Reinsurers are aware they must constantly invent new solutions in order to stay relevant for their clients. Yet, they admit they are sometimes challenged to close the protection gap for new and emerging risks such as cyber.
Cyber is actually an emerged risk because insurers and reinsurers started underwriting policies more than 20 years ago, but it still represents only a fraction of global property and casualty premiums. Nevertheless, the growth prospects for the sector are massive as the awareness of cyber risk rises.
Underwriters just need to proceed with caution, agreed reinsurers and rating agencies attending last month’s Rendez-Vous de Septembre (RVS).
Robert DeRose, senior director at AM Best, commented on the growth opportunities that do exist in the cyber market. “I think that the majority of the players are being quite cautious and are approaching that possibility in a judicious manner,” he said during a market briefing at the RVS. But, he noted, there are others who are writing the business for the purposes of gaining market share.
“The modeling in this area is still very, very primitive and…who knows when there’s going to be an event. But if there were an event of a material size, those who were not approaching [the risk] with some degree of caution could be burned quite badly.”
“This is actually an emerged risk where the needs of the clients really outpace the supply,” said Jean-Paul Conoscente, CEO of SCOR Global P&C, during a press conference at the RVS.
He said SCOR’s risk appetite remains cautious for two reasons. First, the company’s risk assessment capabilities are still maturing, which makes it difficult to assess accumulations. Second, he added, non-affirmative, or silent cyber, is “still very present and hard to quantify.”
“As a result, we prefer to be more cautious until that problem is solved.” Silent cyber is a big issue that the industry is trying to tackle, he confirmed.
Aon defines silent cyber as the unknown exposure in an insurer’s portfolio created by a cyber peril that has not been explicitly excluded. “Any policy that has no explicit exclusion for cyber incidents could be exposed, including products such as business interruption, marine, aviation or transport,” said a report published by S&P Global Ratings titled “Global Reinsurance Highlights 2019.”
The potential for accumulation should be a major concern for insurers and reinsurers, said Edouard Schmid, chairman of Swiss Re Institute and group chief underwriting offer, in an interview.
“Even more than a natural catastrophe, it’s a risk that has the potential to accumulate,” he said. “A big cloud outage could affect many, many policies at the same time, which wouldn’t be limited in a geographic scope like a typhoon or an earthquake.”
That’s why accumulation identification and management are key for insurers and reinsurers “so they know what they’re actually exposed to and can deploy their capacity in a managed way.”
In January 2018, Lloyd’s published a report analyzing the financial impact of an extreme cyber incident involving a major cloud provider that was forced offline in the U.S. for three to six says. Lloyd’s said it would result in economic losses of $15 billion with up to $3 billion in insured losses.
Addressing the complexity of the underlying risk, Torsten Jeworrek, Member of the Board of Management for Munich Re, acknowledged that cyber is “tricky” and challenging to model and has little historical claims data.
However, as cyber security risks in a global economy are of rising importance, new approaches to risk need to be developed by the insurance industry to stay relevant to clients, he commented during a press briefing at the RVS.
But how is it possible to overcome the intrinsic uncertainty of underwriting cyber risk when cyber modeling is in its infancy? Jeworrek explained that the tried-and-tested approach of the insurance industry is to build a small portfolio, collect data over many years and then use the data to estimate future risk exposure, which was done for earthquake, wind and flood risks.
He said this is to some extent also possible for cyber. “If you have the big portfolio of sufficiently independent risks, then the data from these risks tell you something about the exposure and performance.”
However, analyzing data is only part of the solution, which is why Munich Re takes an integrated approach in order to understand and assess the risks of ever-changing technologies, he said. In addition to developing data and datasets independently, it is also part of a network of technology companies, such as Microsoft, Cisco and mobility providers. This helps Munich Re understand what technology these companies are beginning to implement and what that could mean for a new cyber accumulation risk.
Munich Re also participates in an “ecosystem of security services,” has access to a “good hacker” community, and tries to learn from their perspective by gathering information on hackers and their expected methods, Jeworrek explained.
“We try to understand how the technology of our environment is changing and translate that into prevention services and also into insurance products,” he said.
“That is a more comprehensive approach than just offering [a policy] because at the end of the day we share the same interest—our customers and us. We all want to avoid and prevent hacker attacks,” he continued.
Jeworrek emphasized that Munich Re’s approach to cyber is not just to sell cyber insurance or reinsurance policies. “We offer a comprehensive package: advice for prevention, modeling services and risk management services to understand cyber accumulations…”
Jeworrek said Munich Re’s current cyber exposures are comparable to a medium-sized natural catastrophe event, which would mean a low single billion U.S. dollar exposure in the case of a very severe event, although the company has not yet seen a cyber loss in the region of three digit million U.S. dollars.
