Cyber-related incidents have become a recurring theme, and not only in business news, from breaches involving millions of customers' private data to system glitches resulting in the grounding of entire airline fleets.
More and more, businesses are expected to recover from such incidents promptly and effectively. Investors are increasingly scrutinising the contingency plans in place. And, for their part, consumers in many jurisdictions are becoming keenly aware of the new rights they've acquired under privacy-related legislation. My view is that, in 2019, it will be highly unlikely not to find any mention of cyber security in a Fortune 500 company's annual report.
Cyber incidents were previously the sole concern of large corporations, but Verizon has estimated that 43% of breach victims in 2018 were small companies, a segment where awareness is still catching up with larger businesses.
This trend has triggered the creation of a dedicated set of insurance products. Today, I put the global Cyber insurance premium at around USD 4.5 billion, twice the size it was in 2016.
A fast-evolving product
Cyber business has settled around a set of key coverage components, such as privacy liability, extortion, business interruption, data restoration & remediation costs. These factors have been reflected in meaningful claims experience, which has enabled the insurance industry to refine its approach over time.
With ransomware attacks on the rise, specialist cyber security firms that typically handle the consequences of such attacks can help us better understand their anatomy and lifecycle. In turn, these insights can help the insurance industry put businesses back in action more quickly and efficiently.
In addition, innovative 'outside in' risk assessment techniques can prove a powerful tool to identify vulnerabilities, especially when combined with the insights derived from claims data.
Beyond the core tenets of the product, I'm still seeing great strides being made towards a broadening of coverage. On the one hand, the dynamism of the marketplace benefits buyers, who get better value for money. On the other hand, cyber insurance policies are evolving at such a pace that new coverages remain untested from a claims standpoint. For example, coverage for contingent business interruption in a world where supply chains are growing in complexity could lead to large claims clusters, the magnitude of which is difficult to fathom. In the event of a notPetya-like ransomware attack, widespread inclusion of non-IT suppliers in contingent business interruption covers could lead to a spiralling claims adjusting nightmare.
I believe we also need to look at cyber exposures in traditional policies, so-called 'silent cyber' covers. For example, property policies would often grant some level of IT-related business interruption cover, whilst professional indemnity policies would indemnify against privacy liability losses arising from a data breach.
Crucially, property and professional indemnity policies very rarely provide adequate cover or essential post-breach remediation services, which are a staple of dedicated cyber insurance policies.
It's up to the insurance industry to bring clarity to what is covered and where. An expectation gap between consumers and insurers would hinder trust and undermine the perceived value of insurance. It's only 'purpose-built' cyber insurance policies that can respond to the various facets of the risk, help bridge that gap and lay the foundations of a sustainable cyber market. In my view, this needs to be the clear message.
The role of reinsurance
Reinsurance has had an essential role to play in this growth story. At the close of the 1/1/2019 reinsurance renewal season, my colleagues and I estimated that nearly 40% of the global Cyber insurance premium flowed to reinsurers. In comparison, in more mature lines of business such as property or liability, cession rates (share of the premium ceded to reinsurers) usually remain between 10 and 15%.
Overwhelmingly, insurance carriers reinsure their business through standalone cyber treaties, highlighting the evolution of cyber as a distinct line of business.
The vast majority of insurers buy some proportional cover, usually quota shares.
Quota share treaties provide a useful tool to alleviate capital requirements, and at the same time help fund, by means of overriding commissions, the investment required in setting up sustainable cyber insurance capabilities. Those capabilities cannot be built without the help of underwriting and broking talent, which is currently in short supply and has led to a buoyant job market for cyber experts.
Whilst proportional covers are still the norm, I've noticed that the majority of insurers buy non-proportional reinsurance. Specifically, there's been an increasing demand for aggregate excess of loss treaties in the last year. The aim of such covers is to protect insurers' balance sheets by ceding catastrophe risk to reinsurers, with attachment points ranging between 90% and 200% loss ratios. Beyond affirmative cyber, clients are now also seeking protection against silent cyber exposures across their entire P&C portfolio.
Swiss Re estimates that the total reinsurance capacity deployed for such structures currently stands at around USD 1.5 billion. Even though the amount may seem modest in comparison to property catastrophe reinsurance, this represents a 100% increase compared to last year.
This fact highlights the concern within insurance companies' boardrooms around the accumulation potential of a risk that seems limitless. Attacks such as WannaCry and notPetya were wake-up calls, with the larger of the two, notPetya, thought by the U.S. government to have caused $10 billion in economic losses, only a third of which were insured.
Recent large losses such as the Marriott data breach have highlighted a growing unease with very large risks, with carriers being more hesitant to deploy high limits on a single policy.
Yet, the current supply of capacity has been sufficient to meet a steady increase in demand for the product. Several towers have breached the USD 500m mark, a formidable feat considering the relative size of the market.
On the other hand, several sets of circumstances could lead to a shortage of capacity in the medium to long term. This is all the more true given that cyber insurance is a concentrated market, with the top 10 carriers of cyber risk (insurance and reinsurance combined) writing half of the global premium.
A cyber attack on a global scale could lead to a capital depletion event that would prevent the industry from responding effectively to an all-but-certain rise in demand post-loss. There is a role for alternative risk transfer in this context, particularly in regard to insurance-linked securities. However, the complexity of the underlying product and the lack of relevant experience compared to data-rich risk pools such as nat cat could prove unattractive for alternative capital providers.
Making an increasingly digital society more resilient
At Swiss Re we strive to work with our cedents to mitigate cyber risks and close the cyber protection gap with sustainable covers.
We aim to support our clients' cyber growth ambitions through reinsurance capacity, with both proportional and non-proportional treaty, as well as facultative reinsurance.
As the risk landscape evolves from the brick and mortar towards the digital world, we endeavour to help our cedents build their own sustainable cyber capabilities. Our dedicated cyber solutions encompass products for SMEs and individuals, state-of-the-art risk analytics and accumulation management tools.