31 January 2024 Risk Management

Rethink cyber systemic risk to eliminate barriers to growth

Research suggests that a sizeable share of cyber-related losses is uninsured, so it’s easy to see why discussions are arising around whether state intervention is needed to fill the gaps. Cyber insurance is at a turning point, faced with threats that are bigger and harder to predict than ever before. As these threats become less tangible and more challenging to capture, premiums are soaring and insurers are shying away from entering the market at all, for fear that it is too risky.

Hartmut Mai, Group President of Cyberwrite, will speak at the panel titled “Rethink cyber systemic risk: Approaches to break down obstacles hindering growth and sustainability in the cyber insurance marketplace” at the Cyber Risk & Insurance Innovation Europe event being held in London on February 8, 2024.

With more than 25 years of global insurance leadership experience, Mai served, prior to joining Cyberwrite, as chief underwriting officer, deputy chief executive officer, and board member at Allianz, where he led the launch of the cyber insurance programme in 2013. During his distinguished career, Mai has also held leadership underwriting roles at AIG and led the financial and professional liability programme at Marsh.

The panel will explore the depths of systemic cyber exposure and whether state intervention is needed for cyber insurance. Speakers will discuss greater transparency as a way of attracting more reinsurance and third-party capital, and look at how the industry can establish clear rules of thumb. Best practice is the framework for setting boundaries and a path ahead, and the panel will examine what this looks like in reality. It will also discuss closing the protection gap and reducing systemic loss, while considering the reliability of threat intelligence, vulnerability scans and risk reports in assessing exposure, and how risk modelling may need to adapt.

The role of public-private partnerships, diversification and risk-pooling, and the use of improved data analytics to enhance risk assessment, refine pricing and enable more precise coverage will also be discussed as part of this session.

Ahead of the panel discussion, Mai discussed his thoughts on these important issues. 

What is a systemic cyber event? What might cause one and what would it look like?

A systemic cyber event refers to a significant and widespread incident that affects multiple interconnected systems and/or entities, often on a large scale. These events typically have far-reaching consequences, impacting critical infrastructure, organisations, or even entire networks. 

Depending on the nature of an incident with regard to the number and type of targeted victims and how the breach subsequently affects other entities, cybersecurity failures could give rise to serious and widespread damage and disruption. Impacts can include events that completely disrupt organisations’ ability to carry out their operations, which ultimately may lead to catastrophic losses for society, both physical and financial.

Examples of systemic cyber events could include large-scale data breaches impacting multiple organisations, widespread ransomware attacks targeting critical infrastructure, or coordinated cyber incidents that affect interconnected systems in various sectors like finance, healthcare, or energy.

Is state intervention needed for cyber insurance?

As the industry becomes more reliant on digital technology, especially the centrality of network connectivity—one example being the post-COVID-19 pandemic shift to remote working—the overall costs from a major cyber incident or campaign of attacks continue to grow. 

Estimates of the annual cost of cybercrime range widely from around $1 trillion to as much as $8 trillion. Relative to the global cyber insurance market, which is worth around $12 to $14 billion in premiums, this suggests a sizeable chunk of cyber-related losses are uninsured. The overall implied cyber protection gap is estimated to be bigger than 99 percent of potential losses. Even if the cyber insurance market is fulfilling its growth projections to become a $50 million market by the end of 2030, the impact on the insurance gap seems to be still remote. 

A number of initiatives are needed to address this protection gap, such as increased transparency on cyber insurance risks using artificial intelligence (AI) and machine learning (ML)-powered risk analytics platforms to gain further insight into cyber insurance risks and data; better risk modelling capabilities; enhanced cyber exposure pooling mechanisms to transfer risks into capital markets; standardisation of claims/breach data; and increased cooperation with government agencies to gain better and more reliable insights. 

Ultimately, to address the above-mentioned cyber protection gap, government financing to provide a backstop for extreme re/insurance losses might also be needed. This could encourage and support the re/insurance sector to take on more cyber exposures, knowing that their downside losses are capped.

Would clarity attract more reinsurance and third-party capital, creating a true cyber catastrophe market? Can new technologies improve risk?

Clarity in the insurance industry can attract more reinsurance and third-party capital, particularly in cyber insurance where risks are evolving rapidly. A well-defined and transparent framework helps re/insurers and other capital providers better understand and evaluate the risks they are underwriting, which in turn can stimulate market growth and innovation. 

Some measures to foster this approach would be to leverage data standardisation, regulatory advances, information, data-sharing and collaboration. Among these, one that is more actionable by a single carrier, being fully in its control, would be to leverage innovations in data capture and analytics.

Improved quality data and analytics are enabling a more detailed picture of the underlying cyber risks and postures. So-called “outside-in” data about a company’s externally facing IT infrastructure can be profiled externally and give a potential intruder’s view on a targeted entity. This type of data is often gathered by specialised technology firms with the goal of detecting possible openings for attackers. 

Solutions vendors can combine past breach data with the identified vulnerability assessment and further company data to develop cybersecurity ratings for individual companies. These ratings help re/insurers to screen insureds and assess the overall risk profile of their cyber insurance portfolios. 

Similarly, defensive AI/ML algorithms can help spot and alert users via ongoing monitoring of suspicious behaviour and even highlight ways to prevent intrusions happening in the first place. These new technologies are vital to allow the building of a sustainable cyber risk market. Only if re/insurers further invest and support these new technologies will profitable growth against defined underwriting strategies be possible in a constantly monitored way. 

Probabilistic and deterministic modelling seek to combine forensic data with cyber domain expertise and advanced cyber risk analytics frameworks to build models of extreme cyber events. None of these approaches is perfect yet and may never become so. However, data and understanding about cyber threats and cyber risk quantification are expanding and constantly improving. 

What is best practice for measuring and monitoring accumulation risk and looking toward strategies that will allow for growth while still protecting overall exposure? 

Measuring and monitoring accumulation risk while balancing growth and exposure protection involves a combination of strategic approaches and risk management practices. Some of these have been mentioned, including advanced data analytics and modelling. 

Strictly applied risk limits, a diversification strategy, and controls around these to regularly review and adjust the limits to reflect changing market conditions and the ever-changing risk landscape are also key, as is real-time monitoring of the portfolio written. The re/insurance strategy is vital to mitigate risk accumulation, but it has its challenges considering the accumulation of extreme events in cyber, and there is ongoing discussion about the insurability of these exposures.

Cyber risks will most certainly become more insurable over time if the number of market participants increases, to spread risks over more balance sheets. This will boost the risk-absorbing capacity of the traditional markets. 

The size of potential extreme events in cyber is still very large, so further risk-absorbing capacity needs to be attracted as we currently see in the capital markets. The insurance-linked securities market for cyber is still in its infancy but developing rapidly, as the pool of investible funds is much larger than the total insurance capital base. 

Obstacles such as long-tail claims, immature risk models and limited potential for resale options need to be overcome to satisfy the typical preferences of this market. In addition to these capital-focused approaches, collaboration between the re/insurers, key internet infrastructure and government security agencies needs to increase, as it will inevitably improve cyber risk monitoring, which will allow policy limits to increase.

This may still not be sufficient given the uncertainty surrounding extreme potential accumulated cyber losses. Whether a government backstop is needed to contribute to more efficient risk-sharing in order to absorb outsized uninsured losses if a major event occurs is a current discussion.

Register for your place at the Cyber Risk & Insurance Innovation Europe 2024 conference at America Square Conference Centre in London on February 8, 2024 and discover how to achieve sustainable insurability and sufficient capacity in a volatile market, with 200+ attendees and 50+ expert speakers covering 20+ sessions.