The novel coronavirus (COVID-19) and the resultant move to widespread homeworking has created vulnerabilities for criminals to exploit. Homeworking has exposed new access points for cyber criminals to gain entry to corporate systems, including domestic PCs, laptops and Wi-Fi routers. Homeworking has also led to a diminution in employees’ distinction between work and personal emails, to increasing usage of devices with insecure passwords and to use of online applications that would be prohibited in the corporate environment due to security concerns.
Criminals have also exploited the public’s need for information on COVID-19 to create a range of social media and text message attacks, particularly in those countries worst affected by the virus. In addition, the rapid rise of online shopping due to lockdown has exposed the public to a higher level of well-established cyber scams such as form-jacking and spoofing.
Any organization that rapidly deployed new technology, applications, services or systems at the onset of the pandemic should now be focused on taking a look back and ensuring that the organization has implemented best practices in security configuration and architecture. Many organizations are discovering that their rapid deployments, while necessary, may have introduced undesirable security vulnerabilities.
In a new report, Darren Thomson, Head of Cyber Security Strategy at CyberCube; Jon Laux, Head of Cyber Analytics, Reinsurance Solutions, at Aon; and Rebecca Bole, Head of Industry Engagement at CyberCube; explore the changes to our digital landscape and lay out ways to head off problems.
A video featuring Jon and Darren discussing some of the report’s key findings can be found on CyberCube’s YouTube channel.
You own a house. It burns down. Your insurer only pays out 15% of the loss.
That’s a serious case of under-insurance. You’d wonder why you bothered with insurance in the first place. In reality, massive under-insurance is very rare for conventional property fire losses. But what about cyber insurance? In 2017, the total global economic loss from cyber attacks was $1.5 trillion, according to Cambridge University Centre for Risk Studies. But only 15% of that was insured.
I chaired a panel on cyber at the Insurtech Rising conference in September. Sarah Stephens from JLT and Eelco Ouwerkerk from Aon represented the brokers. Andrew Martin from DynaRisk and Sidd Gavirneni from Zeguro represented the two cyber startups. I asked them why we are seeing such a shortfall. Are companies not interested in buying or is the insurance market failing to deliver the necessary protection for cyber today? And is this an opportunity for insurtech start-ups to step in?
High demand, but not the highest priority
We’ll hit $4 billion in cyber insurance premium by the end of this year. Allianz has predicted $20 billion by 2025. And most industry commentators believe 30% to 40% annual growth will continue for the next few years.
A line of business growing at more than 30% per year, with combined ratios around 60%, at a time when insurers are struggling to find new sources of income is not to be sniffed at.
But the risks are getting bigger. My panelists had no problem in rattling off new threats to be concerned with as we look ahead to 2019. Crypto currency hacks, increasing use of cloud, ransomware, GDPR, greater connectivity through sensors, driverless cars, even blockchain itself could be vulnerable. Each technical innovation represents a new threat vector. Cyber insurance is growing, but so is the gap between the economic and insured loss.
The demand is there, but there are a lot of competing priorities. Today’s premiums represent less than 0.1% of the $4.8 trillion global property/casualty market. Let’s try to put that in context. If the ratio of premium between cyber and all other insurance was the same as the ratio of time spent thinking about cyber and other types of risk, how long would a risk manager allocate to cyber risk? Even someone thinking about insurance all day, every day for a full working year would spend less than seven minutes a month on cyber.
It’s not because we are unaware of the risks. Cyber is one of the few classes of insurance that can affect everyone. The NotPetya virus attack, launched in June 2017, caused $2.7 billion of insured loss by May 2018, according to PCS, and losses continue to rise. That makes it the sixth largest catastrophe loss in 2017, a year with major hurricanes and wildfires. Yet the NotPetya event is rarely mentioned as an insurance catastrophe and appears to have had no impact on availability of cover or terms. Rates are even reported to be declining significantly this year.
Large corporates are motivated buyers. They have an appetite for far greater coverage than limits that cap out at $500 million. Less than 40% of SMEs in the U.S. and U.K. had cyber insurance at the end of 2017, but that is far greater penetration than five years ago. The insurance market has an excess of capital to deploy. As the tools evolve, insurance limits will increase. Greater limits mean more premium, which in turn creates more revenue to justify higher fees for licensing new cyber tools. Everyone wins.
Growing cyber insurance coverage is core to the strategy of many of the largest insurers.
Cyber risk has been available since at least 2004. Some of the major insurers have had an appetite for providing cyber cover for a decade or more. AIG is the largest writer, with more than 20% of the market. Chubb, Axis, XL Catlin and Lloyd’s insurer Beazley entered the market early and continue to increase their exposure to cyber insurance. Munich Re has declared that it wants to write 10% of the cyber insurance market by 2020 (when it estimates premium will be $8 billion to $10 billion). All of these companies are partnering with established experts in cyber risk, and start-ups, buying third party analytics and data. Some, such as Munich Re, also offer underwriting capacity to MGAs specializing in cyber.
