[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

Cyber: don’t catch your tail in the door 

Insurers and reinsurers should transact in cyber risk now to gain the advantage in this class of business, says Tom Johansmeyer



Nearly every conversation I’ve had about large cyber losses has taken on a doomsday quality. There is chat about the grid going down, financial markets in disarray, total mayhem in every conceivable way. While plenty of bad stuff can happen without sending the world into crisis, it’s hard to get past the ugly with cyber. But if the cyber insurance market is going to reach its full potential, we will need to understand what ‘bad’ means, without going straight to ‘the end of the world as we know it’.

Cyber is generally assumed to be a long-tail class of business. In the case of ‘silent’ cyber, when a cyber event triggers a loss to a non-cyber programme, the potential for complexity, dispute and expense can grow the tail even more. However, counter-intuitively, large ‘affirmative’ cyber risk losses are less likely to be litigious, in the short term at least. That is because cyber insurance is woefully underpenetrated – which explains the massive growth projections predicted around the global insurance industry. For the time being, this means there should be many events for which economic losses are unprotected and some where the economic losses are far larger than the insurance protection secured.

So, thanks to the potential for outsized economic losses relative to smaller programmes, cyber is currently effectively a short-tail line – despite prevailing market views to the contrary.

Let’s take a look at two concrete examples: the recent Equifax and Southwest Airlines cyber attacks. Both are designated as PCS Global Cyber loss events from 2017, in that they exceeded the US$20m minimum threshold on affirmative cyber. With economic losses far in excess of coverage limits, Equifax was easy to understand. It was clear early on that the cyber tower (threshold) would be fully utilised. Southwest, on the other hand, is a bit more challenging. Currently, PCS Global Cyber has the industry loss below the limit available, and there is talk of further movement. 

Present and future 

Of the eight loss events in the PCS Global Cyber historical database that originated in 2014, seven are not only closed but blew through the top of the tower. While the overall economic loss situation may have been difficult to understand and estimate, the insured loss was relatively easy to ascertain. Meanwhile, the Southwest loss is indicative of future challenges because it falls below the top of the tower. As a market, we are now stuck waiting for all the difficult work to be done before we can understand the magnitude of the insured loss. 

To understand what the future holds, multiply the numbers involved in the Southwest insured loss event by 10. Think about a US$1bn loss that requires loss adjusting for an event that could reach to many hundreds of millions of dollars. That sort of future may be a few years off, but there are plenty of signs that it is coming. Already, affirmative cyber programmes placements have begun to exceed US$500m, meaning that, under current conditions, past major losses would have been far more complex to settle. 

Today’s short tail provides a learning opportunity for tomorrow’s long tail. Insurers and reinsurers can transact in cyber risk now (particularly on an industry loss warranties or ILW basis) to begin to gain practical experience in this class of business. As the tail on cyber grows, though, the door closes on the short-tail opportunity. Until that happens, reinsurers and insurance-linked securities (ILS) funds have the chance to write what’s effectively short-tail business while also buying time to better understand the underlying risk, enabling them to continue to write it as the tail gets longer. 

In the end, the industry will be able to evolve alongside the risk. As insurance penetration increases and losses become more complex, experience and data will fill the gaps to help underwriters make better decisions; from evaluating original risk to transferring what they don’t want to keep on the books. 

This is a rare dynamic: being able to trade early to understand a difficult risk later. To pass on this opportunity is to play catch-up when competitors will have already learnt the game.

Tom Johansmeyer is assistant vice-president and co-head, PCS, at Verisk Insurance Solutions