Three of the top 20 cyber insurance providers could face “meaningful to significant gross losses” from a single-event cyber catastrophe, according to an A.M. Best report based on modeling conducted by the ratings agency and Guidewire’s Cyence Risk Analytics.

The big finding: Such an event would produce losses ranging from 15 percent to 119 percent of these companies’ estimated 2022 policyholder surplus.

“For the majority of these companies, even the gross losses do not come close to the natural catastrophe probable maximum loss estimates used for stressing the balance sheet strength of the companies,” Fred Eslami, an associate director at A.M. Best, said in prepared remarks. “However, under these circumstances, a handful of companies could lose a significant amount of surplus, which potentially could create ratings pressure or even trigger a downgrade.”

A.M. Best and Cyence focused for the report on extrapolating and modeling current cyber insurance market trends to 2022. As part of the approach, they created five typical policy profiles, each with certain attributes such as business revenues, specific policy limits, self-insured retentions and attachment points.

To model the potential losses, A.M. Best/Cyence used two scenarios as described in a Lloyd’s 2017 emerging risk report: a cloud service provider interruption and mass vulnerability. With these in mind, A.M. Best applied Guidewire’s Cyence Risk Analytics application to the top 20 carriers’ modeled cyber portfolios in various scenarios to model their gross loss potential.

In the first scenario, numerous cloud-based customer servers fail, leading to widespread service and business interruptions. In the second scenario, a common software application is compromised and exploited on a global scale. In addition to the two event scenarios, an assessment against both events occurring over a 12-month period found that at the 1-in-200 event level, five companies incurred gross losses ranging from 11 percent to 233 percent of their estimated 2022 policyholder surplus.

The report notes that gross losses under the 1-in-50 and 1-in-200 scenarios do not take into consideration ceded reinsurance arrangements to which these companies may be party. But the analysis also does not consider companies’ silent cyber exposure (i.e., when perils are neither specifically included nor excluded), which potentially could be significant.

Stress-testing cyber risks against a company’s balance sheet to confirm that the cyber portfolio does not pose capital stresses and an evaluation of risk mitigation strategies, such as selective underwriting, reinsurance, establishing risk preferences and risk pricing, will be key aspects of A.M. Best’s review of an insurer’s approach to managing cyber risk, the ratings agency said.

The full findings are contained in A.M. Best’s special report, “Cyber Insurance Market: Stress Testing the Future.”

Source: A.M. Best