Cyber Accumulation Risk: What it Is + Why it Matters
Ransomware, malware, and data breaches have become part of today’s business vernacular. Iconic brands like Marriott, Facebook, Yahoo, and Home Depot are not safe from today’s digital peril.
The National Research Council defines a cyber-attack as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”1 Three key areas of cyber risk are business interruption, loss or theft of data, and reputation damage. A Company’s need to insure against these risks has grown exponentially over the last decade.
The market for cyber insurance coverage is increasing, and other types of coverage are being asked to include cyber. The insurance industry is taking on an extraordinary amount of additional risk.
While it is true that all insurance coverages were considered novel at some point, there are aspects of cyber that make it unusual and fraught with pitfalls for the insurance industry. Accumulation risk posed by the cyber threat is a major reason insurance carriers offer for being cautious about expanding capacity. Cyber is a fairly new threat with a comparatively short claims history; the threat is constantly evolving. News reports are full of high-profile data breaches like Facebook, Yahoo and Equifax. A fear is that the cyber threat is rapidly scalable; a single virus can reach thousands of companies and their customers with one click of a mouse. There is limited ability to quantify a probable maximum loss. This restricts capacity and the ability to utilize risk capital efficiently.
All underwriting models need to understand the risk presented. In property classes, for example, the exposures are readily quantifiable and stable over time. In the digital economy, exposures are neither stable nor quantifiable. This uncertainty results in non-standard policy language, wide variation in premiums and potential gaps in coverage.
There is very little experience to base underwriting and policy pricing decisions for the cyber product. The earliest cyber policies were designed to address mechanical system failures and not the sophisticated and sustained cyber-attacks of today.
Initial attacks were aimed mainly at retailers followed by hospitality, healthcare and banking.
The four distinct characteristics of cyber risk that face underwriters are:
- Constantly changing and hard to define and measure exposure bases
- Limited historical claims data
- Ever-evolving threats that can spread widely
- High degree of interconnectivity
A main fear at the moment is an attack on infrastructure and power sector. This attack could be catastrophic and far-reaching.
Historically, policies have focused on stolen data and the underlying data breaches. The actual coverage provided compensation for a portion of the expertise requirements and an ever-expanding list of expenses following the breach. These days, cyber policies include coverage for ransomware attacks and the business interruption that can follow. Ransomware attacks will continue to intensify as the hacker community becomes more sophisticated.
Individual insurance carriers use modeling to determine aggregate exposures and accumulation risk, but are they thorough enough? Underwriters must consider not only the policy limits and reinsurance commitments on their cyber coverage (including such policy enhancements as contingent business interruption) but also what limits are provided on existing property & casualty policies that may respond to losses because of the cyber-attack. Attacks may be simultaneous and widespread across the globe. Individuals and companies affected by a single attack may be anywhere. A carrier that relies on global diversity to shield its capital can sacrifice that diversification benefit when it comes to cyber-attacks.
A global attack or series of attacks can have substantial capital consequences for insurance carriers that have treated their cyber portfolios as narrow, isolated risks rather than as part of a whole portfolio of risk.
Hackers can work alone, be part of a group or even actors of a criminal enterprise or foreign government. This reality must be considered by insurance carriers when structuring coverage contracts.
Developing an effective strategy for cyber insurance requires management of the different levels of accumulation risk across market segments. Recognizing areas of over-saturation, and ensuring that there is adequate diversification across a given market. Insurance carriers need to monitor the amount of risk assumed across various populations of corporate customers, and forecast the possible losses through accumulation scenarios.
Accumulation management requires calculating possible future claims from cyber-related loss. Claim costs resulting from cyber events will change over time.
While the financial effects of past cyber-attacks have been manageable by and large (by both the insurance industry and claimants), there is still concern about the potential for sizable accumulation losses. These concerns will delay the expansion of insurance coverage by insurers that seek to circumvent both the potential of significant accumulation losses as well as the consequences of being too exposed to the risk.
The next ‘big’ data breach is inevitable in today’s digitized world. As such, the cyber risk insurance market will continue to grow. However, the insurance industry has some work to do in this arena. Standardization of underwriting protocols and risk modeling are just some challenges that need to be addressed. Keeping up with the current demand pressure while bracing to withstand any potential major attacks are key focuses for the insurance industry at large.
1 National Research Council, “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” 2009.