The WannaCry cyber attack, also called WCry or Wanna Decryptor, that hit targets in at least 150 countries across the globe in the last week is an example of the kind of wide-ranging cyber risk exposure that the capital markets and risk transfer instruments in the insurance-linked securities (ILS) space could be a natural fit for, according to Sciemus.
The insurance, reinsurance and capital market underwriting and cyber focused data and analytics company Sciemus Cyber spoke with Artemis about the impact of WannaCry and what it means for insurance, reinsurance and risk transfer markets.
Sciemus, with its unique perspective on cyber risks, believes that WannaCry demonstrates the need for a holistic view of cyber exposures, with greater alignment between business risk and core processes necessary.
The firm also believes that pools of efficient reinsurance capital are the likely home of peak cyber exposures, for events such as these, saying that “non-traditional capital markets and ILS provides a more natural fit for such dynamic and wide-reaching exposures.”
The WannaCry ransomware hit targets in over 150 countries around the globe, which means it is likely the most widespread reported cyber attack in history and raises questions about the ability of insurance and reinsurance markets to cover systemic cyber risks of this type, as well as questions about the re/insurance and risk modelling sector’s approach to understanding cyber exposures.
Sciemus views a cyber event like WannaCry as having the potential to cause meaningful losses to insurance and reinsurance markets in the future. As cyber insurance coverage expands and the market grows, an event such as this could see escalating losses due to interconnections and its ability to self-propagate, causing significant business interruption losses, as well as brand reputation and remediation costs.
It is the unknown scale of the future cyber loss and the uncertainty in how it could manifest and spread, that means risks could become systemic losses, with business interruption likely to escalate as an attack propagates and the potential for cascading losses due to property damages from such cyber attacks also apparent.
A truly systemic cyber attack would have the potential to impact many lines of business and cross classes of insurance and reinsurance, Sciemus’ experts believe, something which has not always been fully considered in underwriting and modelling of cyber risk.
Sciemus explained further on business interruption; “Some of the commentary from insurance carriers and brokers this week has been focused on the implications for traditional cyber insurance policies; largely, that response has been confined to the infinitesimal potential for accumulated ransomware and extortion expenses. However, that ignores the wider implications of the accumulation of “silent” cyber exposures; in this case, the potential for business interruption losses under non-cyber policies caused by the WannaCry worm.”
In fact the business interruption aspect of the WannaCry attack, which has yet to be calculated, could have been much worse, Sciemus feels; “Although the localisation of the threat vector meant that Russia and China at this point in time are more heavily affected than US and European assets and a huge business interruption event averted, this was just a matter of geography.”
The inclusion of cyber coverage within property insurance covers is also a concern, with the potential for some losses to manifest there, according to Sciemus.
“Will property programs respond to the business interruption outage generated by WannaCry for Nissan, Telefonica, Renault, Nissan and FedEx? How will those same programs respond to the business interruption caused by the preventative action by those companies in switching off all systems – both enterprise and industrial systems? Will those same policies respond when attribution at this stage is still unclear, especially when the application of War and Terrorism exclusions is so inconsistent along the insurance spectrum,” the company explained to Artemis.
On the casualty side of the insurance and reinsurance market, Sciemus warns that underwriters may be exposed there as well; “In terms of general liability, there is the bodily injury aspect of exposure that remains silent within medical professional liability programs. Just today, Siemens put out a CERT advisory on medical devices; for the non-medical professional, these are CAT scan machines that use SMB1 with the same Windows XP vulnerabilities exploited by WannaCry. Though we understand no personal injury has been reported in the US as a result of hospital outages, if there were, then liability and regulatory claims will ensue.”
WannaCry could also raise alarm bells in insurance and reinsurance markets where so-called “silent cyber” exposures are included within all-risks policies, and the non-targeted nature of the attack could “create concerns around accumulation” Sciemus believes.
While losses are currently not seen as particularly large, what Sciemus’ insight reveals is that as the cyber underwriting market grows the potential for an event like WannaCry to cause a really major industry loss will escalate rapidly, if the market does not approach this risk with discipline and a robust methodology.
As our sister site Reinsurance News wrote yesterday, “Essentially, WannnaCry forces a new look at cyber and a fresh approach is required. In the context of this type of attack; underwriters cannot rely on catch-all exclusions, including cyber for free in property covers is downright dangerous to underwriters businesses and real expertise is required to understand the method, meaning and mode of cyber attack.”
Sciemus believes that the re/insurance market is not moving fast enough to address the potential for cross-class losses from major cyber attacks.
“Despite these converged exposures, capital and insurance products are not converging at the same pace as risk is converging; in this case, between standalone cyber, general liability and property,” Sciemus explained.
“These are all deeper issues yet to be tackled by the (re)insurance industry, but a more modelled approach to risk, pricing and accumulation can provide more holistic treatment of all of these converged exposures under a more flexible insurance construct, be it bonds or other risk transfer instruments,” Sciemus continued. “This would also provide a natural firebreak to the type of unchecked cyber aggregation which regulators and capital markets are increasingly concerned about.”
Sciemus concludes that the ILS sector has an opportunity to assist with covering these risks, saying; “In that regard, non-traditional capital markets and ILS provides a more natural fit for such dynamic and wide-reaching exposures.”
The potential for natural catastrophe losses to be so large they damaged the insurance and reinsurance industry’s balance-sheet is a key reason that catastrophe bonds and insurance-linked securities (ILS) were designed.
The capital markets were seen as the deepest and most liquid pool of capacity available, with investors willing to accept risk in exchange for a reasonable level of return and financial instruments such as securities seen as the bridge or mechanism to transfer the risks in a form investors would like.
This discussion of peak catastrophe risk transfer and the depth of the capital markets from back in the 1990’s is particularly reminiscent of the discussions regarding cyber risks of the silent, propagating and systemic variety today.
There are risks which are just too large for the traditional re/insurance market to bear on its own and when the capital market is actively looking for new insurance-linked risk investment opportunities, it would be foolish not to consider the potential for ILS and collateralized reinsurance players to take on elements of the industry’s cyber exposures.
It’s the nature of how cyber attacks such as WannaCry can spread that could turn an attack systemic or system wide, and here the capital markets and ILS funds have an opportunity to become partners in back stopping these risks.
There is also a case for the parametric trigger in cyber risks, with such complex exposures that could take a significant time to fully manifest and actually cause a dollar loss to a customer it may be easier to structure hedges or reinsurance transactions based on parameters that are detectable or measurable and could pay out much more rapidly.
The same cautionary words, about needing to take a holistic view of cyber exposures, apply to the ILS sector, as it begins to explore the cyber risk space.
We understand that at least one cyber ILS transaction has been completed in the last year, likely a collateralized reinsurance contract for an ILS fund, and many more are expected as the data, analytics, risk modelling and underwriting for these complex risks gets up to speed.
Join Artemis in Singapore on July 13th 2017 for ILS Asia, tickets on sale here