The insurance and reinsurance industries still have work to do before they are ready for genuinely catastrophic cyber losses.
Insurers are well-versed in dealing with heavy claims bills from natural catastrophes, but while there have been a smattering of large cyber claims, the industry has yet to deal with an attack big enough to threaten profits and capital.
The NotPetya ransomware attack of 2017, which affected multiple industries in multiple countries, gave insurers an indication of what to expect from a catastrophic event. Property Claim Services estimated that industry claims from that attack came to about $3 billion, which is small compared to typical payouts for natural catastrophes. The average annual insured losses from natural catastrophes over the past 10 years was $71 billion, according to the Swiss Re Institute.
Jeffrey Cohen, president of insurance data company Advisen, in an interview said NotPetya and similar events "are the only things that have come close" to what could be described as truly catastrophic.
'Very inconsistent' view of risk
A study by reinsurance broker Guy Carpenter and cyberrisk analytics company CyberCube into possible catastrophe losses to the affirmative U.S. cyber market found that one of its scenarios, widespread data loss from a leading operating system provider, could cost insurers $23.8 billion.
Erica Davis, cyber risk strategy leader at Guy Carpenter, said the loss estimates in the study underscore how necessary it is for the industry to "develop further in order to sustain these potential catastrophic events." Just as it is difficult for corporations buying insurance to determine the impact of cyberrisk on their operations, it is "equally challenging" to model what the fallout of breaches and attacks might be for insurers and reinsurers.
Because there has yet to be a cyber catastrophe that has eaten into earnings or capital, views about the relative risk to the industry are "very inconsistent," according to Davis.
Increased frequency
Although the insurance industry has escaped a major cyber catastrophe so far, there are signs that one may be on the way. Ron Adiel, CEO and chairman of Advisen, said his company's data showed that "the frequency of attacks is significantly increasing." He also said cyber attackers are becoming more sophisticated and are sometimes backed by nation-states. Such support makes the "depth and sophistication" of attacks "much more significant."
What is truly making the industry jittery about a cyber catastrophe, according to Cohen, is the pricing. More companies are writing cyber, partly in response to client demand, which is increasing available capacity. Even though the frequency of attacks is growing, the increasing capacity is dampening the effect of the perceived risk increase on pricing.
"The pricing is not changing dramatically, and that is making a number of people very nervous," Cohen said.
