Although cyber insurance is seen as one of the biggest opportunities in insurance and reinsurance right now, the risks to insurers and insureds could be equally large. One significant threat is ‘cyber risk aggregation’.
What is ‘cyber risk aggregation’?
Risk aggregation in the insurance industry refers to multiple claims being generated by the same or a related event (such as the large number of claims that might follow a natural disaster). In the same way, ‘cyber risk aggregation’ involves the possibility of a large number of claims being made simultaneously in response to a single cyber-attack.
For insurers, it is important to understand the aggregation of risks in order to appreciate and limit potential exposure.
Why is it important to be aware of cyber risk aggregation?
The cyber insurance industry is experiencing significant growth on the back of companies demanding cover in response to high profile incidents such as the WannaCry attack which struck over 300,000 computers in more than 150 countries in early 2017. The estimated economic loss from WannaCry has been found to be as much as US$8 billion. These costs can include paying ransoms, business interruption due to system downtime, and losses associated with damaged or destroyed data.
What makes aggregation risk such a confronting issue in the cyber space is the uniqueness of the risk. For example, consider the follow features of cyber risk:
- Geographic limits – Cyber risk is completely non-geographic. Unlike natural disasters or even pandemic risks, there’s no way to know when and where a cyber-attack will occur and what the geographic spread will be.
- Indiscriminate threat – A cyber-attack could target all users of a specific operating system, or it could attack a single company and all of its offices across the world.
- What’s the damage? – The damage flowing from an attack is difficult to quantify given the distinction between technical and business impacts.
- Reporting lag – It may take months or years to discover a cyber-attack.
- Changing threat – The motivation of attackers and the nature of cyber-attacks is constantly evolving.
These underlying characteristics make insurers’ task of trying to estimate their exposure to aggregation risk particularly challenging. And, unlike other lines of insurance, cyber insurers cannot rely on years of historical data to hedge risk.
Given the meteoric rise in the take-up of cyber insurance, there is a further concern in the industry that insurers may have rushed in to meet the demand without a firm grasp of prospective risk aggregation. With the inception of every additional policy, the problem of cyber risk aggregation continues to grow. According to Munich Re, the global cyber insurance market grew to about US$3.4 billion in premiums in 2016/17 and it is estimated that premiums could rise to between US$8.5-10 billion by 2020.
To illustrate the magnitude of the risks this growth presents, a recent joint report by Lloyd’s of London and cyber risk analytics firm, Cyence, found that a hypothetical catastrophic cyber-attack targeted against a cloud service provider could result in losses of US$53 billion in just 2-3 days. In the most extreme situations, it was estimated that an attack could cost US$121 billion, greater than the total losses from catastrophic natural disasters such as Hurricanes Katrina and Sandy.
What can/should be done?
As illustrated above, one successful attack on a system such as a cloud server could cause losses to hundreds of thousands of parties who hold their data within the cloud, putting insurers at risk for huge claims. The problem for the underwriting community is gathering the data to map aggregation.
In response to this problem, those insuring cyber risk should consider:
- Adopting new technology –use AI and data analysis to interrogate clients’ policies, to map out and plot geographic aggregation, system aggregation, cloud service provider dependence and any other common target points;
- Tailoring policies for individual insureds – policies that are not expressly intended to cover cyber risks (e.g. financial crime or property damage policies) should contain exclusions to ensure that losses arising from cyber incidents are not inadvertently covered;
- Protecting themselves – seek reinsurance cover; and
- Work with insureds – identify areas of an insured’s business that are particularly vulnerable to cyber breaches and help with addressing the vulnerability.
While the data on cyber risk has been relatively limited so far, we expect that will change as the market experiences an increasing number of claims over the next few years. We will continue to monitor the claims landscape and provide updates as new information becomes available.