Cyber attacks have reached a point where they could rack up billions of dollars in economic and insured losses, rivaling damage created by hurricanes. This milestone means insurers must start rethinking how they cover cyber risks and possibly place them on par with natural catastrophes, Lloyd’s and Cyence assert in a new report.

“Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs,” Lloyd’s CEO Inga Beale said in prepared remarks. “Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”

Lloyd’s, the global specialist insurance market, and Cyence, a cyber risks analytics modeling firm, determined that cyber attacks in their current capacity can hurt in significant ways. One of their major findings argues that a malicious hack that disables a cloud services provider could lead to as much as $53.1 billion in economic losses due to the widespread reach of such an attack. Another potential risk, an attack on computer operating systems run by large numbers of global businesses (mass software vulnerability scenario), could leave $28.7 billion in economic losses, the report concluded.

For the Purpose of Underwriting, Cyber Attack Equals Hurricane?

As the report’s promotional materials note, those numbers are somewhat higher than damages caused by Superstorm Sandy, a colossal tropical cyclone that struck New Jersey and New England in fall 2012. Lloyd’s/Cyence cited economic losses from that storm and its aftermath of between $50 billion and $70 billion.

Beyond economic losses, the report concluded that cyber attacks could trigger billions of dollars of insured losses. With the cloud services attack scenario, for example, the report estimates a range of insured losses between $620 million for a large loss to $8.1 billion for an extreme loss scenario. If there was a cyber strike that hit a wide range of business software systems used globally, insured loss estimates could range from $672 million to $2.1 billion.

Other major findings in the report:

  • There is an insurance gap of between $4 billion for a large loss and $45 billion for an extreme loss in terms of the cloud services cyber-attack scenario, which means between just 13 percent and 17 percent of the losses, respectively, are covered.
  • There is also a big underinsurance gap. Lloyd’s/Cyence estimates that this ranges between $8.9 billion for a large loss, and $26.6 billion for an extreme loss assuming there is a massive attack on businesses’ computer operating systems. In other words, just 7 percent of economic losses are covered.
  • When current estimated market premiums are assessed against the predicted cyber scenario insurance loss estimates in the report, the results are sobering. Lloyd’s/Cyence said a single cyber event, based on those numbers, could boost industry loss ratios by 19 percent for large loss events, and 250 percent for extreme loss events.

With all of these numbers in mind, Lloyd’s and Cyence are urging the P/C insurance industry to keep up with cyber risks and their fast evolution, even as the demand for cyber insurance continues to grow. The global cyber market is worth between $3 billion and $2.5 billion now, though that number could climb to $7.5 billion by 2020, according to industry data cited in the report.

“Insurers’ understanding of cyber liability and risk aggregation is an evolving process as their experience of cyber attacks increases,” the report notes. “It is therefore important that risk understanding, including technical premium calculations and capital models, keeps pace with the changing cyber risk knowledge base.”

As well, the report encourages insurers to think about cyber cover more like they do for major hurricanes.

“Insurers could benefit from thinking about cover in these terms and make explicit allowance for aggregating cyber-related catastrophes,” the report concludes. “To achieve this, data collection and quality is important, as cyber risks are constantly changing.”

Lloyd’s and Cyence jointly developed the report, using experts in cyber security, economic risk modeling and cyber insurance. To generate scenarios and produce loss estimates, Cyence used a structured, seven-stage research process that included reviews of widely adopted technologies used across industries as well as other non-technical factors; data collection and processing for the exposures; analysis of the exposure accumulation paths and a selection of scenarios, frequency and severity models. The study also included a discussion and review with insurance and cyber security experts, and finally loss calculations and final review.

The full study is called: “Counting the cost: Cyber exposure decoded.”

Source: Lloyd’s, Cyence