Cyber insurance is the fastest growing line of business in years, but its newness and complexity create important challenges for reinsurers. This message was delivered in a session titled “Cyber Security Meets Reinsurance: Modeling an Evolving Risk Landscape” at the CAS Reinsurance Seminar and the Casualty Actuaries in Reinsurance in June.
There is no question the line is growing; direct premiums written in the United States grew nearly 35 percent in 2016, to $1.35 billion, according to annual statement data from S&P Global Market Intelligence. Much more is written through Lloyd’s of London and other markets, both in the United States and abroad. Worldwide premium is projected to grow to between $7.5 billion and $20 billion in five years, according to Joshua Pyle, senior principal actuary at Symantec Corporation.
“It’s the hottest insurance product in 40 years,” he said. Growth has been driven by continued news of cyberattacks worldwide. Major incidents from the past year include the following:
- A major denial of service attack in October 2016 that temporarily brought down Twitter, Netflix, Reddit, CNN and many other sites. Bots directed heavy web traffic to the sites, overwhelming their ability to catalog and respond.
- A May 2017 ransomware attack that held data hostage at sites in nearly 100 countries. Attackers threatened to destroy the data unless ransom was paid.
The market for cyber insurance is growing as businesses learn about the internet of things, a catch-all term for the billions of smart devices connecting our world: speakers (personified by Amazon’s Alexa), thermostats, wristwatches and other devices that are connected to the internet.
“We’ve quickly generated an environment in which we want everything connected to everything,” Pyle said. But interconnectedness creates vulnerability.
For reinsurers, the vulnerability can compound as they accumulate exposures via multiple treaties. One virus or attack could impact many companies simultaneously.
Interconnectedness creates vulnerability … One virus or attack could impact many companies simultaneously.
Reinsurers typically think of accumulation risk regionally. They monitor, for example, hurricane risk in Florida or earthquake risk in Japan. However, cyberrisk accumulates across servers. “Now you have servers in Ireland connected to Africa, then connected to San Francisco,” Pyle said.
Accumulation risk is just one of the many challenges that reinsurers face. Pyle also mentioned several other concerns:
- The risk landscape is ever-changing. Ransomware and denial of service have become hot topics recently, but only a couple of years ago credit card theft was the major risk (Target, Home Depot).
- There is a human element to this peril: “As soon as we defend against one threat,” Pyle said, “the actors have moved on in an attempt to circumvent the defense.”
- There is not much data — thanks to the ever-changing nature of the risk and the reluctance of victims to report. On June 19, for example, The Wall Street Journal reported that hospitals do not always report ransomware attacks to the Department of Health and Human Services. Reporting requirements are murky for that sort of attack.
- Insurers are new to cyber exposure, so they lack what Pyle called “domain knowledge.” Today’s cyber underwriters and actuaries were, in some cases, analyzing different lines just a few years ago.
- Cyber regulation is highly inconsistent. Pyle noted 48 states have statutes regarding reporting events, but fines tend to be meager, in his opinion. This may change as the European Union’s (EU’s) General Data Protection Regulation evolves and sets the pace for other regulators worldwide. The initiative addresses cyber/privacy issues in the EU, and recent proposals would impose significant fines on companies that lose personal customer data via breach.
- Adverse selection is a real issue. Companies that know they are weak in cyber defense are more likely to load up on insurance.
Following Pyle’s overview of cyberrisk, Christopher Shafer, an assistant vice president at Guy Carpenter, gave an overview of the current reinsurance market for cyber.
- Most treaties are quota shares, and the number of treaties handling cyber is rising. The coverage is also frequently embedded into directors and officers (D&O) and errors and omissions (E&O) treaties.
- Treaties covering international exposures are becoming more common.
- Coverage follows the cedents’ original policies, though reinsurers are interested in getting per-event caps. Reinsurers are concerned about business interruption and contingent business interruption as well as bodily injury and property damage.
Meanwhile, ceding companies want broader coverage, and of late they have had some success in adding bodily injury coverage to their reinsurance treaties.
Rates are soft in many areas, Shafer said, though hospitality and health care are exceptions. Sublimits are being removed in some cases, and war exclusions are getting some retooling.
Reinsurers emphasize that ceding companies must be able to track and articulate “exactly what is in their portfolio, and what they want reinsured.”
Insurers and reinsurers generally manage and price their products using models. Modeling cyberrisk, like the coverage itself, is new and evolving, said Shafer. One major issue involves the difficulty in measuring and monitoring exposures, particularly across industries. This is particularly true with business interruption coverage, Shafer said. He recommends diversifying across industry groups as a possible starting place. Ultimately, he pointed out, the best means to diversify a portfolio could change as we continue to learn more about the underlying risk.
Other major issues involve models and data. Models, historically, have only addressed claim severity; frequency remains a challenge. There is also a lack of historical data, though some insurers and reinsurers are using third-party vendors and data to support underwriting. Lloyd’s is starting to standardize data capture, but that project faces challenges such as establishing minimum data requirements.
James P. Lynch, FCAS, is chief actuary and director of research for the Insurance Information Institute.