Insuring emerging cyber risks
Cyber insurance cover is a rapidly-growing sector within the general insurance industry. Actuaries can add real value by helping insurers to understand how cyber risk can impact their portfolios, but more sophisticated scenario modelling is required for the $20 billion industry. Jeremy Waite and Peter Yeates report.
In the World Economic Forum’s Global Risks 2016 report, cyber risk is firmly positioned as a major risk in terms of likelihood and impact:
’Cyber risk’ means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. Such a risk could be deliberate, unintentional or operational.
Organisations are potentially vulnerable to both direct impacts, as well as the effects on key companies in their supply chain or their extended enterprise. For insurers, these considerations extend to their insureds via insurance claims.
“The cyber market is growing by double-digit figures year-on-year, and could reach $20bn or more in the next 10 years.” – Nigel Pearson of Allianz – A Guide to Cyber Risk
Cyber insurance cover is a fast-growing sector within the general insurance industry. We estimate that, in 2014, the global premium income for standalone cyber insurance increased by 50% as compared to the previous year, and now totals around $2 billion -representing 0.1% of the premium pool. This is estimated to reach $20 billion in the next 10 years .
The Growth of Cyber Insurance Products
The early growth in cyber insurance was driven by US federal and state regulations requiring disclosure and notification of breaches of personal data. As a result, 90% of premiums are currently written in the US. This situation is expected to change rapidly with the recently finalised EU General Data Protection Regulation scheduled to come into force in mid-2018. This legislation is expected to create a similar level of demand for insurance cover in Europe. Australia is currently consulting on draft legislation.
Prevention of cyber-attacks is preferable to collecting insurance payouts after they occur. However, global cyber security spending is estimated to be in excess of $80 billion p.a. (expected to increase to an estimated $170bn p.a. by 2020) and high profile targets continue to be breached. In this context, the spending of $2 billion on post-event insurance looks small in comparison. A further driver of growth is likely to be a strong uptake in the SME sector where insureds have fewer resources to devote to cyber security and brokers are increasingly highlighting the value of the cover.
Cyber insurance products are not yet standardised, but typical designs reflect their origins in covering data breaches. They provide cover for first party losses and forensic investigation triggered by data breaches or cyber-attack, as well as for third-party exposures, notification and regulatory costs. Cyber gaps and exclusions in traditional policies, together with the emergence of stand-alone cyber insurance solutions for new risks, often create a complex picture, where businesses struggle to fully understand the boundaries of their cover.
In the US, cyber cover is marketed in part as a service offering, more akin to kidnap and ransom, with insurers providing access to panels of service providers who are experienced in responding to cyber-attacks. This is designed to help the insured access services which mitigate the claims, manage disclosure and notification requirements as well as providing a shield legal privilege. As well as mitigating after-the-event damage, the hope is that these measures will also limit the ultimate cost to the insurer.
Aggregation Risk – a Burden for Insurers?
The non-physical nature of cyber risk makes it possible for insurers to suffer losses from a vast number of clients spread across different industries and geographies as a result of a single event. This aggregation risk could result in insurers or reinsurers finding themselves burdened with catastrophic losses which they cannot afford to pay.
While a cyber-attack at scale – i.e. a ‘black swan’ or ‘cyber 9/11’ event – has yet to occur, it should not be an excuse for inaction. Experts increasingly assert that it is only a matter of time until such an event occurs and fear that most countries, including the UK, are ill prepared.
Aggregation can occur when one cyber event triggers multiple cyber insurance claims over a diverse range of insureds (for example by penetrating a common service provider) or by triggering multiple types of policies (for example reputational risk, Property Damage, Professional Indemnity, and Directors Errors & Omissions) for a smaller group of insureds.
Quantifying these aggregations is an emerging area. The PRA has asked UK insurers to run a simple retail scenario; Lloyd’s requires managing agents to submit three different cyber Realistic Disaster Scenarios (RDS) at the end of Q1 2016; AM Best now requires separate reporting of cyber insurance written.
