WATCH THE CONCENTRATIONS

With a fast-growing cyber insurance marketplace and the rising threat of global cyber shocks, insurers must have a robust cyber accumulations framework.

Today's complex digital landscape increasingly exposes organizations to cyber incidents that seem to be escalating in both frequency and intensity. We see this in the high-profile data breaches and distributed denial-of-service attacks impacting entities such as the United States Office of Personnel Management, Mossack Fonseca, Dyn and Equifax.

The OPM attack caused nearly 4 million federal employees to be exposed to identity theft, the Panama law firm Mossack Fonseca incident resulted in 2.6 terabytes of stolen data within the Panama Papers, and technology provider Dyn suffered multiple DDoS attacks impacting major internet platforms and services across Europe and North America for almost 3 1/2 hours. Other recent global attacks indiscriminately crippled major organizations and seized control of their systems for ransom, most notably the Petya and WannaCry ransomware attacks. And most recently, 145.5 million people's Social Security numbers and other personally identifiable information were stolen during security breaches at Equifax.

Risk Economic Impact

A joint report by McAfee and the Center for Strategic and International Studies estimates cyberattacks cost the global economy some $445 billion each year. A United Kingdom government report gauged the insurance industry's global cyberrisk exposure in the region of £100 billion ($150 billion) in 2014, more than a third of CSIS's estimate of annual global losses from cyberattacks.

Growing demand for cyber insurance offers a significant commercial opportunity. For example, the Insurance Information Institute assessed the U.S. cyber insurance market at $3.25 billion in 2016 with projections reaching $5 billion in gross written premium by 2018, and $7.5 billion by 2020. However, such demand exposes insurers to severe losses as cyber incidents become more frequent and more extreme. As a result, there are increasing concerns among insurers about cyberrisk concentrations and the ability to efficiently manage those concentrations over time.

Accumulations Management

Insurance companies began tracking property accumulations in earnest following Hurricane Andrew in 1992, and workers' compensation accumulations following the Sept. 11 terrorist attacks in 2001. These events brought a harsh awakening to insurers regarding the necessity to prepare financially and physically for both natural and manmade disasters. Insurers today use a variety of models and frameworks to facilitate property and workers' compensation accumulations management, but cyberrisk poses a unique challenge.

For example, insurers use large amounts of historical data to build probabilistic and scenario-based accumulation models. Such data currently does not exist for cyber (or is not readily accessible because it resides within governmental cyber functions). However, even if the data were available to assess cyberrisks, it would likely be impossible to model given the ever-evolving nature of cyber exposures. Tracking accumulations on tangible perils such as earthquakes, for example, is enabled scientifically by the dynamics of plate tectonics; in contrast, cyber has no underlying physics. Similarly, tracking workers' compensation accumulations is facilitated via specific target locations, which also do not exist in cyber.

The above is significant because, as Adm. Mike Rogers, director of the National Security Administration and commander of U.S. Cyber Command, said: "I think it's only a matter of time until we see destructive offensive actions taken against critical U.S. infrastructure."

Fortunately, there has not yet been a systemic "catastrophic cyber event." However, a joint report on data breaches and the global interconnections of cyberrisk by the Atlantic Council and Zurich Insurance estimates that more global cyber shocks (e.g., a cyber Hurricane Andrew) are coming due to the nature of the internet. Therefore, the time has come for insurers to begin identifying their accumulated cyber exposures and actively manage sizable concentrations.

Accumulating Cyber Exposures

Insurers must devise a standard approach for capturing gross and net cyber exposure data. This approach will facilitate the aggregating, reporting and monitoring of cyber exposures under different dimensions to support risk management analyses.

To begin, insurers should identify all of their policies that could trigger a cyber-related claim. Such policies could include:

* Stand-alone cyber insurance policies.

* Policies that cover data breach liability, property damage and other losses resulting from a cyber incident.

* Cyber insurance endorsements that extend the coverage of traditional insurance policies to cover cyber-specific losses.

* Silent cyber exposures resulting from a lack of explicit exclusions for cyberattacks in all-risks policies or from gaps in the terms and conditions of traditional policies that could trigger a cyber claim. Efforts to assess silent cyber exposures include a review of relevant contract language compared to cyber-related case law on the books as well as expected legal trends.

Next, insurers should identify cyber accumulations by product line, industry/business sector and various subsectors, as the characteristics, scope and intensity of cyberrisks can vary from one area of dimensionality or accumulation zone to another. The Cambridge Centre for Risk Studies defines accumulation zones by enterprise size, business sector and jurisdiction. In cyber insurance, these zones could be thought of as the equivalent of the CRESTA (Catastrophe Risk Evaluation and Standardizing Target Accumulations) zones that are used in natural catastrophe risk management.

