Held to ransom: Understanding cyber risk

Open-access content Wednesday 2nd March 2022
Authors
Justyna Pikinska
Simon Cartagena
Visesh Gosrani

Insurers need to step up their understanding of cyber risk, warn Visesh Gosrani, Simon Cartagena and Justyna Pikinska


During the past decade, we have seen increasing concern from boards and regulators over cyber risk’s potential to impact insurer balance sheets. Headline-making incidents are becoming common, but the actual impact of cyber events has not resulted in the ‘cyber armageddon’ predicted by Swiss Re CEO Christian Mumenthaler at the 2017 Monte Carlo Rendez-Vous, when he stated that cyber is “probably not insurable”. His comment followed a series of ransomware attacks that had occurred in 2017, stemming from the EternalBlue vulnerability. These caused major disruption, but lucky outcomes limited the spread of the malware, which could have caused significantly more damage than it did.

A dominant threat

Ransomware has risen in dominance during the past few years. A large increase in the frequency of attacks in 2017 was ignited by Bitcoin, with the key attraction being the anonymity afforded by this form of payment. This was followed by a ‘quiet’ period during 2018 and 2019, highlighting the unpredictability of the frequency and severity of attacks (see bit.ly/Ransom_Attacks).

Rising ransom activity drew greater regulatory attention and led insurers to review the risk from their cyber portfolios. This resulted in significant premium rate increases from 2019 onwards, reflecting rising potential losses from cyber insurance and reducing the projected loss ratios. The simultaneous reduction in regulatory approval for new entrants has helped insurers implement these price increases by empowering a disciplined approach.

While the limited supply is enabling a hardening of the underwriting cycle, it is also resulting in a 25% shortfall in supply versus demand. In 2021, we saw a US$100m reduction in supply from existing writers compared with 2020, with new entrants only bringing US$50m back. This has resulted in a US$300bn shortfall in coverage, versus US$1.1trn in demand for coverage.

An accessible and lucrative ‘career’

Cybercrime is estimated to have cost the global economy US$3trn in 2015, and this is projected to rise to US$10.5trn in 2025 due to an increasing number of attacks – the number quadrupled between 2016 and 2021. Attacks now impact a much wider variety of organisations than previously.

The criminal organisations perpetrating the attacks need a suite of skills, many of which are now available on a specialist outsourced basis, making this type of criminal ‘career’ more accessible and thus driving increasing frequency. Furthermore, the attack success rate is increasing as bad actors take the time to find the ransom request figure that is high enough to make the attack worthwhile, but low enough to be worthwhile for an organisation to pay. This cycle results in a lucrative path, attracting more to the ‘profession’ while increasing the resilience of those who are already in it.

Insurers’ awareness of the threat environment and its evolution can facilitate decision-making when it comes to adapting their underwriting approach so it aligns with their own risk appetite, as threat actor activity levels and/or capabilities evolve.

Evolution across attack vectors

There were several themes to the cyber incidents in 2021, with attackers taking advantage of the disruption caused by COVID-19. These included:

  • Outages for widely used cloud services, including Microsoft, Google and Facebook

  • Trusted access was used to gain access to systems such as SolarWinds and Kaseya.

There was also a step-change in critical infrastructure attacks; previously, intruders had been discovered but attacks had not been as impactful as they were in 2021. Two significant events included:

  • The Colonial Pipeline in the US having to be shut down, causing fuel supply concerns

  • A dangerous level of sodium hydroxide being added to the Florida water system; fortunately this was reversed before damage occurred.

The insurers CNA and AXA were also targeted by ransomware, possibly because of their public statements about their strategy towards ransomware payments.

It is important to note that a wide range of policies could have been impacted by more severe versions of the attacks seen in 2021. These include life policies, as well as business interruption covering the potential impacts of critical infrastructure attacks.

Use vendor models with caution

The limited level of data and the need to extrapolate to adverse events results in significant differences in the modelling done by model vendors. Figure 1 shows that results for two models are similar whether looking at catastrophe losses only, or at catastrophe and attritional losses. Model vendor 3 shows a significantly greater impact from attritional losses at more remote outcomes. As a result, it is important to engage with the chosen model vendor to understand what they expect to be driving the risk, and use this to inform your selections.

The types of scenarios captured by vendor models vary significantly, and it takes effort to understand the limitations and how they impact your organisation. As a result, more work is required to understand vendors’ cyber models than natural catastrophe risk models, in order to use them for capital modelling. In addition, the impact of cyber risk on other risk areas, such as operational risk, reinsurer counterparty and market risk, needs to be considered. At the tail, it is possible that the correlation between them starts to increase.

Insurers will need to find a pragmatic way to incorporate vendor model estimates into their capital models to ensure they are adequately allocating capital for the risk. The changing threat and risk landscape presents new challenges for capital modelling, as the risk could dramatically change from year to year depending on external factors. As such, insurers need to clearly assess their comfort in the capital estimated for writing cyber and correlations with their traditional portfolio.

“Collaboration with cybersecurity experts is crucial to bridge knowledge gaps so that the risk is understood as it evolves”

A multidisciplinary approach

Cyber risk impacts an insurer in too many ways for a small team to fully grasp. The specialist disciplines within an insurer, tackling different areas of cyber risk, must bring their perspectives together and form a more complete understanding.

Many insurers have set up cyber ‘centres of excellence’ and use these to ensure that there is collaboration between different areas of expertise. The performance of these centres will be key in managing the long-term performance and resilience against adverse events.

Cyber risk is clearly a discipline where actuaries cannot work independently from cybersecurity experts. Collaboration is crucial to bridge knowledge gaps so that the risk is understood as it evolves. Actuaries can work more dynamically on cyber risk as it evolves to give comfort and confidence to underwriters, boards and regulators.

The insurance ‘cake’ is at risk of being eaten by customers

Some insureds are reacting to price increases and limited capacity by increasing the sophistication of their cyber risk assessment. This improves the rationalisation of their IT spend versus their insurance budget. One improvement is in the modelling of ‘what if?’ scenarios to better understand and quantify the impact of events, with the most sophisticated corporates using vendor models such as those used by insurers.

Insurers that can find ways to recognise the significant effort made by some customers, and better differentiate against those of limited maturity, will cherry-pick quality insureds and reduce their flight from insurance.

Visesh Gosrani is head of actuarial at the Medical Protection Society and chair of the IFoA Cyber Risk Working Party

Simon Cartagena is deputy CRO at SCOR UK and Channel

Justyna Pikinska is head of analytics at Gallagher Re

This article appeared in our March 2022 issue of The Actuary.
© 2023 The Actuary. The Actuary is published on behalf of the Institute and Faculty of Actuaries by Redactive Publishing Limited. All rights reserved. Reproduction of any part is not allowed without written permission.
