The insurance and reinsurance industry loss from the Petya / NotPetya cyber attack is escalating far beyond the level initially assumed possible, thanks to silent cyber exposure, demonstrating there is a need for a cyber dead cat trading market, according to Tom Johansmeyer, Co-Head, PCS Strategy & Development at ISO.
Silent Cyber Just Happened: Here’s How To Trade out of It
While everyone in the market has been talking about the ‘silent cyber’ threat, it finally happened. And it was big.
Petya/NotPetya appears to be the first cyber event that could qualify as a true cyber catastrophe. It was caused by a cyber attack, had significant insured losses, and affected many insurers and insureds.
While ‘cyber cat’ definitions across the industry vary, Petya/NotPetya probably qualifies under just about all of them.
Petya/NotPetya is interesting for several reasons. It’s the first big one, of course, and the insured losses are both high and unexpected. Who expected an exploit on Ukrainian accounting software to be capable of so much mayhem? Of course, the novelty around those will fade, but there’s one reason the market should take interest in Petya/NotPetya and study it for years to come. The silent cyber losses are big and developing rapidly and substantially, even if the overall cat loss itself is fairly low.
PCS’s informal estimate for Petya/NotPetya’s insured loss currently stands at around US$2.7 billion, moving upward recently because of development in one of the larger underlying accounts. While this is massive for global cyber, it’s a drop in the bucket for the property-catastrophe sector.
Property catastrophes routinely exceed US$1 billion—PCS® has designated 57 of them in the United States and Canada since the beginning of 2008. As a result, we may not have experienced the full weight of cyber cat’s potential yet, but we’re certainly watching the ‘hailstorm’ version of it in real time. And let’s not forget the attritional impact of hail!
What makes Petya/NotPetya particularly worrisome is the component of the insured loss composed of silent cyber.
PCS estimates that just over US$300 million is attributable to affirmative cyber. The rest is effectively cyber risk that insurers and reinsurers may not have been prepared to assume—or weren’t aware they were assuming! Of the silent losses, four have developed to at least US$100 million, with one, so far, well over US$1 billion. The individual losses may have more impact than the aggregate in this case, since the industry likely didn’t see them coming.
So, where does that leave the global reinsurance industry?
It’s staring down an industry cyber cat loss that could move up to US$3 billion or beyond. Individual silent cyber risk losses are troublesome, with one in particular that could account for more than two-thirds of the events. What the industry needs now are alternatives. What can you do when facing a large and truly unexpected property loss from a cyber cat?
Well, this is where the property-catastrophe market can be instructive—particularly in the wake of Hurricanes Harvey, Irma, and Maria. As losses from major events go through the settlement (and PCS development process), ‘dead cat’ trading isn’t unusual. Parties assume and lay off risk using the final PCS loss estimate as the trigger in those industry loss warranties (ILWs). It’s an opportunity to mitigate losses from a catastrophe. And as this trading is going on for the hurricanes of 2017, it may make sense to contemplate a similar strategy for Petya/NotPetya—and future cyber cats.
Silent cyber is a natural fit for dead cat trading, based on what we’ve seen with Petya/NotPetya and assumptions about loss development. Although the loss history for silent cyber is a bit thin, it seems reasonable to believe—along with the prevailing assumption—that we’re in for long development periods with this risk. Longer development periods and uncertainty about outcomes (given the risk of litigation and how new the cyber threat is) translate to the potential for development volatility as well. This means that post-event risk and capital management could become crucial.
Silent cyber dead cat trading would allow insurers and reinsurers to take more control of their risk. Based on their analysis of individual losses and market conditions, cedants could shed risk through dead cyber cat ILW trades, as long as there’s another side to the trade that sees potential for loss development to be constrained.
For dead cyber cat trading to become a reality, the market has two specific needs. First, it has to become more comfortable with silent cyber risk. While the sector is still in its infancy, conversations I’ve had around the market suggest that comfort with silent cyber is beginning to grow (albeit slowly). This will continue over time, which should contribute to a robust dead cyber cat market in the future. Additionally, the market will need an independent cyber cat loss index that covers both affirmative and silent cyber. The PCS team is currently in the later stages of developing that index. We’re working with clients to bring it to conclusion (and we’re open to more discussions on this).
For the time being, affirmative cyber ILWs are fairly easy to navigate, particularly given the low limits in the market relative to economic losses. And the range of other options available is broader, given how small the space is. Silent cyber, on the other hand, is a much larger threat, and we can expect a longer loss development period that could take some unexpected turns. Dead cyber cat trading is exactly what the market needs to help absorb silent cyber risk and make it easier to manage on an ongoing basis.
Author – Tom Johansmeyer:
Tom Johansmeyer is Co-Head, PCS Strategy and Development, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He leads all client- and market-facing activities at PCS, including new market entry, new solution development, and reinsurance/ILS activity. Previously, Tom held insurance industry roles at Guy Carpenter and Deloitte. He’s a veteran of the U.S. Army, where he proudly pushed paper in a personnel position in the late 1990s.
This article was contributed by a sponsor.
Register today for ILS Asia 2023, our next insurance-linked securities (ILS) market conference. Held in Singapore, July 13th, 2023.
Get a ticket soon to ensure you can attend. Secure your place at the event here!