Jon Laux, VP of Analytics and Rebecca Bole, Head of Industry Engagement
Cyber is one of the most significant risks facing enterprises in the 21st Century - it is the number one risk for most enterprises today and that risk is ever-increasing. In the decade ahead, we will continue to connect the internet to our homes, offices, manufacturing facilities and cities, with existential risks to businesses and the global economy. That also creates a business opportunity for insurers which is becoming too big to ignore.
As the (re)insurance market creates and modifies products to cover those risks, it is maturing greatly in its approach to underwriting and risk management. However, the catastrophic insurance potential of cyber risk is yet to be fully realized.
CyberCube has conducted research into key catastrophe events as part of the recent launch of Version 5 of CyberCube's Portfolio Manager (PMv5) software-as-a-service platform. Portfolio Manager is a fully probabilistic and data-driven solution modeling catastrophic cyber aggregation events.
Based on that research, we have three key learnings for executives:
- Although cyber events occur regularly, the global economy has proved relatively resilient to material widespread financial loss from attacks to date. Few security issues have become major (re)insurance losses.
- However, the counterfactuals on observed near-miss events suggest that far larger losses are quite plausible.
- As the industry develops new exclusions and widespread event language to limit catastrophe exposure, CyberCube expects carriers' capital requirements to differ significantly.
CyberCube's analysis shows that although global cyber events occur regularly, the economy has proved relatively resilient to material widespread financial loss from attacks to date. Over the past six years, CyberCube has documented over 100 global cyber aggregation events with catastrophic potential - equating to approximately one every three weeks. However, the vast majority of those have been resolved by the cybersecurity community with minimal financial loss to insurers.
Only seven of the documented CAT events, or about one per year, have become an "insurance event" resulting in at least a single-digit percentage loss of cyber insurance premium (see Exhibit 1). Furthermore, during this time period, there has been a single major event - NotPetya in 2017 - resulting in at least a double-digit percentage loss of premium.
CyberCube's model validation process examines events as they occur, for both catastrophic potential and fit against our event catalog. Factual event characteristics suggest that while many security vulnerabilities could have widespread impacts, most are resolved promptly and with minimal resulting insurance claims. This underscores the importance of understanding which data elements should be used for risk selection and portfolio modeling.
Larger losses plausible
While the 2017 NotPetya attack was memorably destructive, the overall impact on cyber insurers was limited. Could things have been worse? CyberCube notes there are credible variants of these scenarios that could occur leading to larger losses.
For example, NotPetya itself could have been considerably worse. The attack leveraged a known vulnerability in Windows operating systems as well as a supply chain exploit in the prominent Ukraine accounting software. This led to substantial losses in Ukraine as well as collateral damage to multi-national companies with operations there.
The total insurance impact of NotPetya has been estimated at $10 billion. Yet if three variables had differed, losses would have been much higher. These variables are:
- a zero-day vulnerability without a patch being used
- the intention being to cause widespread damage to Western enterprises and/or
- a more highly insured segment of the economy being targeted in the US.
There is credible reason to believe each of these three variables could be different in a future attack.
Divergent policy language impacts exposure significantly
In the event of a major cyber catastrophe, CyberCube expects different carriers to have dispersed losses as a result of increasingly divergent policy language limiting exposure to catastrophic events with widespread event language.
New language has been introduced by some carriers to limit exposure to those scenarios notably nation-state, infrastructure and vendor exclusions. Key questions the industry is asking include what role policy language can play to contain insurers' exposure to cat scenarios and what this would do to reduce capital requirements. "Widespread event" triggers are being explored such as sublimits versus exclusions.
Insurers are considering whether to focus on key scenarios or individual Single Points of Failure (SPoFs) - a provider which may disrupt large swaths of companies that rely on them for their business operations if they experience an outage. They are also more broadly weighing the tradeoffs of such triggers between tail reduction and Average Annual Loss (AAL) reduction.
Reflecting these developments, CyberCube has introduced widespread event modeling capabilities to PMv5 to differentiate between portfolios with such policy language, which have material differences to insurers and major impacts on those writing excess of loss (XoL) reinsurance.
CyberCube expects results will vary greatly depending on the approach adopted. Some approaches could yield modest benefits while others could have a more significant result. To illustrate this, an analysis of the CyberCube US Industry Exposure Database indicates that the 1-in-100 year US cyber insurance industry loss could be reduced by between 55-65% with the implementation of the most stringent widespread event language (see Exhibit 2). CyberCube launched the industry's first detailed cyber Exposure Databases in October 2022 to enable (re)insurers and brokers to perform a wide array of benchmarking, sensitivity, and real-time analyses for cyber risks.
Given cyber gross written premium (GWP) is expected to triple in the coming years, the amount of capital needed to support cyber insurance will in part be determined by the prevalence of widespread event limitations and other exclusions.
The insurance industry will need to balance the benefits of more restrictive policy language with the market risks brought on by the real impacts of any specific coverage restrictions. Also critical is the need to understand any resulting changes to their capital requirements, and, if necessary, consider the availability of alternative risk capital. Other considerations will include whether government partnerships provide cover for extreme cyber tail risk. Ultimately, analytics are essential as insurers evaluate how much tail risk to cover.
CyberCube's industry-leading cyber catastrophe model, alongside our broader suite of analytics products and consulting services offering, stands ready to partner with insurance institutions to develop their view of risk and partner to profitably grow in the increasingly important cyber insurance market.
CyberCube has invested over $100 million into our cyber risk analytics platform since it launched in January 2018, with a focus on modeling cyber catastrophes for the insurance industry. CyberCube's catastrophe modeling is used to understand the impact of cyber risk accumulation scenarios by over two-thirds of the global cyber insurance market by GWP.
Find out more about CyberCube here.
CyberCube's report "Cyber Attack Event Analysis - Reflecting trends in CyberCube's Portfolio Manager Version 5" is available here.