Insurance rating agency A.M. Best still considers natural catastrophe losses to be the primary threat to the financial strength and credit quality of property/casualty insurers, but cyber-attack risks aren’t far behind, according to a new report.

Cyber attacks “pose a substantial threat to the insurance industry,” A.M. Best analysts said in a new report, titled “A.M. Best’s View on Cybersecurity Issues and Insurance Companies,” citing both the increasing frequency and severity of attacks and the difficulty in measuring the risks.

The report raises particular concerns about potential loss aggregations for insurers who write cyber insurance.

“Just as an earthquake presents risk that can be managed, but not eliminated, cybersecurity risk must be managed for both its existence and aggregate impacts. However, the world of cybersecurity risk has connections and interdependencies unlike those seen in the physical world, making locale almost irrelevant when measuring and managing the aggregation of risk within cyber insurance portfolios,” the report says, at one point citing a $31 billion estimate for a total realistic probable maximum loss for cybersecurity risk globally.

That $31 billion figure is from a report published by the UK government and Marsh, “UK Cyber Security: The Role of Insurance In Managing and Mitigating The Risk,” and is derived as 20 percent of the total standalone cyber indemnity limit sold in 2014 (£100 billion).

“Assuming that the possible maximum loss (PML) follows the range for property risk (up to 20 percent of the total exposure), the insurance industry could face a cyber PML of up to £20 billion,” or $31 billion, the UK report said. “If we consider that the cyber insurance market could treble in the next three to five years, the industry PML for cyber risks could easily exceed the global insurance/reinsurance capacity available for other aggregating events, such as nuclear disaster (£3 billion) or natural catastrophe (£65 billion),” the UK report said.

Taking the discussion back to an individual insurer level, A.M. Best said it is analyzing each rated insurer’s cybersecurity exposure “in an effort to increase awareness” of threats and “to assess the impact on an organization’s financial strength.”

How an insurance company goes about aggregating its exposure to arrive at potential loss estimates is one of two overriding questions that dominate Best’s examination of an insurer’s cyber risk.

The other question: How is the company protecting itself against internal and external cyber threats?

“From A.M. Best’s vantage point, while all financial and non-financial organizations are susceptible to cyber-attacks, insurance companies are particularly exposed, given the nature of their business,” the Best report says, noting that rating agency analysts assess the ability of insurers to fend off or minimize the impact of attacks on their own businesses during the interactive rating process. As part of the process, analysts deliver a questionnaire starting with a simple inquiry about whether the company has ever been the target of a data breach or cyber attack, and including more detailed questions about system investments made to improve resilience.

So far, Best’s probes of insurer levels of preparedness against cyber attacks have uncovered two main findings:

  • Most insurers are inclined to invest large sums of money to improve security on their IT systems and infrastructure.
  • Larger companies tend to buy cyber insurance policies to further manage the risk associated with a cyber attack.

Insurers responding that they have not been attacked or threatened are likely to face more questions from the analysts during face-to-face rating discussions, the report notes, suggesting that a complete absence of attacks is unlikely.

The report also discusses A.M. Best’s process for understanding the risk aggregations of insurers providing cyber coverage, noting that the collection of data from the annual Supplemental Rating Questionnaire (SRQ) and ongoing discussions with company management are both part of the rating agency’s analytical process.

“At the present time, determining whether the information gathered via the SRQ and the pre-meeting questionnaire would impact a company’s ratings depends on the materiality of the types of coverage and limits provided, relative to the capital position of the company,” the report says.

Among the key questions management teams must answer for A.M. Best are these:

  • What are the loss expectations for 2015-2017?
  • Briefly describe the underwriting process.
  • How are premiums and reserves determined?

Among other things, A.M. Best looks for insurers writing cyber coverage to have an appreciation for the “interconnectedness of cyber risk” among insureds that is not necessarily correlated to their physical locations or classes of business.

“An assessment of the correlation of risk based upon service providers and other common vectors of attack, such as common vulnerabilities and systems, should be the basis of catastrophe scenario testing of a carrier’s portfolio,” the report says, noting that such catastrophe scenarios “can be modeled via Monte Carlo methods.”

“These general methods have been utilized in the examination of property and casualty risks for decades; it is now time they be appropriately modified and applied to analyze cyber insurance portfolios,” the report says. Monte Carlo simulations can generate many different states of the world based on the individual risks and risk interactions to examine potential financial impacts on the cyber insurance portfolio and the likelihood of these impacts over the course of a year.
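The kind of Monte Carlo scenario test the report describes can be sketched as follows. This is an added example, not taken from the A.M. Best report: the portfolio, the provider names, and every probability and severity assumption are constructed for illustration. It compares a portfolio whose insureds share service providers with one that has the same per-policy loss probability but no common driver.

```python
import random

# Constructed portfolio: 300 policies, limit 1.0 (e.g. $1M) each, spread
# evenly over three hypothetical shared service providers.
PORTFOLIO = [{"limit": 1.0, "provider": f"provider-{i % 3}"} for i in range(300)]

def simulate_annual_losses(portfolio, p_provider_event, p_hit_given_event,
                           p_idiosyncratic, trials=5000, seed=1):
    """Return a sorted list of simulated aggregate annual losses."""
    rng = random.Random(seed)
    providers = sorted({p["provider"] for p in portfolio})
    losses = []
    for _ in range(trials):
        # One draw per provider decides whether it suffers a systemic event
        # this year; every insured relying on it shares that draw.
        down = {name: rng.random() < p_provider_event for name in providers}
        total = 0.0
        for policy in portfolio:
            hit = rng.random() < p_idiosyncratic or (
                down[policy["provider"]] and rng.random() < p_hit_given_event)
            if hit:
                # Severity: assumed uniform between 20% and 100% of the limit.
                total += policy["limit"] * rng.uniform(0.2, 1.0)
        losses.append(total)
    return sorted(losses)

def percentile(sorted_losses, q):
    """Empirical q-quantile (0 < q < 1) of an already sorted sample."""
    return sorted_losses[min(len(sorted_losses) - 1, int(q * len(sorted_losses)))]

def compare_models():
    # Correlated: 2% yearly chance per provider event, 50% of its customers hit.
    correlated = simulate_annual_losses(PORTFOLIO, 0.02, 0.5, 0.01)
    # Independent: same per-policy loss probability (0.0199), no shared driver.
    independent = simulate_annual_losses(PORTFOLIO, 0.0, 0.0, 0.0199)
    return {
        "mean_correlated": sum(correlated) / len(correlated),
        "mean_independent": sum(independent) / len(independent),
        "pml_correlated": percentile(correlated, 0.995),
        "pml_independent": percentile(independent, 0.995),
    }

if __name__ == "__main__":
    for name, value in compare_models().items():
        print(f"{name}: {value:.2f}")
```

Both models produce nearly the same expected annual loss, but the 1-in-200-year loss is several times larger when insureds depend on common providers, which is the aggregation effect that location-based accumulation controls do not capture.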

Earlier in the report, A.M. Best also offers some suggestions related to underwriting and reserve setting.

“Devising single-risk limits with regard to policyholders’ shared service providers, common vectors of attack, and other correlational factors, could prevent massive losses that may occur as a result of a single event, simultaneously causing losses at many organizations,” the report says.

On the reserving front, the report points to the lack of data and actuarial information available and suggests that “the establishment of contingency reserves for cyber losses would demonstrate prudent risk management, as well as a conservative approach relative to this emerging risk.” In addition, the presence of contingency reserves “would be a positive factor in terms of the rating analysis,” the report says.