Silent cyber exposures in the United States property insurance market are accumulating to such a degree that a new report suggests a $12.5 billion industry loss from non-physical damage could flow to property carriers, should a major event occur.
Silent or hidden cyber risk is one of the fears of property insurance and reinsurance underwriters, as this exposure aggregates in commercial lines of business and is often going unmeasured.
A new report suggests that while current levels of cyber exposure within US commercial property insurance remain manageable, this exposure could have a ratings impacts for some of the most exposed carriers.
In fact, the study behind the report, from modeller CyberCube, rating agency AM Best and insurance and reinsurance broking giant Aon, concludes that sufficient cyber risk is accumulating in the US property insurance market to trigger a one-in-100-year loss of $12.5 billion.
At that quantum of loss, AM Best’s analysis suggests that it could cause the Best’s Capital Adequacy Ratio (BCAR) for 18 US property carriers to be downgraded.
CyberCube analysed a sample portfolio based on the US small business property insurance industry and stressing it under certain modeled cyber loss scenarios, quantifying the potential for non-physical damage losses.
AM Best then used this analysis to assess the impact on the balance sheets of 579 US property insurers, while Aon helped in quantifying the risks and exposures written back into property policies and also highlighting best practices for managing these risks.
The analysis suggests that of the 579 property insurers analysed, 12 carriers saw their BCAR drop one level, four dropped two levels, and two insurers each fell three levels and four levels respectively.
While BCAR is not everything, as factors such as reinsurance, diversification, and liquidity are also considered in evaluating balance sheet strength, a significant deterioration in the BCAR assessment can lead to a downgrade of an insurer’s financial strength rating.
With cyber exposure expected to continue expanding rapidly this suggests that the silent exposure in the US property insurance market will grow rapidly too.
This doesn’t consider the potential for silent cyber in residential property portfolios either, which is also a developing threat vector and one that could deliver silent cyber losses in years to come.
CyberCube further explained that its modeled loss figure of $12.5 billion indicates that the US property insurance market is exposed to $9.5 billion of attritional losses and $3 billion of catastrophic losses, at the 1-in-100 year return period analysed.
As a result, it is possible the market is already paying some attritional losses for non-affirmative cyber coverage, CyberCube said.
Sridhar Manyem, AM Best’s Director, Industry Research, commented, “While losses of $12.5bn are relatively low when placed in the context of natural catastrophes, considering these exposures are often unpriced or unaccounted for in enterprise risk management, the impact on carriers can be significant and more importantly, unexpected.”
Jon Laux, Aon’s Head of Cyber Analytics, also said, “As this research shows, quantification of the aggregation potential from cyber-related losses in property policies is very real. With property insurers affirming elements of cyber cover in their policies, insurers are exposed to significant losses, which are not necessarily priced accordingly. Through better information, industry participants will be able to make better decisions about placing cyber risk.”
Of course, the insurance industry has been steadily trying to exclude silent cyber out of the market, as too have global reinsurance firms and also the insurance-linked securities (ILS) market.
But the study suggests sufficient risk exists to create a potentially challenging market loss, that could flow back to reinsurance, even retrocession and also have some ILS market exposure if it occurred.
As the cyber threat landscape continues to evolve and silent exposures remain a focus, we expect that ILS funds will continue to try and exclude this at any opportunity, while it remains possible to do so.
There may come a time when cyber risk is so intrinsic to broader insurance covers, in more lines than property, that it becomes a lot more challenging to exclude, of course. Although we’d hope that would help to stimulate a more functional cyber reinsurance and retrocession market, rather than become a specific issue for the industry.