Cyber losses could be as large as major natural catastrophe events, with worst case scenarios showing economic impacts as high as $120 billion or greater, while the aggregation risk is likened to that seen from catastrophes making reinsurance solutions and ILS ever more relevant.
A new report from Lloyd’s of London and cyber specialist Cyence shows that multi-billion dollar cyber loss events are possible and that a huge gap would be left uninsured. The report also describes cyber loss aggregation as a key risk, showing that reinsurance capital is clearly required and re/insurers could benefit from thinking about cyber as they would large catastrophe exposures.
One scenario used in the report shows that a major global cyber-attack could result in $53 billion of economic losses, roughly equivalent to a major natural disaster like 2012’s Superstorm Sandy.
Two main scenarios are used as examples in the report, a hack attack of a cloud service provider that results in estimated economic losses of $53 billion, and computer operating system attacks that impact a large number of businesses around the world that could cause losses of $28.7 billion.
But the majority of these modelled cyber losses would be uninsured currently, demonstrating the job that insurance and reinsurance players have to do in order to cover the risk more effectively, as well as the potential for the capital markets to play a key role in support.
Inga Beale, the CEO of Lloyd’s, commented on the release of the report, saying; “This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.
“We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”
The insurance-linked securities (ILS) and catastrophe bond market was created to support the re/insurance industries need for risk capital and risk transfer to help it better manage natural catastrophe exposures. Given the potential size of these cyber loss scenarios it seems likely that ILS and the capital markets will have a role to play as this segment matures.
The first and larger loss scenario, of a cloud service cyber attack, results in expected economic losses of between $4.6 billion to $53 billion for a really extreme event, but with the expected insured loss likely much lower at just $8.1 billion for the more extreme end of the scenario.
However, this is only the average modelled loss derived from the scenario. Due to the uncertainty surrounding the aggregation of cyber losses the report shows that the economic loss could actually be as $121 billion, or as low as $15 billion, which clearly demonstrates the catastrophic potential of a major cyber loss.
So as much as $45 billion of the cloud services loss scenario could be uninsured, so only 17% of the economic losses would actually be covered by insurance. The other scenario, while a lower economic loss, could be even less insured, with $26 billion uninsured for the mass vulnerability scenario or just 7% of the economic losses covered.
The report suggests that as cyber loss events could be as large as major natural catastrophes, with all the issues of aggregation and liability that we see from an event such as a hurricane, the cyber underwriting process needs to take this into account and reinsurance needs to be used to minimise exposures.
“Insurers could benefit from thinking about cyber cover in these terms and make explicit allowance for aggregating cyber-related catastrophes,” the report explains.
Going on to say; “For the insurance industry to capitalise on the growing cyber market insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage.”
This is precisely the kind of issues that pushed the traditional re/insurance market to look to the capital markets in the first place, when the very first catastrophe bonds were issued. It was to cover the kind of events that would make a massive dent in the traditional market’s balance-sheet, which a cyber catastrophe sized event would certainly do.
Trevor Maynard, Head of Innovation at Lloyd’s, explained; “This report’s findings suggest economic losses from cyber events have the potential to be as large as those caused by major hurricanes. Insurers could benefit from thinking about cyber cover in these terms and make explicit allowance for aggregating cyber-related catastrophes. To achieve this, data collection and quality is important, especially as cyber risks are constantly changing.”
Business interruption is another factor to consider, as the cascading effect of cyber losses due to business interruption and contingent business interruption could be enormous, likely what would take a loss to the 95th percentile $121 billion level.
Additionally, critical infrastructure level cyber attacks could result in enormous financial impacts, which again would be significantly underinsured right now but in years to come will require a major effort from traditional re/insurers and the capital markets to both structure the necessary products and provider the risk capital to cover them.
Cyber risks have the potential to cause really enormous losses, on both an economic and insured basis. This it the kind of peak risk that the capital markets and insurance-linked securities (ILS) thrive on, we just need to develop the mechanisms and understanding required to enable the risk transfer to flow.
Parametric triggers for cyber risk are often discussed and being a line of business awash in data and inputs it is possible that this could address some of the cascading and interruption loss issues, and could become an area the capital markets shows an appetite for.
But underlying all of this is a need for better data to support better pricing and for re/insurers to cost this risk accurately so as to build up premium to a level where support from the capital markets is required.
Right now, many cyber insurance policies are insufficient in their coverage, do not address the really major cyber risks that are faced by society and so the sector is not taking advantage of the opportunity or narrowing the gap. All of this needs to happen, with efficient reinsurance capital a likely source of support.
In the end it is likely that re/insurers will look to ILS and the capital markets to support capacity needs for cyber risk underwriting. It’s hard to see the traditional market addressing this exposure on its own.
But it’s also a significant opportunity for traditional players right now.
Could cyber be the risk that enables the re/insurance market to put its excess capital to work profitably, while also working more closely and in synergy with the capital markets on solutions that allow both traditional and alternative capacity to profit?