The major brokers are building up their own skills, too. Aon acquired Stroz Friedberg in 2016. Both Guy Carpenter and JLT announced relationships earlier this year with cyber modeling company and Symantec spin-off CyberCube. Not every major insurer is a cyber enthusiast. Swiss Re CEO Christian Mumenthaler declared that the company would stay underweight in its cyber coverage. But most insurers are realizing they need to be active in this market. According to Fitch, 75 insurers wrote more than $1 million each of annual cyber premiums last year.
But are the analytics keeping up?
Despite the existence of cyber analytic tools, part of the problem is that demand for insurance is constrained by the extent to which even the most credible tools can measure and manage the risk. Insurers are rightly cautious, and some skeptical, as to the extent to which data and analytics can be used to price cyber insurance. The inherent uncertainties of any model are compounded by a risk that is rapidly evolving, driven by motivated “threat actors” continually probing for weaknesses.
The biggest barrier to growth is the ability to confidently diversify cyber insurance exposures. Most insurers, and all reinsurers, can offer conventional insurance at scale because they expect losses to come from only a small part of their portfolio. Notwithstanding the occasional wildfire, fire risks tend to be spread out in time and geography, and losses are largely predictable year to year. Natural catastrophes such as hurricanes or floods can create unpredictable and large local concentrations of loss but are limited to well-known regions. Major losses can be offset with reinsurance.
Cyber crosses all boundaries. In today’s highly connected world, corporate and country boundaries offer few barriers to a determined and malicious assailant. The largest cyber writers understand the risk for potential contagion across their books. They are among the biggest supporters of the new tools and analytics that help understand and manage their cyber risk accumulation.
What about insurtech?
Insurer, investor or startup – everyone today is looking for the products that have the potential to achieve breakout growth. Established insurers want new solutions to new problems; investment funds are under pressure to deploy their capital. A handful of new companies are emerging, either to offer insurers cyber analytics or to sell cyber insurance themselves. Some want to do both. But is this sufficient?
The SME sector is becoming fertile ground for MGAs and brokers starting up or refocusing their offerings. But with such a huge, untapped market (85% of loss not insured), why aren’t cyber startups dominating the insurtech scene by now? The number of insurtech companies offering credible analytics for cyber seems disproportionately small relative to the opportunity and growth potential. Do we really need another startup offering insurance for flight cancellation, bicycle insurance or mobile phone damage?
While the opportunity for insurtech startups is clear, this is a tough area to succeed in. Building an industrial-strength cyber model is hard. Convincing an insurer to make multimillion-dollar bets on the basis of what the model says is even more difficult. Not everyone is going to be a winner. Some of the companies emerging in this space are already struggling to make sustainable commercial progress. Cyber risk modeler Cyence roared out from stealth mode fueled by $40 million of VC funding in September 2016 and was acquired by Guidewire a year later for $265 million. Today, the company appears to be struggling to deliver on its early promises, with rumors of clients returning the product and changes in key personnel.
The silent threat
The market for cyber is not just growing vertically. There is the potential for major horizontal growth, too. Cyber risks affect the mainstream insurance markets, and this gives another source of threat, but also opportunity.
Most of the focus on cyber insurance has been on the affirmative cover – situations where cyber is explicitly written, often as a result of being excluded from conventional contracts. Losses can also come from “silent cyber,” the damage to physical assets triggered by an attack that would be covered under a conventional policy where cyber exclusions are not explicit. Silent cyber losses could be massive. In 2015, the Cambridge Risk Centre worked with Lloyd’s to model a power shutdown of the U.S. Northeast caused by an attack on power generators. The center estimated a minimum of $243 billion economic loss and $24 billion in insured loss.
In the current market conditions, cyber can be difficult to exclude from more traditional coverage such as property fire policies, or may just be overlooked. So far, there have been only a handful of small reported losses attributed to silent cyber. But now regulators are starting to ask companies to account for how they manage their silent cyber exposures. It’s on the future list of product features for some of the existing models. Helping companies address regulatory demands is an area worth exploring for startups in any industry.
Ultimately, we don’t yet care enough
We all know cyber risk exists. Intuitively, we understand an attack on our technology could be bad for us. Yet, despite the level of reported losses, few of us have personally, or professionally, experienced a disabling attack. The well-publicized attacks on large, familiar corporations, including, most recently, British Airways, have mostly affected only single companies. Data breach has been by far the most common type of loss. No one company has yet been completely locked out of its computer systems. WannaCry and NotPetya were unusual in targeting multiple organizations, with far more aggressive attacks that disabled systems, but on a very localized basis.
