It was the impacts to pharmaceutical giant Merck as well as silent cyber exposure that drove the insurance and reinsurance industry loss from the 2017 Petya / NotPetya cyber attack, according to PCS, providing a further warning of how cyber losses can hit multiple business lines.
When we last covered the Petya / NotPetya cyber attack the industry loss was said to be around $3 billion. We now understand the industry impact is actually around 10% higher than that, somewhere just slightly below $3.3 billion.
This cyber attack event has provided a valuable lesson for insurance and reinsurance interests in how cyber risks can creep into areas of their underwriting portfolios that were not expected.
In the case of Petya / NotPetya, PCS now believes that around 90% of the total industry loss from the Petya related cyber attacks will be attributed to silent cyber exposure, with the rest down to affirmative cyber coverage.
In the case of pharmaceutical giant Merck, which was the hardest hit corporation when the Petya / NotPetya malware spread in June 2017, the firm has been the source of roughly $2 billion of the total impact to re/insurers, $1.75 billion of which is silent exposure and expected to rise further, while $250 million was from the firm's affirmative cyber insurance policy that paid out.
On top of the huge Merck related exposure that the insurance and reinsurance industry has to Petya / NotPetya, PCS said that there were three other major risk losses of over $100 million each, that totaled around $1 billion together.
Other smaller losses combine to take the total nearer to the $3.3 billion we understand.
But even these smaller losses begin to show more clearly how cyber loss events can impact multiple lines of business, and it’s not just the property insurance related business interruption, which has driven most of the Merck silent cyber loss, either.
In fact, PCS said that it has seen some losses creeping into other lines of business, including small losses through errors & omissions (E&O) and also kidnap and ransom (K&R) policies.
But it is property insurance policy business interruption that has driven the majority of the Petya / NotPetya industry loss it seems, which further highlights the fact that some ILS strategies will have exposure to silent cyber risks, if they happen to be providing reinsurance capital to back affected programs.
In that scenario it was a major dam attack and the potential for losses to fall to flood coverages, resulting in exposure for ILS markets.
But we’re aware that a number of ILS markets are providing backing for broader primary property coverage, which suggests that were a major cyber loss event to trigger numerous major corporate property programs, through business interruption clauses, an element of the loss would now likely be picked up by the capital markets.
If nothing else, a major cyber loss event that resulted in a significant silent cyber property insurance market loss would also hit the capital markets through quota shares and sidecar vehicles as well, we’d imagine.
The Petya / NotPetya cyber attack therefore should provide a warning to the market on how cyber losses can emanate outwards from the affirmative coverage that should capture them, into much broader re/insurance market exposure and the potential for ILS loss.