Systemic cyber risk is being discussed as a growing concern for insurers as technology advances and interconnectivity increases, but how is this risk defined? That may be one of its gray areas.

“As you go through different owners of risk in the ecosystem, the word systemic means a lot of different things,” said Matt Prevost, chief underwriting officer for cyber at Chubb. “So, in the ecosystem of cyber insurance, whether it be reinsurers, ILS (insurance-linked securities), all the way down to the primary market talking about this, there’s a tendency to be almost philosophical at this stage.”

Prevost was speaking on a panel about systemic risk at the Property Liability Underwriting Society’s 2024 Cyber Symposium held in New York City.

Part of the challenge is that systemic risk is typically situational, said Mark Camillo, CEO at CyberAcuView, an industry consortium of cyber insurers.

“I think the part that I find challenging when we define systemic risk is we talk about vulnerabilities, and those vulnerabilities might be in lots of people’s environments,” he said. “Really, it is situationally dependent. I think that some vulnerabilities, depending on how they exploit the different layers of defense and different organizations’ environments, could create the systemic risk. But it doesn’t always create systemic risk. I think that’s part of the challenge that cyber writers have.”

“It just really is a single event that impacts more than one company. It’s different things to different people.”

Mark Camillo, CEO, CyberAcuView

Dani Tobler, head of Cyber at Swiss Re, said his team is talking about systemic risk from a reinsurance perspective as losses that affect several clients across geographies either within one class of business or beyond classes of business.

“If we get into the space across classes of business, we’re approaching the part which is uninsurable, so war would be a typical example,” he said.

Because of its situational nature, Camillo said one solution to some of the confusion is to move away from calling it systemic risk altogether.

“It just really is a single event that impacts more than one company,” he said. “It’s different things to different people.”

A lack of clarity right now isn’t necessarily a bad thing, however. Camillo said conversations around how the risk is defined mean large, established players with a global footprint in the industry are now gaining a more complete view of the risk, which can help them understand how to solve for it.

“Instead of having these philosophical ‘What is systemic risk?’ conversations, insurers are actually getting into the weeds and either agreeing or disagreeing on what their view of the risk is—whether it be reinsurance, whether it be an ILS market, whether a private insurer—but also the policyholders are actually starting to understand what we’re focused on,” he said. “Those conversations help us. So, I think broadly talking about this helps us underwrite even the attritional risks better…It just kind of keeps informing the underwriting.”

As underwriters are reaching a better level of assessment and awareness around attritional risk, they’re thinking about how to price and engage their risk appetite for systemic as well, said Erica Davis, global co-head of Cyber at Guy Carpenter and moderator of the panel.

“I think these solutions for systemic critical levels require new concepts and approaches and different language of discussion.” Dani Tobler, head of cyber, Swiss Re

“So, all of these different parts are sort of working together, and I can definitely say from a Guy Carpenter perspective, we did see the trends that Dani (Tobler) spoke to about starting to really shape and design reinsurance around the more systemic future,” she said.

As insurers explore this risk, different definitions are emerging—some that are peril-based and others that offer broader language, as well as structures to segment out attritional versus systemic losses, Tobler said.

“But again, these are all good developments,” he said. “The market, I think, is developing an understanding of what those nuances are.”

As the market evolves, Tobler said insurers will need to continue examining creative approaches to challenges regarding widespread cyber risk. This may mean living through a gray area for a while until the market can reach a point of more clarity.

“I do think that the fact that we’re talking about this, the fact that there are certain platforms to work on some of these issues, is definitely a positive development so we can tackle some of these longer-term challenges,” he said. “I think these solutions for systemic require new concepts and approaches and still a lot more discussion. That’s really important. I think to get there, we need to go through this phase of many ideas, many proposals, and some will prevail in the end.”