendor 3 shows a significantly greater impact from attritional losses at more remote outcomes. As a result, it is important to engage with the chosen model vendor to understand what they expect to be driving the risk, and use this to inform your selections.
The types of scenarios captured by vendor models vary significantly, and it takes effort to understand the limitations and how they impact your organisation. As a result, more work is required to understand vendors’ cyber models than natural catastrophe risk models, in order to use them for capital modelling. In addition, the impact of cyber risk on other risk areas, such as operational risk, reinsurer counterparty and market risk, needs to be considered. At the tail, it is possible that the correlation between them starts to increase.
Insurers will need to find a pragmatic way to incorporate vendor model estimates into their capital models to ensure they are adequately allocating capital for the risk. The changing threat and risk landscape present new challenges for capital modelling, as the risk could dramatically change from year to year depending on external factors. As such, insurers need to clearly assess their comfort in the capital estimated for writing cyber and correlations with their traditional portfolio.
“Collaboration with cybersecurity experts is crucial to bridge knowledge gaps so that the risk is understood as it evolves”
A multidisciplinary approach
Cyber risk impacts an insurer in too many ways for a small team to fully grasp. The specialist disciplines within an insurer, tackling different areas of cyber risk, must bring their perspectives together and form a more complete understanding.
Many insurers have set up cyber ‘centres of excellence’ and use these to ensure that there is collaboration between different areas of expertise. The performance of these centres will be key in managing the long-term performance and resilience against adverse events.
Cyber risk is clearly a discipline where actuaries cannot work independently from cybersecurity experts. Collaboration is crucial to bridge knowledge gaps so that the risk is understood as it evolves. Actuaries can work more dynamically on cyber risk as it evolves to give comfort and confidence to underwriters, boards and regulators.
The insurance ‘cake’ is at risk of being eaten by customers
Some insureds are reacting to price increases and limited capacity by increasing the sophistication of their cyber risk assessment. This improves the rationalisation of their IT spend versus their insurance budget. One improvement is in the modelling of ‘what if?’ scenarios to better understand and quantify the impact of events, with the most sophisticated corporates using vendor models such as those used by insurers.
Insurers that can find ways to recognise the significant effort made by some customers, and better differentiate against those of limited maturity, will cherry pick quality insureds and reduce their flight from insurance.
Visesh Gosrani is head of actuarial at the Medical Protection Society and chair of the IFoA Cyber Risk Working Party
Simon Cartagena is deputy CRO at SCOR UK and Channel
Justyna Pikinska is head of analytics at Gallagher Re
Image credit | Shutterstock