So, most of us underestimate both the risk (how likely), and the severity (how bad) of a cyber attack in our own lives. We are not as diligent as we should be in managing our passwords or implementing basic cyber hygiene. We, too, spend less than seven minutes a month thinking about our cyber risk.
This lack of deep fear about the cyber threat (some may call it complacency) goes further than increasing our own vulnerabilities. It is also the reason we have more startups offering new ways to underwrite bicycles than we do companies with credible analytics for cyber.
Rationally, we know the risk exists and could be debilitating. Emotionally, our lack of personal experience means that cyber remains “interesting” but not “compelling” either as an investment or startup choice.
So, let’s not beat up the incumbents again. Insurance has a slow pulse rate. Change is geared around an annual cycle of renewals. It evolves, but slowly. Insurers want to write more cyber risk, but not blindly. The growth of the market relies on the tools to measure and manage the risk. The emergence of a new breed of technology companies, such as CyberCube, that combine deep domain knowledge in cyber analytics with an understanding of insurance and catastrophe modeling, is setting the standard for new entrants.
Managing cyber risk will become an increasingly important part of our lives. It’s not easy, and there are few shortcuts, but there are still plenty of opportunities to get involved helping to manage, measure and insure the risk. When (not if) a true cyber mega-catastrophe does happen, attitudes will change rapidly. Those already in the market, whether as investors, startups or forward thinking insurers, will be best-positioned to meet the urgent need for increased risk mitigation and insurance.
Much has been said about the challenges facing the reinsurance industry, to the point where the industry and a few of its major players have been characterized as being in a potentially terminal decline. However, to focus on recent results is to overlook fundamental changes in the nature of risk in the 21st century that could benefit the world’s major reinsurers, with opportunities unlike any seen before in the modern history of reinsurance.
A difficult financial backdrop for reinsurance in 2017
Financial results for major reinsurers in 2017 saw substantial contractions from prior years, driven by large catastrophe losses from hurricanes and California wildfires. These results have been followed by cost reduction in the reinsurance industry, which has elicited surprise in two conflicting ways. For some, the surprise was that the cost-reduction efforts could affect reinsurance, given that such exercises were more common for their cedent primary carrier clients. For others, the surprise was that it had taken so long for a focus on cost to come to the reinsurance market.
Concerns about the future financial performance of the reinsurance industry are held at the very highest levels of leadership among major reinsurers. In response to questions about the company’s 2017 performance, Swiss Re CEO Christian Mumenthaler commented on the state of the property catastrophe market that “we need to get used to a world where margins are much lower.” Given that property catastrophe profits have been one of the best-performing segments, not just in reinsurance, but in the entire insurance industry, according to McKinsey, this is an unwelcome development for the medium-term profitability of reinsurance firms.
Bearish commentators do not blame recent poor results on an unfortunate confluence of large-scale U.S. property losses, excess capital in the reinsurance industry or a temporary soft market. Rather, global advisory firm EY points to “clear signs that reinsurers face a long-term structural phenomenon rather than a short-term fluctuation of the insurance cycle.” EY goes on to warn in a report on the reinsurance industry that there is “compelling evidence that reinsurers are inexorably moving toward a ‘dead end’ with their legacy business models.”
The potential for reinsurance, with a longer-term lens
Such pronouncements about the potential for the reinsurance industry to perish are, however, overblown. Far from the rapidly changing risk environment undercutting the role of reinsurance, changes in the nature of risk have the potential to unlock a golden age of reinsurance where reinsurance institutions could play an even more important role in the future of the global economy than ever before. Two megatrends affecting society in the 21st century could bode very well for the reinsurance industry.
The shift from physical to non-physical assets on balance sheets
First, the emergence of non-physical assets fundamentally alters the nature of risk, which will require major changes in the P&C insurance industry.
According to Ocean Tomo, in 1975, more than 80% of the market capitalization of the S&P 500 was derived from physical assets and infrastructure. Property insurers, therefore, had a key role in insuring the most valuable assets of the business community. However, by 2015, property assets made up a relatively small share of the value of businesses, with 87% of that value being tied to intangible assets. For centuries, the P&C insurance industry was focused on the protection of property, but in the space of a generation the relative importance of physical property has declined precipitously. Risk to assets hasn’t gone away; there has just been a shift from physical to non-physical assets.
The shift toward digital risks as a driver of risk to a company’s income statement
Second, the emergence of digital risk is fundamentally changing the potential causes of loss for businesses. When you move beyond a balance sheet perspective, where physical property has declined in importance, and look at the income statements of contemporary businesses, you also see an increasing reliance on digital technologies with substantial potential for business interruption when these technologies are disrupted. These losses are already being witnessed today with the recent NotPetya attack illustrating that many major businesses can lose hundreds of millions of dollars from a single cyber event. It is, therefore, no surprise that cyber risk has skyrocketed in importance from the #15 item on the minds of risk managers in 2013 to the #2 item on the minds of risk managers in 2018, according to a report from Allianz.