Considerable effort is currently going into producing cyber scenarios which can be used to evaluate and quantify an insurer’s cyber exposure. Scenarios under active development include breaches or business interruption of cloud servers, mail services and payment providers, power grid attack and remote activation of sprinkler systems. The following are some more detailed scenarios currently available:
Data breach at major retailers
Last year the PRA required UK insurers to consider an aggregation of their 15 largest retail clients, assuming that all policies without cyber exclusions suffered losses of at least 90% of policy limits. This represents a model of the classical data breach with associated response and third party impacts. While the scenario may appear simple, the process of calculating it requires insurers to identify industry groups, aggregate exposure to specific insureds and consider whether policy wordings appropriately include sub-limits or exclude cyber losses.
Cambridge Centre for Risk Studies (CCRS) has produced the Sybil database cat scenario, which considers a widespread, long-term corruption of a widely used database system such as Oracle or SAP. This necessitates reconciliation and rework across a wide range of industries, impacting both insureds and insurers, as well as causing wider economic losses, with potential market impact.
This scenario highlights the potential involvement of several risk categories and is grounded in the types of attacks which have been seen in the past, albeit on a wider scale.
While the scenario describes economic losses in great detail, using it to calculate insurance losses requires a lot of additional assumptions.
Electricity grid attack
CCRS, together with Lloyd’s produced the Erebus Business Blackout scenario with a cyber attack shutting down the northeast US electricity grid, affecting 93 million people and a third of US economic output. Power remains out for up to 2 weeks. This leads to losses from direct damage, loss of revenue, supply chain disruption and lost economic output. This has close parallels with the recent events in Ukraine .
This scenario helps us think more broadly about how cyber threats might affect a typical insurance portfolio. While the original trigger is a cyber-attack, the proximate cause of most of the damage is loss of power or supply chain interruption.
This scenario includes a detailed methodology to calculate the insurance losses.
Modelling the aggregation of physical risks is well established. For example, a large amount of historical data is used to build probabilistic models with regard to natural catastrophes. This data does not exist for cyber risk, which means that insurers have to rely on experts making educated assumptions when assessing the severity and frequency of possible cyber catastrophe scenarios. This has led to there being an extremely wide range of estimates for the likely cost of each of the scenarios.
Actuaries can help insurance companies here by understanding the risks and scenarios and the key influences on the assumptions that can lead to working/coverage both for the insurance and reinsurance of such risks.
With the rapid growth of cyber insurance and the growing scrutiny on managing the aggregation of cyber risk, there are opportunities for actuaries to identify the impact of cyber threats on insurers and insureds; develop better models for cyber risk aggregation; and design products to manage these risks appropriately.
Actuaries outside of general insurance firms can ensure that cyber risk is integrated into their risk management strategy and not siloed into the IT department. Cyber insurance should be considered as part of the discussion of cyber risk appetite. The opportunity for insurance growth and upside and downside is large, and Actuaries have much to add in this emergent insurance class.
If you are interested in joining the Cyber Insurance working group please contact Peter or Jeremy.
 Nigel Pearson of Allianz “A Guide to Cyber Risk”, http://www.agcs.allianz.com/insights/white-papers-and-case-studies/cyber-risk-guide/
 Exposure Draft – Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 https://www.ag.gov.au/Consultations/Pages/serious-data-breach-notification.aspx
 Kaspersky quoted by Gibbs, 2014 http://www.theguardian.com/technology/2014/may/01/eugene-kaspersky-major-cyberterrorist-attack-uk
 Required in the 2016 Supplemental Rating Questionnaire (SRQ) http://www3.ambest.com/ambv/bestnews/PressContent.aspx?altsrc=14&refnum=23530
 PRA General Insurance Stress Test (2015) http://www.bankofengland.co.uk/pra/Documents/supervision/activities/generalinsurancestresstestingjuly2015.pdf
 Sybil Logic Bomb Cyber Catastrophe, CCRS (2015) http://cambridgeriskframework.com/page/25
 Erebus Business Blackout http://www.lloyds.com/news-and-insight/risk-insight/library/society-and-security/business-blackout
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.