Cyber insurance is a market with enormous growth potential – but one that also has the potential to become a costly, worldwide event in a matter of seconds. Unlike natural catastrophes, cyber isn’t limited to geographic regions.
Executive SummaryInsurers realize that cyber insurance can be both lucrative and disastrous because of its unique risks and opportunities. The topic was a big one at September’s Rendez-Vous de Septembre (RVS) in Monte Carlo, where Carrier Management gathered market perspectives from Hannover Re, Munich Re, SCOR and Swiss Re.
It’s a risk that reinsurers are working hard to master, aiming to control the dangers of global accumulation, while providing their insurer clients with the coverage they seek. They aim to stay relevant with their customers who are demanding cyber protection.
As in any market, reinsurers are approaching the risk in their own unique ways. During last month’s reinsurance Rendez-Vous de Septembre (RVS) in Monte Carlo, Carrier Management gathered comments from Hannover Re, Munich Re, SCOR and Swiss Re on their views of the cyber market.
SCOR executives expressed the most doubts about the insurability of cyber. “Cyber risk is certainly a challenge to the market. We are extremely cautious about underwriting cyber,” said Victor Peignet, CEO of SCOR Global P&C.
While SCOR has a team totally dedicated to cyber, “we feel today that we are not mastering the topic at a level that we can really underwrite at a big scale,” he added.
Nevertheless, SCOR is in the market and is working with a select group of clients to try to better understand the risk, “but we are really challenged with accumulation control of the insurance scenarios,” he said during a SCOR press conference at the RVS.
“To me, it remains a real question of whether this is insurable at all,” he emphasized.
During an RVS panel discussion on trends in the market, SCOR CEO Denis Kessler cited “a worldwide cyber collapse” as the only event that could bring market-wide price increases similar to what happened after Hurricane Andrew in 1992 or the World Trade Center terrorist attacks in 2001. He explained that the industry doesn’t know how to measure such a large and unexpected loss.
The other reinsurers also highlighted the challenges of getting to grips with the risk of cyber accumulation, but seemed more open to embracing the risk.
“Cyber is a risk which can spread across our globe, and that is different in the nature, compared to what we knew before, as an industry,” said Torsten Jeworrek, chairman of Munich Re’s board of management and chairman of the reinsurance committee during a press conference..
The industry is in the process of learning how to deal with cyber risk and to find ways to underwrite responsibly, he said.
“By nature, the worst cyber events are global events, so we can’t count on the geographical diversification of our business, said Stefan Golling, head of Corporate Underwriting at Munich Re. “But we can look for other ways of how we can diversify or how we can limit at least certain events in cyber insurance.” He cited examples such as technology, or the type of insurance provided because not everybody is likely to face a cyber attack for the same reason.
The insurance industry needs to take action to mitigate this exposure and make the exposure transparent, to turn so-called “silent cyber coverage” into affirmative coverage, Golling continued. Only then, can the industry adequately assess the risk, price for it, limit it, and then include it accumulation models. (Silent cyber exposure can exist in some insurance policies if cyber-related risks are not specifically included or excluded.)
He said often policy language is either completely silent on cyber or the exclusion or inclusion of cyber is worded inadequately, is unclear or ambiguous.
Ulrich Wallin, chairman of the executive board of Hannover Re, acknowledged that cyber is a class that has its challenges because the exposure is constantly changing and there is an accumulation exposure that is difficult to quantify.
“You’re not easily able to escape all cyber exposures because you have the silent cyber anyhow where you get claims under traditional property and liability policies from cyber attacks,” he said, explaining that accumulation also is generated from specific, or affirmative, cyber policies.
On the other hand, he continued, the development of specific cyber policies is positive because it helps reinsurers actively evaluate the exposure on specific policies.
While there is uncertainty on the expected losses and the exposure for cyber, Hannover Re feels this is exactly the class of business that reinsurers are there for – to support clients to be able to offer these products to their insureds, Wallin emphasized during a press briefing.
There is clearly a market for these products because clients want to sell cyber coverage and insureds want to buy it, Wallin continued.
“That of course leaves the question: is this an exposure that we as a reinsurer can carry on our books, or is it too much of an unknown that we are writing?” he questioned.
Wallin described cyber as a diversifying peril, along with other major exposures like catatstrophe risk and market risk. “So from our point of view, we have a defined risk appetite for cyber, which of course is significantly less than our risk appetite for cat.”
“We feel that we can write that business on the basis of the diversification of our global portfolio and therefore look at it in a somewhat different way to some of our competitors and similar to others of our competitors – but that makes a market.”
