Tom Johansmeyer of PCS, Verisk Insurance Solutions, reviews 2017’s cyber losses and assesses where the momentum is—and examines why the ILS market should be taking note.
Big numbers grab headlines. By this thinking, cyber shouldn’t be much of an issue this year for the global reinsurance and insurance-linked securities (ILS) market. Last year, the cyber sector had to wrestle with the large NotPetya cyber catastrophe loss. But many ILS practitioners believe that ILS capital could ultimately solve many problems in this sector—so they are watching its development closely.
Affirmative cyber risk losses of at least $20 million resulted in insured losses of more than $400 million, not all of which was from the cyber catastrophe event. In contrast, 2018 has been pretty tame. So far, we haven’t seen a potential NotPetya brewing, and although PCS Global Cyber has recorded four affirmative cyber losses, the total falls short of even half the 2017 tally.
Of course, nobody has stopped talking about cyber, and the chatter up and down Front Street on Bermuda is no exception. If anything, the momentum has increased, especially given recent discussions about the reinsurance sector’s need for capital markets capacity to support growth up and down the value chain.
Some of this is attributable to a natural lag in the industry conversation. An event happens, the losses develop, the market learns, the conversation evolves. It makes sense. However, there’s another dimension to our industry’s current reflection on the cyber market: it’s becoming pretty clear that 2017 could have been a lot worse.
Let’s start with NotPetya. Only around 10 per cent of the insured loss from that cyber catastrophe event—the first designated and estimated under the new PCS Global Cyber methodology—came from affirmative cyber cover. The overwhelming majority of the loss fell into the property market.
As the global adoption of cyber insurance continues, it’s likely that cyber catastrophe events will produce increasingly higher overall insured losses. What’s comparatively small now could become pretty big in the next few years.
The establishment of case law for ‘silent cyber’ could go either way. If any cases related to NotPetya find their way through the system and establish precedent unfavourable to insurers, the result could be an emboldened claimant base that could conceivably drive insured losses higher for future loss events, even if insurers tried to use such outcomes to explore sublimits and exclusions.
There is the possibility that favourable outcomes could constrain the size of future events, although they could also lead original insureds to secure more cyber protection, which in turn could help swell the size of future cyber catastrophe insured losses.
Then there’s the uncertainty associated with the underlying cause. Was there any reason to expect that an exploit in Ukrainian accounting software could become a global insurance event? And since this one was surprisingly large, is there a similar risk out there that could be surprisingly larger? The ‘what if’ game here could go on forever, with various increments ultimately becoming transformative. And in the end, we keep discovering that the limits of our collective imagination are just the beginning.
The numbers game
When it comes to cyber catastrophe, imagination can be powerful, and the end scenarios reached in casual conversation can quickly become apocalyptic. Cyber risk losses don’t carry the same parlour game attraction, but to overlook their potential for industry impact could have serious consequences, particularly as the ILS market looks to increase its efforts in the space.
Last year, PCS Global Cyber identified three large cyber risk losses, two of which exceeded $100 million. With a few unlucky bounces, though, an active cyber loss year could have wiped out the industry’s worldwide premium collected. Two uncovered companies were hit by NotPetya and subsequently secured protection. Had they been insured prior to the event, the result could have been another $600 million in affirmative cyber insured losses.
If the two largest risk losses of the year had had $500 million in affirmative cover (at the upper end prevailing at the time), another $600 million in claims would have come into the market, taking the year’s total to more than $1.6 billion. Had half of the remaining silent cyber losses from NotPetya hit the affirmative cyber market, the total for the year would have exceeded $2 billion.
With cyber insurance premiums for 2017 ranging from $2.5 billion to $3 billion, it’s easy to see how a few changes to last year’s losses could have had a profound impact on a young line of business. Some have questioned, however, whether the increased premium from the underlying penetration assumed in the above scenario would have dulled the impact of the losses.
While technically an interesting thought, the rather low rates being seen in the sector suggest any dilution would be minimal. Rates on line of 2 to 3 per cent for towers of $300 million would constitute little more than a rounding error in our understanding of how brutal some losses would have been for the cyber market last year.
As we know, 2018 has been fairly quiet—for both affirmative and silent cyber. Three quarters are behind us, and there hasn’t been a cyber catastrophe this year. Risk losses have been minimal, but just keep in mind that there’s no such thing as ‘cyber season’, and the holiday shopping season is right around the corner.