The world's biggest reinsurers are approaching cyberrisk warily, but comfort levels are growing and some are aiming to take on more risk amid increasing demand from clients.
Cyberrisk exposures can be difficult to quantify, and a single event or breach can affect multiple geographies and lines of business simultaneously, presenting potential risk accumulation problems for reinsurers. There is also relatively little historical loss data, and reinsurers must be aware of so-called silent or non-affirmative cyberrisk, where exposures arise because the policy wording says nothing on whether the risk is included or excluded.
At a Swiss Re AG investor day in April, CEO Christian Mumenthaler said "It just doesn't make sense" to write more cyber business given the unpredictable nature of the risks. And at the annual reinsurance gathering in Monte Carlo in September, Scor Global P&C SE CEO Victor Peignet told journalists that Scor is "extremely cautious" about underwriting cyber.
But the world's top reinsurers are not standing still. Swiss Re's head of cyber and digital solutions, Maya Bundt, told S&P Global Market Intelligence via email that the company is aware of the challenges of writing cyberrisk and remains selective, but added: "Our growing confidence in understanding cyberrisk has led us to increase reinsurance capacity."
Bundt said Swiss Re has "evolved our approach to cyber and become more comfortable with the risk over the last few years." This includes "significant progress" in areas such as accumulation control, costing, risk assessments and collaborating with external service providers.
Bundt did not provide figures for Swiss Re's cyber appetite, saying: "We do not manage our cyber business with maximum written premium but have put a process in place to manage our cyber risk capacity globally." But she said the company is able to deploy "significant capacity" and added: "We believe in this market and in this risk, we have risk appetite and are open for business, both for first-party and third-party cyber exposures."
The world's biggest reinsurer, Munich Re Co., has an "active appetite for cyber," Chief Underwriting Officer Stefan Golling told journalists in Monte Carlo in September. He noted that Munich Re had grown its cyber book to $400 million of premium in 2018 from $100 million five years ago, and that Munich Re is investing "heavily" in its cyber capabilities.
Golling said the company has set up teams in the U.S., Europe and Asia and that the corporate underwriting team includes around 80 people dedicated solely to cyberrisk. In addition, Golling said the company had hired 20 cyberrisk experts from outside the insurance industry.
Hannover Re CEO Ulrich Wallin told journalists in Monte Carlo that cyber reinsurance "is probably the fastest-growing area that we have," although he noted that this growth was from a relatively small base. He also described cyber as "a diversifying peril," adding: "We feel that we can write cyber business on the basis of the diversification of our global portfolio."
A Hannover Re spokesperson said via email that the reinsurer's focus is on covering insurers' stand-alone cyber policies. "Network interruption and first party losses that result from either security failure or systems failure within these policies are areas we see the biggest demand from our clients for reinsurance protection," the spokesperson added.
Some reinsurers are looking beyond offering reinsurance capacity to clients. Swiss Re, for example, helps clients in areas such as product development and offers advice on policy wording and managing accumulation of risk.
Munich Re is focusing on providing cyber cover to small and medium-sized companies, in part, according to Golling, to allow the company to bundle risk transfer with other services such as cyber risk assessment and business continuity planning. He said the company has teamed up with around 25 companies, including cyber security firms and consultants, to help provide such services.
Nevertheless, reinsurers still have much work left to do in the cyberrisk field. Scor's Peignet said in Monte Carlo that although the company had established a dedicated cyber team that had made "big progress," it was still "not mastering the topic to the level where we can really underwrite big scale."
And there are areas that reinsurers will not touch. Munich Re, for example, believes that outages of entire networks such as power, telecommunications or the internet "should not be insured," according to Golling.
"We are not prepared to cover this and we believe the insurance industry should not offer this kind of cover at the moment," he said.
And just as traditional wars are not covered by the insurance industry, Swiss Re believes the same should apply to cyber. Bundt said: "Acts of cyber war are not easy to attribute and thus the concept of cyber war is somewhat unsuitable for insurance purposes."