“The insurance industry needs to work hard to find ways to help mitigate this risk,” said Swiss Re’s Group Chief Underwriting Officer, Edouard Schmid. “Obviously, cyber risk is a more challenging risk than a nat cat risk,” but there are ways to put your arms around the risk, which will get easier with time.
He pointed to the fact that Swiss Re’s sigma research publication wrote 50 years ago that flood may not be insurable. “But today, we have the means, the tools, the risk assessment, the technology to insure flood.”
Nevertheless, digital risk will continue to have its challenges because it’s a very fast-developing risk with new vulnerabilities and new connectivities, he said during an interview at the Rendez-Vous. “You just need to update your risk much more frequently than you would have to do for more stable types of risk.”
Schmid noted that he prefers to say “digital risk” rather than “cyber risk,” which doesn’t describe the risk issues comprehensively enough.
Swiss Re engages with insurance company clients around the world to help them develop sustainable solutions and to find ways to help mitigate the digital risk for original consumers, particularly in the small and medium sized enterprise and in the personal lines space, where there are huge gaps that need to be covered, he said.
“We make significant capacity available and we also continue to invest to understand the risk even better and to keep our accumulation under control,” Schmid went on to say.
“We run scenarios so we really have a good measure of what it will cost us if a big scenario materializes – a big malware attack affecting many thousands of computer systems or a major cloud provider [going] out of order.”
Jeworrek at Munich Re said he was convinced that the industry, and Munich Re, as a market leader, cannot ignore cyber. “How do we make sure that as an industry we remain relevant? Here is a chance for that. Cyber is a chance to remain relevant. It affects all industries: small companies, big companies, banking industry, production industry, chemical industry, coal industry, all have to deal with this issue.”
“If we shy away from this risk, if we shy away from the challenges of cyber, we risk that the insurance industry becomes irrelevant,” said Golling at Munich Re. “Because the cyber risk is here, and will stay and will grow.”
“It is very clear that the world economies and businesses are becoming much more digitized, so the exposure to cyber attacks or other things going wrong with IT systems, is becoming a much more important factor and the insurance industry needs to work hard to find ways to help mitigate this risk,” agreed Schmid at Swiss Re.
The reality is that the insurance and reinsurance industry cannot ignore cyber risk because it set for massive premium growth.
Golling said the cyber insurance market is expected to grow today from $4 billion in premiums to $8-$9 billion by 2020 and to approximately $20 billion by 2025. At the same time, he said, the Center for Strategic and International Studies in partnership with McAfee currently estimates that the economic losses from cyber crime in 2018 sum up to about $600 billion, which shows a significant insurance protection gap.
If you compare the current global cyber insurance premium of $4 billion, and if you assume a conservative loss ratio of 75 percent, then only $3 billion of the overall economic losses are currently insured under affirmative cyber coverages, Golling noted.
Further, he said, the revenue from the global cyber security market, currently at $150 billion, is expected to grow to $240 billion by 2022.
Experts in the cyber security market agree that, even with the best investments in cyber security and preventative measures, the risk will never be completely mitigated. “There will always be residual risk, that at the end that should be protected by insurance.”
Golling said Munich Re is already well positioned in the cyber insurance market, having grown its business from about $100 million in cyber premium about five years ago to more than $400 million in 2018.
Munich Re’s current focus is on providing cyber solutions for the small-and-medium-sized enterprise clients and those in the midmarket, which Golling said comprises about 90 percent of its current cyber insurance business.
He cited various reasons for this strategy. First of all, research shows that the larger a company is, the more attractive a target it is for a cyber attack.
“On the other hand, of course, larger companies are generally also better prepared to respond to such a cyber attack. They have their own IT department, they have their own cyber security expertise, they have a bigger budget to spend on preventative measures….”
While larger companies are more likely to be targeted, the financial impact of actual cyber events for smaller companies is disproportionately higher, he affirmed. “So the financial impact for smaller companies is much bigger, and therefore, the value of insurance should be much higher.”
He noted that the on smaller risk is not only a reaction to the market needs, it also helps Munich Re learn from failures.
“Providing smaller limits to many small companies is, of course, easier to digest than providing hundreds of millions of capacity to very few single, large risks.”
And another reason this segment of the market is of particular interest is the company can provide cyber insurance solutions, risk transfer solutions, while bundling those solutions with services.
Golling explained that Munich Re has teamed up with about 25 cyber security specialist companies to help customers preventative measures and post-loss response services.
“We try to assess the cyber risk with inside-out methods, with outside-in methods, and we try to come up with recommendations to our end customers how to improve their cyber readiness,” he continued. When an insurance policy is sold, Munich Re offers a 24/7 hotline consulting service in order to help our clients to react after an event.