Cyber scenarios can then be created and accumulated against. Such scenarios could include both severe examples of how cyber losses may impact a portfolio of insurance policies as well as the tracking of select emerging cyberrisks that seem to be developing. It is important to create scenarios that have different impacts on different business sectors and different enterprise sizes.

The Cambridge Centre for Risk Studies indicates that cyber accumulation scenarios should include the following:

* The systemic release of confidential customer records from many enterprises (data exfiltration). For example, it is estimated that the recent massive data breach at Equifax that compromised the personal information of about 143 million people could cost billions.

* Attacks to disable websites and/or disrupt online activity across companies (denial-of-service attack).

* Multiple companies that have business operations disrupted due to a cloud service provider failure.

* The theft of large sums in cyberattacks on multiple enterprises that carry out financial transactions (financial transaction interference).

* Many companies that are held to ransom by hackers disabling IT functionality (extortion spree).

To parameterize the scenarios, insurers should consider the rising costs of data breaches and incident responses over time, as well as the ever-changing macro, legal and regulatory environments with respect to cyberthreats. The cost of a data breach today is 60% higher than it was in 2006 and U.S. firms have seen the cost of data breaches rise at the rate of 9% a year since 2012, according to Aon's 2017 Global Cyber Market Overview.

The next step is to create governance processes around cyber accumulations, which include the careful tracking of cyber accumulation changes over each period of analysis (e.g., monthly, quarterly), as well as the identification of options to mitigate sizable concentrations, such as strategic uses of reinsurance, hedges and/or actively working sizable accumulations down. Models could be used to help facilitate these processes. Catastrophe modeling vendors have developed or are developing models to evaluate cyberrisks. Modeled output could be useful in the procurement of ceded reinsurance and retrocession.

A study by Aon Benfield indicates that only a few stand-alone cyber reinsurance treaties were placed in the market prior to 2015. However, large distributed denial-of-service attacks, such as the Dyn attack in October 2016, are increasingly forcing insurers to look for reinsurance mechanisms to transfer some of their cyber exposure.

A number of insurers are also exploring the possibility of providing risk mitigation solutions and incident response services through establishing partnerships with cybersecurity firms. Insights provided by such firms could enable a deeper understanding of cyber exposures as well as the costs resulting from cyberattacks over time.

Steps to Take

With a fast-growing global cyber insurance marketplace, and a constantly evolving cyberthreat landscape, insurers must have a robust cyber accumulations framework.

Several insurers are hesitant to expand their cyber insurance portfolios due to the rapidly shifting nature of cyberrisks, lack of historical loss data, uncertainty around risk accumulation processes and nascent cyber reinsurance/retrocession markets.

But the growing demand for cyber insurance presents a significant commercial opportunity. Insurers that can consistently capture structured cyber exposure data, develop scenarios and analytical capabilities, and efficiently manage their cyber accumulations risk will be in a better competitive position to profitably expand their cyber insurance capacity over time.

While assessing cyber accumulations is a challenge, insurers can make progress by taking the following measures. Uniformly capture cyber exposure data. Measure all aspects of the data (product line, industry/business sector and various subsectors), as the characteristics, scope and intensity of cyberrisks can vary from one area of dimensionality to another. Work with cyber underwriters and people with specialized knowledge of cyberrisk to create a variety of scenarios to track their cyber accumulations against.

Scenarios should factor in the increasing frequency and magnitude of data breaches as well as the rapidly rising cost of data breaches over time. And finally, incorporate accumulations analyses into a cyberrisk governance process that is designed to mitigate the potential impact of catastrophic cyber events over time.

by Joseph Calandro Jr., Kumarappan Sundaram and Christopher Lima

Contributors: Kumarappan Sundaram is a manager in the financial services advisory practice of PwC. Christopher Lima is a senior associate in the financial services advisory practice of PwC and Joseph Calandro Jr. is a managing director in PwC's insurance practice. He is the corresponding author and can be reached at

Key Points

What's Happening: The threat of cyberrisks is intensifying and the demand for coverage is growing.

The Problem: The growing demand for cyber insurance exposes insurers to severe losses as cyber incidents become more frequent.

The Solution: The time has come for insurers to begin identifying their accumulated cyber exposures and actively managing sizable concentrations.
COPYRIGHT 2017 A.M. Best Company, Inc.

Article Details
Title Annotation:A World of Risk
Author:Calandro, Joseph, Jr.; Sundaram, Kumarappan; Lima, Christopher
Publication:Best's Review
Date:Dec 1, 2017