Sleepwalking into unexpected cyber loss
Reinsurers and large insurers are at risk of being hit by unexpectedly large losses stemming from a large cyber attack on a par with substantial hurricane losses in the US—because they do not understand their aggregations to this exposure.
That is the view of Ryan Jones, founder and CEO of ThreatInformer, which helps insurers and reinsurers understand their risk aggregations to cyber risk.
He stressed that when many insurers and reinsurers first started taking on cyber exposures the risks were often small in comparison to their overall portfolios. That has changed, however, largely because of aggregation risk.
“Suddenly, some of them potentially have very large exposures but, unlike with hurricane risk, they are in the dark in terms of exactly how big the risks are and where they sit in their portfolio,” Jones said.
Jones has more than 10 years of experience within cybersecurity, building specialist forensic teams and helping financial organisations respond to sophisticated cyber attacks. Before founding ThreatInformer, he spent two years consulting into multiple cyber underwriters, helping develop their products and supporting operations.
Counting the cost: Cyber exposure decoded, a Lloyd’s report co-written with risk-modelling firm Cyence, suggested that aggregations related to a serious cyber attack could cost the global economy more than $120 billion—as much as catastrophic natural disasters such as Hurricane Katrina and Superstorm Sandy.
The July report examined potential economic losses from the hypothetical hacking of a cloud service provider and cyber attacks on computer operating systems run by businesses worldwide. It acknowledged that insurers are struggling to estimate their potential exposure to cyber-related losses amid mounting cyber risks and interest in cyber insurance. A lack of historical data on which insurers can base assumptions is a key challenge.
Jones explained that the market has moved on since re/insurers first started taking on this risk in small amounts to the point that cyber represents a very real threat to the industry—but one the true magnitude of which is hard to grasp.
“Re/insurance by definition has unknowns but these are clearly greater with cyber risks. A lot of companies started with a very small portfolio but now cyber risk has grown to the point it is material to their balance sheets.
“That means it is more important than ever for them to get a handle on their real exposures, but some companies remain in the dark,” he said.
ThreatInformer examines cyber risk by analysing each risk separately and combining the analysis to show risk aggregation.
“We can discuss the types of incidents that may lead to cumulative risk issues. We have examples of how single incidents have effects across a portfolio and can show how we help reinsurers assess cedants’ portfolios. Our focus is primarily on treaty reinsurance,” Jones said.
The areas the startup examines when assessing cyber exposure include an analysis of the service providers used by the end buyer of policies, the versions of the software they use, their physical location and the industry they operate in.
This information can be mined largely from online information and the original policy forms used by insurers to underwrite the risk.
“Our approach is an automated external assessment using things such as domain names and internet assets that gives us the information we need to establish aggregation risk,” Jones said. “We can build up a good picture from that.”
The information gained in the process of assessing the aggregation of cyber risk can also be used in reverse to help re/insurers make better underwriting decisions and build a portfolio that is more balanced and better understood, he concluded.
Get the latest re/insurance news sent to your inbox every day - Sign up to our free email newsletters
More players are drawn to mortgage reinsurance by its growth, innovation, returns
Casualty remains tough but pockets of opportunity will emerge
Rates will now increase as reinsurers refill their depleted cat reserves
Keep your discipline when innovating
PCI looks to boost awareness of rises in auto fatality rates
HIM losses an earnings event for reinsurers
Divergence in risk helps prove role of data
AM Best questions insurers’ data modelling ability on cyber
Hurricane Nate will not generate material losses, says RMS
The fear factor will determine rate hikes
Cat losses prove uncertain nature of industry
Regulators need education on big data
Flood modelling is challenging but vital
