Swiss Re Insurance-Linked Fund Management

Xactanalysis Insights and PCS

Market unprepared for ‘silent’ cyber loss aggregation: Welsh, Sciemus


Insurance and reinsurance companies are in the main, not sufficiently equipped to underwrite and model cyber exposure and lack the required capacity to address the rising threat of an aggregation of losses from ‘silent’ cyber attacks, according to Rick Welsh of Sciemus.

Insurtech image from Insurance.meWelsh says that the uncertainty surrounding so-called silent cyber exposures suggests that steps must be taken to deepen the market’s technical understanding of the potential exposures

‘Silent’ cyber attacks were discussed recently by the Bank of England’s Prudential Regulation Authority (PRA) in a consultation paper and, in response to the paper and to provide some insight into the expanding world of cyber risks, Welsh, Chief Executive Officer (CEO) of Sciemus, spoke with Artemis.

‘Silent’ cyber risks, which can be thought of as catastrophic losses from cyber-attacks on policies that don’t actually state whether cyber-attack is covered or excluded, is an area that needs urgent attention and has the potential to be seriously deleterious to re/insurance capital. An important issue raised by the PRA is the distinction between silent cyber issues and non-fortuitous cyber risk and whether cyber risk is being improperly conflated with broad operational risk.

“Our belief is that unless steps are made to employ the requisite expertise and modelling techniques that ‘silent’ cyber exposure presents a significant risk for financial contagion, particularly with the confluence of indeterminate operational risk within open-ended reinsurance structures such as stop loss reinsurance,” said Welsh.

For insurers, reinsurers, and increasingly insurance-linked securities (ILS) players, as the space expands its remit, ‘silent’ cyber exposures are on the rise, as the increasing interconnectedness of the world, and the transition to a truly digital world dials up the potential for cyber-attacks to be far reaching and damaging to all industries, both directly and indirectly.

Furthermore, the inclusion of cyber cover in property and casualty policies that is not understood, or in some cases the reinsurer may be unaware of the inclusion of cyber all together, can leave re/insurance capital dangerously overexposed to an accumulation of cyber risks.

“This concentration of risk is pooled within the reinsurance market (as illustrated by the prevalence of stop loss covers above traditional treaties), together with traditional non-cyber towers of property and casualty ingesting cyber risk that is little understood,” explained Welsh, highlighting that cyber risk can be written by property insurers within energy and property all risk programs, and aviation insurers can also write unintended cyber exposure.

“Cyber-risk aggregation will not manifest itself, and therefore be able to be modeled, as well as the underlying, original property or aviation risk,” Welsh told Artemis.

In situations where traditional insurance (i.e. non-cyber) assumes ‘silent’ cyber exposures either willingly or otherwise, Welsh explained that technical pricing, rate adequacy, and therefore capital adequacy, is insufficient.

For the most part, Welsh stressed that cyber security expertise in underwriting or with the modeling of cyber exposures is limited and scarcely deployed, something that needs to be improved if the risk transfer world is serious about addressing one of the most continually evolving yet ill-understood exposures in the world today.

“The key to modeling in cyber is designing a clear, scientific approach to event modeling in conjunction with the cyber security community. Aggregation modeling is only part of the solution and cannot be agnostic of the underlying event causation; in the main, the reinsurance market’s existing concept of causation that underpins property aggregation does not hold with cyber,” said Welsh.

By their very nature cyber attacks are extremely complex and until advanced modeling techniques are developed and the risks are better understood the insurance, reinsurance, and ILS space could struggle to adequately and effectively provide solutions.

Affirmative and ‘silent’ cyber threats appear to be expanding all the time, and with policies continuing to include cyber risks when it’s understanding is limited, companies are in real danger of being overexposed to an aggregation of cyber losses that they might well be completely unaware they were exposed to in the first place.

As technology advances this will also increase the potential of cyber attacks in the majority of business lines, but at the same time should provide the industry and catastrophe risk modelers with more ability to develop the right solutions, ultimately mitigating the cyber threat, and expanding distribution of risk in this area.

Join Artemis in New York on February 3rd 2017 for ILS NYC
Artemis ILS NYC 2017

Register today for ILS NYC 2023, our next insurance-linked securities (ILS) market conference. Held in New York City, February 10th, 2023.

Artemis London 2022 - Insurance-linked securities conference in London

Get a ticket soon to ensure you can attend. Secure your place at the event here!

Print Friendly, PDF & Email

Artemis Newsletters and Email Alerts

Receive a regular weekly email newsletter update containing all the top news stories, deals and event information

  • This field is for validation purposes and should be left unchanged.

Receive alert notifications by email for every article from Artemis as it gets published.