Is cyber the “new property”?
Natural catastrophes such as hurricanes and earthquakes have existed longer than mankind itself. Property insurance as we know it today is much younger, but nevertheless can be traced back to the seventeenth century. The first stochastic natural catastrophe models, helping insurers and reinsurers better understand and price the risk, were only developed in the late 1980s.
These models play an important role in today’s (re)insurance and Insurance Linked Strategies (ILS) market, and technological progress has allowed researchers to run ever-more-complex simulations in ever-shorter amounts of time. But now, the same computers that afforded the industry these advancements are becoming a source of new risk – cyber risk.
The first computer virus was created in 1983, only 36 years ago. The first cover policies for cyber insurance were already discussed in the 1990s, but only came into being in 2000 at Lloyd’s of London. Some eight years later, the market was already worth approximately USD 500 mn in annual premium volume, and has grown to approximately USD 5 bn in annual premium volume in 2019. Although this demonstrates very strong growth, it is still very small overall. In comparison, the annual premium volume for global property and casualty primary insurance is estimated to be around USD 1.5 tn (2018).
The growth of cyber insurance significantly lags behind the growth in potential risks. Reasons for this include:
- The lack of data actuaries have to price coverages
- The lack of a unified market view in terms of scenarios – for example, would a 48-hour downtime of Amazon Web Services lead to a USD 1 bn industry loss or to a USD 20 bn loss?
- A wide variety of potential “perils” that need to be covered, such as first-party material damage or third-party liability
- A low awareness of the product by companies’ risk managers
- A perception that cyber insurance is not needed or is too expensive – if you consider that only 10% of homeowners in California buy earthquake insurance, you can imagine how difficult it is to sell cyber insurance
On the other hand, there are many reasons to be optimistic for the cyber (re)insurance sector. The Internet of Things (IoT) is booming. By 2025, there will be an estimated 75 billion IoT devices in the world. It is estimated that by 2020, there will already be an average of 6.6 devices connected to the internet per person. The fifth generation of the Internet (5G) will be a game-changer, connecting devices with each other with considerably improved speed and latency. Cloud services are growing, with more and more businesses moving part of their activity to the cloud.
This also attracts unwanted attention: in a recent report, Kaspersky has estimated that the number of attacks to IoT devices has multiplied by nine in the last year. C-suite and Board-level awareness and concerns are growing, reinforced by the NotPetya ransomware attack, which is considered the costliest cyber catastrophe event seen to date. NotPetya affected companies like Merck, FedEx, Maersk, Mondelez and Reckitt-Benckiser. There are no reliable estimates on the economic losses from this cyber-attack, but the insured loss is estimated to be more than USD 3 bn. In 2018, the United States government assigned responsibility for NotPetya to Russia, opening the door for cyber insurers to dispute the validity of any insurance claims under the standard ‘war exclusion’ clause. Time (and pending lawsuits) will tell if government-backed cyber-attacks should be covered under cyber policies or not.
The NotPetya event is testament to how complex cyber risks are to understand and to cover by insurance. Cyber insurance is not only about the attacks themselves, but can also cover losses due to power grid outage, cyber extortion, damage to reputation, business interruption whether caused by a third-party hack, software failure or human error, and also expenses due to data breaches. The increasing frequency of these data breaches has raised concerns and awareness from companies regarding reputational risk and balance sheet protection. Regulatory developments such as the General Data Protection Regulation (GDPR) in Europe have also helped draw more attention to cyber threats from the corporate world. Some of the benefits of globalization have become weaknesses, too, with malwares having the power to affect companies everywhere across the globe in a short amount of time.
Cyber is a new risk, still in its infancy, but cyber insurance is growing much faster than the property and casualty insurance market. Modeling firms have replaced hiring PhDs in climatology with PhDs in cyber engineering and security to bring in expertise in modeling such complex and intricate risks. Insurance companies are still adjusting their understanding of the accumulation of the cyber risks they are carrying on their balance sheets. Customers are discovering every day that their entire business could go down due to an unfortunate click and are investing more and more in the security of their systems. This somewhat small but growing ecosystem is learning how to apprehend this risk, though – being realistic – it will be a while until the risk is well understood and modeled. Scientists are working hard to develop ever-more-powerful and intelligent computers and devices; just as hackers are working hard to develop ever-more-ingenious viruses. Cyber risk is here to stay and so is cyber insurance.
Does cyber risk play a role in the reinsurance and ILS market?
Cyber reinsurance exists, although capacity is limited. This limitation stems from the rather small risk appetites set by boards and executive committees, because of the uncertainty in modeling and accumulating cyber risk, and the lack of diversification within this line of business. On the ILS side, the capacity is even more limited, because of the same reasons cited before, but also because of the mixed aspect of first-party damage and third-party liability, the difficulty of committing on a multi-year basis given the very dynamic nature of the risk, and finally the lack of sponsors willing to cede their cyber insurance risks or their operational risks to the capital markets as well as the capital market’s reluctance to take on such complex and less-well-understood risks. In addition, ILS and catastrophe bonds became popular among capital market investors in part owing to their low correlation to financial markets. Cyber risk is likely to exhibit a much higher correlation. So will cyber risk be the next big thing in the ILS market – the “new property” (i.e. natural catastrophe coverage)? We believe that this is unlikely in the near future, yet cyber insurance has the potential to ultimately become an alternative market with the size of today’s natural catastrophe market. The ILS catastrophe market remained fairly small during its first ten years of existence and underwent continuous innovation and development in terms of risk transfer structures and solutions. Equally, any direct transfer of cyber risk to the capital market is unlikely to happen overnight or to grow quickly – rather, it will carefully and steadily develop over time to match investor appetite with sponsors’ need for cyber reinsurance and ILS coverage.