Single coordinated cyberattack could cause $40bn insured losses

Asian risk and insurance managers need to prepare for some challenging converations with their insurers in coming renewals, as the leading global players seek to tackle the so-called silent cyber problem and shift the risk from traditional lines into dedicated affirmative cyber policies. The need for the carriers to take swift action on this potentially catastrophic exposure was laid bare last week at the Singapore Reinsurance and Insurance Conference (SRIC), when cyber insurance expert Peter Hacker and his colleague Hans-Joachim Guenther warned that the market could face a massive loss of up to $40bn from a single coordinated attack, if it does not tackle many of the ambiguities and hidden accumulation problems caused by cyber. A rising number of risk and insurance managers and their representative associations across the world have come to accept that the cyber accumulation threat posed by silent cyber needs to be tackled and the clarity provided by affirmative cover would be good for all. But, many remain concerned that insurers will seek to use these fears to unjustifiably generate a rich new vein of business by charging through the nose for the new dedicated cover without reducing the cost of the more limited existing cover once the cyber has been stripped out. Franck Baron, president of the Pan Asia Risk & Insurance Management Association (Parima), which held its Malaysia conference in Kuala Lumpur this week, raised this point in a recent interview with Commercial Risk Asia. He said he is not surprised that insurers are working to tackle non-affirmative cyber in other lines of business. He believes that, on the whole, this is good news for buyers. However, he stressed that any previous non-affirmative cyber cover that insurers want to exclude should be factored in at renewal pricing negotiations, with reductions in costs for buyers. Relying on “bits and pieces of cyber coverage from various lines of insurance is dicey at best”, he said. But Mr Baron rightly pointed out that cyber risk and cyber insurance are not brand new and after years of maturation, it is high time to secure a fully dedicated programme for these risks. Mr Hacker and Mr Guenther definitely believe that all parties in the risk and insurance chain need to tackle this problem, and fast, or face losses that could wipe out the reinsurance market’s surplus capital. Risk managers need to take a close look at their exposures and their policies and programmes before they start the discussion with brokers and carriers on cyber. During the SRIC presentation, Mr Hacker explained that based on the pair’s recently designed proprietary model, a single coordinated attack could cause economic losses of up to $234bn and insured losses of up to $40bn. The reinsurance sector would take the lion’s share of the silent cyber losses within that total. Captives may well take a material hit primarily from embedded silent cyber exposure in P&C lines, according to the analysis. “As result of our own and proprietary cyber risk scenario analytics, we believe global economic losses can range between $121bn and $234bn, and insurance losses between $27bn and $40bn. The scenario is based on a massive power outage or major cloud operation and domain name servers failure resulting from a coordinated global cyberattack, using the combination of a high-volume and intensity-driven distributed denial-of-service attack (DDoS) with two to four attacking vectors, one of them a major ransomware backing a wiper. In the broadest sense, we talk about DDoS plus NotPetya/WannaCry alike, but without a subsequent ‘quick’ kill switch and with broad interruptions of three to seven days across numerous sectors and company sizes,” he told Commercial Risk Asia shortly before the event in Singapore. “Over the next few years, the gap between economic losses and insured cyber losses will rapidly shrink and cyber will represent a loss exposure that is comparable to the worst natural catastrophe losses but, significantly, with a potential return period that is much shorter than in natural catastrophe scenarios,” continued Mr Hacker. Mr Guenther added that, at this stage, a prudent estimate for silent cyber loss would probably account for about 20% of an insured loss, though he did add that this assumption may well change once pending court cases are resolved. However, he said it is important to note that if data is considered a physical, tangible asset, or non-kinetic warfare such as state-sponsored cyber warfare activities are not, or only partially, excluded, the 20:80 split could exponentially well change, resulting in massive pressure on conventional P&C markets. “Given existing property and casualty risk reinsurance or captive structures, it is reasonable to assume that 90% of this loss will run down into reinsurance. Be reminded of the Thai floods of 2011 and how a large event made its way through uncapped risk covers into reinsurance. Silent cyber losses are mostly outside managed loss scenarios and are therefore running against the reinsurance industry’s excess capital,” he said. “Standard & Poor’s states in its latest Global Reinsurance Highlight 2019 report that the leading top 20 reinsurers have excess capital of about $20bn to $30bn. The straight conclusion reads: silent cyber has the power to wipe out a substantial amount of the global reinsurance excess capitalisation, which is the foundation of the loss-resilience profile of this industry. The threat related to silent cyber is pretty much the same for captives, which will need to carefully assess their silent cyber exposures against their limited capital,” added Mr Guenther. Mr Hacker agrees with a rising body of regulators and experts in the risk management and transfer sector that this potentially catastrophic risk cannot be managed in isolation. It needs a joined-up approach. “Cyber risks are simply too complex to be handled in isolation. No matter what capital size the (re)insurance parties can offer, it is a challenge that needs to be addressed top-down by regulatory bodies, the (re)insurance industry, capital markets, cybersecurity vendors and corporations together. Personally, I remain convinced that broader solutions backed by governments, (re)insurers and capital markets, such as cyber risk transfer pools or ILS structures, will be mid- to long-term products to manage huge loss scenarios. In any case, nobody can afford running continuously with such a high degree of potential silent cyber exposure,” he said. But while governments, regulators, industry associations and the like work out how best to tackle this problem, individual risk managers within corporations, insurers and reinsurers need to take a good look at their exposure, how and whether they are covered, and revise their response and crisis management plans sooner rather than later. The Swiss experts have already carried out education and reviewed coverage wordings, exposures and potential accumulations for a number of risk managers within corporations, captives and the (re)insurance sector. Demand will clearly rise for such expert, third-party assistance. Mr Hacker said corporate customers should run board simulations that stress test their readiness to respond to critical cyber incidents and help verify the appropriateness of insurance solutions. But these need to be truly dynamic tests, not tickbox exercises, he stressed. “This cannot be done with simple desk exercises or ‘card games’. This requires a dynamic and non-linear simulation that reacts to the way management responds to an incident. [Being] forced to decide under stress is different to working [from] a handbook,” he said.

Single coordinated cyberattack could cause $40bn insured losses

Want to read this article?

Read Next

Rates fall in most regions during Q1 but rise in Europe and US: Marsh

Major cyberattack would hike rates but insurers would ‘brush off’ losses: Lockton Re

Chubb says Q1 saw ‘best rates’ as it books $2bn profit

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Rates fall in most regions during Q1 but rise in Europe and US: Marsh

Major cyberattack would hike rates but insurers would ‘brush off’ losses: Lockton Re

Chubb says Q1 saw ‘best rates’ as it books $2bn profit

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Want to read this article?

Read Next

Rates fall in most regions during Q1 but rise in Europe and US: Marsh

Major cyberattack would hike rates but insurers would ‘brush off’ losses: Lockton Re

Chubb says Q1 saw ‘best rates’ as it books $2bn profit

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Related Articles