Capital One cyber attack designated as PCS Global Cyber loss event

The recent Capital One cyber hack attack and resulting significant data breach could lead to a significant cyber insurance and possibly reinsurance market loss, leading Property Claim Services (PCS) to designate the event.

Our sister publication Reinsurance News explained over a week ago that U.S. and global banking and personal finance group Capital One had reported a hacking of its systems and the loss of data for more than 100 million of its applicants and customers.

Capital One revealed one of the largest ever losses of customer data in the financial world on July 29th, saying that an individual accessed its IT systems and as a result it lost some personal data associated with 106 million applicants or customers, 100 million in the United States and 6 million in Canada.

With an insurance tower providing roughly $400 million of cyber insurance coverage, the re/insurance market has been closely watching the fall-out of this hacking and data breach, in case it turns into a major cyber market loss.

Data lost included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, as well as portions of credit card customer data including, credit scores, credit limits, balances, payment history, contact information, as well as fragments of transaction data covering 23 days during 2016, 2017 and 2018.

In addition 140,000 Social Security numbers of Capital One credit card customers were also accessed during the hacking and data breach, along with around 80,000 linked bank account numbers of secured credit card customers, plus in Canada roughly 1 million Social Insurance Numbers were also accessed in the hack and resulting data breach.

Capital One originally said that the data breach may result in incremental costs of approximately $100 to $150 million in 2019, which the $400 million cyber insurance tower would be expected to cover at least some of. The cyber cover is subject to a $10 million deductible and also standard market exclusions.

At the time of the initial article, Tom Johansmeyer, Co-Head of Property Claim Services (PCS), told Reinsurance News that his team were watching the event closely and if it looked like the cyber insurance market loss would rise above $20 million it would be designated and reported on.

Now, PCS has officially designated the Capital One data breach as a Global Cyber industry loss of interest, meaning it will now monitor the cyber loss event and provide reporting on the industry exposure in due course.

As a designated PCS Global Cyber event, the company will now monitor the Capital One cyber loss and eventually collect insured claims data on it, providing that back to its subscribers.

This also meaning the reinsurance and ILS market can use the resulting industry loss estimate as an input to any cyber industry loss warrants (ILW’s) or other industry loss triggered risk transfer instruments, of which we understand there to be a small number in existence.

The Capital One data breach and hacking already has the potential to be one of, if not the largest cyber insurance market loss in history, should the firm eat significantly into its $400 million cyber insurance tower.

AIG is the cyber insurance policy’s lead underwriter, while also exposed are said to be insurance and reinsurance players AXIS, Berkshire Hathaway, Chubb, CNA, Nationwide, and Sompo International.

But, as also reported by our sister publication, the alleged hacker behind the Capital One data breach is also thought to have hit other major companies, which if that transpires has the potential to turn this into the largest cyber loss event the insurance industry has ever seen.

In designating the event under the PCS Global Cyber product, its severity has been confirmed and now it will be a waiting game until actual losses are reported, while the industry tries to understand whether the exposure will be contained within the cyber tower, or whether there is any chance of it moving beyond that, as has been seen with some other cyber market losses.

Right now, it looks as if it will be contained, unless it proves accurate that the hacker behind the Capital One breach has hit other firms that also make cyber insurance claims.

It’s impossible at this stage to know whether any reinsurance capital could be affected from this event, but given the $400 million size of the tower some losses might be expected to fall to reinsurers should that tower be eroded significantly.

Speaking to Reinsurance News and Artemis, Johansmeyer of PCS commented, “We’re monitoring the event for cyber catastrophe implications, but this sort of development can take a long time.

“LockerGoga is a recent example of this. Even when companies are affected, it can take time for them to decide whether to claim and against which programs. While the industry tends to focus on development of the loss once the reporting starts (we see this in property catastrophes a lot), with cyber, it can take a while to see if claims will even occur.

“If there is a cat here, it’s going to take some time. For now, PCS has designated a global risk loss, and we are not jumping to conclusions about cat.”

The prospects of cyber catastrophe events also underlines the need for reinsurance capital to support the market, when the really big cyber loss events eventually hit which seems inevitable given the exposures and values-at-risk. That implies significant opportunity for the ILS market, as it develops an appetite for cyber risk as well.

“Even the possibility of a cyber cat highlights the importance of new sources of capital to supporting both the affirmative cyber sector and the risks associated with cyber ad a peril. Eventually, a series of close calls should result in an actual cyber catastrophe.

“Until that happens; we can either enjoy the relief that follows near misses or take positive action for the future,” Johansmeyer said.

Johansmeyer also noted the importance of hedging tools, believing that the cyber industry loss warranty (ILW) could be a valuable product for the re/insurance industry.

He explained, “When it comes to cyber catastrophe — my predilection for propaganda notwithstanding— there really is no substitute for the ILW right now.

“Insurers and reinsurers are struggling to understand the non-affirmative cyber risk they carry, and without that understanding, traditional risk transfer (especially quota share) just isn’t realistic. Without understanding the full scope of the underlying risk, UNL on non-affirmative cyber cat is but a blind play.

“The ILW makes sense in this case because the transfer of risk isn’t tied to a company’s own loss experience. Both cedent and market can work with an independent third party, which obviates the need for spending the time and effort (lots of both, by the way) to try to approximate the non-affirmative cyber exposure.”

It’s an interesting time in cyber risk right now and events like the Capital One data breach only serve to reinforce the fact that the capital markets seem a likely home for some cyber exposures in years to come.

How that is structured and the risk transferred remains to be seen, but ILW’s on cyber risk appear a valid tool for re/insurers looking to hedge out some of their exposure to the largest cyber catastrophe events.

Johansmeyer closed, “Ultimately, the ILW is probably the best tool right now for either hedging an I know risk or assuming the other side of that hedge. The PCS Global Cyber index has been up and serving the market for a bit already. That plus our 70-year track record of truly independent loss reporting can help cedent find almost immediate relief.”