He noted that customers are increasingly at risk as new technologies come into the market like the new 5G standard, which will lead to increased connectivity in the world.
At the same time, regulators and shareholders want to know that a company is protected against cyber risks, he indicated. “The possible fines are much higher than in the past.” If a company isn’t seen to do the utmost to guard against cyber risks, then management runs a higher risk in the future to be sued by shareholders, he continued.
Munich Re still strategically focuses much of its cyber capacity on small and medium-sized enterprises (SMEs), which provides the company with diversification. “And they are the customers who need us most,” he noted.
Reinsurers at the Rendez-Vous de Septembre affirmed that the growth potential in the cyber market is immense.
The industry is moving to cover cyber affirmatively and reduce the amount of silent cyber, which is “almost given away for free…,” said Schmid. He acknowledged that the trend toward affirmative cover is helping to drive the growth of the cyber premium, he said.
From about $5 billion market today, over the next three to four years premiums are expected to grow to $14 billion, he indicated.
During a press conference held by Swiss Re at the RVS, Moses Ojeisekhoba, chief executive officer of Reinsurance, agreed with Schmid by saying the $14 billion figure is not necessarily all new risk “because some of it is conversion of silent cyber to affirmative, but clearly the exposure is growing.” (Swiss Re does not disclose its cyber re/insurance premium level).
Major market players, such as AIG, Allianz and Lloyd’s, have taken action to affirmatively cover or exclude physical and non-physical cyber exposures, which also is adding to the sector’s momentum.
Sven Althoff, member of the Executive Board responsible for Property & Casualty Reinsurance at Hannover Re, during a press conference at the RVS discussed his company’s experience with cyber growth. “We see more demand outside of North America now, which is pleasing from a diversification point of view,” he said.
“We also see more demand from the smaller businesses, the SME businesses, rather than only the big target risks. We will continue to grow in the class. I would say affirmative cyber is now an established class of business.” (Hannover Re does not release its cyber premium figures for strategic reasons).
SCOR wrote about €50 million euros ($55.2 million) in affirmative cyber premium in 2019—50 percent was specialty insurance and 50 percent was treaty reinsurance, said Conoscente at SCOR, noting that the company’s cyber book has been very profitable. (SCOR’s cyber figures for 2018 were not made available by the company.)
Jeworrek said cyber insurance is still a small segment of global insurance premiums, but the number of high-profile attacks means that clients are becoming more aware of the need for coverage. He cited the WannaCry and NotPetya attacks in 2017, the Marriott data breach in 2018 (when the personal data of 500 million guests were stolen), and the recent distributed denial of service attack against Wikipedia.
“We still expect to see exponential growth of let’s say in the realm of 25 percent to 30 percent every year,” Jeworrek said. (As of October 2019, Munich Re’s internal estimates placed global cyber premiums at around $5 billion at the end of 2018 compared with $4 billion in 2017. )
Munich Re’s cyber insurance and reinsurance premium grew to $473 million in 2018 from $354 million in 2017.
Regulator actions are also pushing the affirmative cyber market forward. In January 2019, the U.K.’s Prudential Regulation Authority said it expected U.K. insurers to have action plans to reduce their silent cyber exposure. That was followed in July by a Lloyd’s market bulletin announcing that “Lloyd’s is mandating that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.”
S&P said the market is still in its infancy, blaming “the lack of global standards, including a homogenous definition of cyber events, liberal exclusions and relatively low sums at risk offered by re/insurers…”
With a combined ratio of about 70 in 2015-2017, the cyber market has been profitable, said the S&P report, citing Aon statistics. (S&P’s comments on the cyber industry are contained in an article in its “Global Reinsurance Highlights” report, titled “Global Reinsurers Face The Iceberg Threat Of Cyber Risk,” authored by Johannes Bender, Manuel Adam, Robert J. Greensted, Jean Paul Huby Klein, Milan Kakkad and Tracy Dolin.)
Global economic losses caused by cyber crime were about $600 billion in 2017, up from about $100 billion in 2014, said S&P, quoting the Center for Strategic and International Studies. “At the same time, global affirmative cyber premiums remain low at about $5 billion in 2018, which indicates a large protection gap.”
In comparison, economic losses from natural catastrophes in 2018 were approximately $155 billion compared to insured losses of around $76 billion, said S&P, citing Swiss Re statistics.
“The Center for Strategic and International Studies says cyber crime resulted in global economic losses of about $600 billion in 2017, up from about $100 billion in 2014,” according to the S&P report.
A large protection gap means there are big growth possibilities for insurers and reinsurers—but they surely must proceed with caution.