What is remarkable is not just the meteoric rise in importance of cyber risk over the past five years but the fact that we are just scratching the surface of a megatrend that promises to have an even greater impact in the years to come. Changes in technology are fundamentally changing the nature of risk due to the digitization of the economy, the automation of entire industries and the explosion of Internet of Things (IoT) devices. As the economy shifts from having 10 billion IoT devices to more than 200 billion IoT devices, sources of digital risk are set to skyrocket, along with the potential for cyber losses.
The foundation for any financial risk transfer product – where is the financial loss?
Estimating the financial impact of cyber risk is a difficult endeavor. A recent piece of research conducted by RAND, supported by the CyberCube unit of Symantec and the Hewlett Foundation, estimated that cybercrime today costs the global economy at least $275 billion to as much as several trillion dollars. When you layer on the emergence and deployment of new technologies, this number will only increase over time.
Not only will these losses due to cyber events rise, but cyber catastrophe modeling research undertaken by CyberCube suggests that there will be a shift from attritional day-to-day losses affecting individual firms to more and more large-scale losses affecting multiple companies simultaneously from global aggregation events. Such events were once deemed somewhat theoretical, but the last 18 months have revealed a series of cyber aggregation events that have shown that cyber events have the potential to lead to simultaneous losses from many companies, and we are just at the beginning of a major technological change.
In many cases, the absolute level of risk for the global economy will decline. For example, with the emergence of new safety features in automated cars, the incidence of property and casualty losses from automobiles will decline.
However, new sources of catastrophic risk emerge as the potential arises for mass losses from the simultaneous failure of the technology affecting thousands of companies simultaneously. CyberCube has identified more than 1,000 technology “single points of failure” that could pose sources of aggregation risk to insurers, and this number will only grow as the years go by and new cloud-connected technologies are rolled out. To draw an analogy to the property insurance market, you can expect far fewer one-off damages from one-off fires burning down a single home and far more wildfires destroying entire towns.
Implications for reinsurers
So what are the implications for reinsurers?
1. The foundation for any financial risk transfer product – where is the financial loss?
Changes in the nature of company assets, technology and the emergence of connected digital risk are reducing absolute levels of risk to society overall but concentrating the potential for financial losses in a smaller number of catastrophic events. This is precisely the type of risk and financial transfer that the reinsurance industry can provide.
2. Emerging cyber risk is so complex that the largest and most sophisticated reinsurers stand to gain the most from this shift in the risk landscape
Given that cyber risk is not geographically constrained, the ability of smaller and less sophisticated reinsurers to participate in a large number of geographically diversified natural catastrophe treaties is diminished. The nature of cyber risk is so complex and dynamic that only reinsurers with a critical mass of expertise in connected digital risk will be able to effectively understand, monitor and model cyber risk. There will be more differentiated insight in cyber risk than in natural catastrophe risk.
3. Investment from reinsurers is needed to understand cyber risk today, in advance of catastrophe events that could create tremendous financial opportunities for reinsurers in the future
It is a cliché to say that it is just a matter of “when, not if” for cyber attacks on individual companies. What is becoming increasingly apparent is that the same can be said for catastrophic cyber aggregation events that cause material damage to many companies simultaneously. When this happens, insurance history suggests that demand for coverage will increase, capital will flee the market and prices will harden. The reinsurance market for cyber as a peril might be small today, but reinsurers that have taken the time to invest in their own capabilities ahead of these events, with informed capital to deploy when market demand spikes, will benefit tremendously.
Conclusion: Terminal decline or golden age?
The nature of risk is fundamentally changing, which means the nature of financial risk transfer also must change. 2017 may have been a bad year for the financial performance of the reinsurance industry, but this is a market where time horizons need to be considered over many decades and certainly not over the results from one financial year alone.
Far from the reinsurance industry being in a potentially terminal decline, changes in the nature of risk in the 21st century stand to benefit the most sophisticated players in the reinsurance industry if they can take advantage of digital trends and understand new risk concentrations.
Reinsurers that invest in understanding the nature of cyber risk, and the sources of catastrophic losses, not only stand to benefit in outsized ways relative to other insurers, but they also stand to help society reap the tremendous rewards of new technology by mutualizing financial risk when technology inevitably goes wrong.
The reinsurance industry as a whole is neither in terminal decline nor at the beginning of a new golden age. It is the action of individual reinsurance companies, and their efforts to understand, quantify and model digital risk that forms the basis of whether they will thrive or falter in this emerging digital age.