The fast-growing cyber insurance market is on a collision course with constrained capital, but the most costly cyber risk remains a hard-to-detect threat.
By Russ Banham
Leader’s Edge magazine
Several major insurance companies providing cyber insurance are increasingly concerned over the possibility of a cyber attack generating systemic losses, defined as having the potential to impact thousands of companies simultaneously, due to commonalities or shared elements of exposure. Such a possibility is an existential crisis in the making for the many insurers and reinsurers that assume cyber risk.
An example of a systemic risk is the successful hacking of a large third-party provider of cloud services, shutting down its operations while concurrently infecting the IT systems of a huge number of insureds that rely on the provider for services. Marsh stated in its fourth-quarter 2021 “Cyber Insurance Market Overview” that, were such a cascading loss to occur, it “could cost multiples of the estimated size of the current insurance market.”
And according to Chubb, the complexity of cyber networks makes understanding and managing the risk harder. “Vulnerabilities and exposures are multiplying due to greater interconnectivity, creating systemic risks that are vast, growing and not easy to detect or control,” the insurer stated in a 2022 report titled “Catastrophic Cyber Risks: A Growing Concern.”
“Combining these systemic risk dimensions with potentially severe and widespread consequences creates the possibility for a cyber catastrophe,” the report states, noting that cyber incidents are not limited by geography.
Chris Storer, head of the Cyber Centre of Excellence at Munich Re, says that “understanding and modeling systemic risk is the biggest challenge we have…a topic on the minds of all leading insurers in the cyber market.”
More Demand, Less Capacity
As more technology is introduced into corporate operations, processes and functions, the risk of cyber attacks disrupting business escalates, along with the need to transfer the exposure. A recent equity research report provided on condition of anonymity to Leader’s Edge (due to restrictions on distribution) projected the cyber insurance market will grow at a 25% compound annual rate to reach an astounding $480 billion in commercial premiums by 2040. By comparison, premium volume across the entire U.S. property and casualty industry in 2021 was $715.9 billion.
Assuming the report is close to the mark, meeting this demand will be constrained by the reinsurance capital available to spread primary carriers’ catastrophic risks. “The demand for reinsurance capital remains greater than available supply,” Marsh stated in its fourth-quarter 2021 cyber market overview, explaining that the total amount of cyber premium that insurers are collecting “is potentially insufficient to fund for a catastrophic loss.”
Well aware of this possibility, Beazley in January 2023 launched the first cyber catastrophe bond in the global insurance market, a liquid insurance-linked securities (ILS) instrument. The $45 million tradeable bond, which is backed by a panel of investors including Fermat Capital Management, indemnifies Beazley against all perils in excess of a $300 million catastrophe. “The bond is designed to cover remote probability catastrophic and systemic events,” Beazley said in a prepared statement.
According to Chubb, while no cyber attack has produced a lateral-moving catastrophic loss, such an event is “no longer theoretical.”
Longtime industry observers agree with this nightmarish possibility. “There’s no question the potential for truly catastrophic cyber losses will rival the largest natural disasters in history, making it incumbent on insurers to understand the aggregation of cyber risks they have on their books to ensure they are appropriately underwritten,” says Robert Hartwig, associate professor of finance at the University of South Carolina, who leads the school’s Risk and Uncertainty Management Center.
Appropriate underwriting of potential systemic cyber losses is severely challenged by what Storer, from Munich Re, calls “essentially uninsurable risks. I don’t believe it is possible to model such risks at the present time, which is why they need to be clearly excluded and compartmentalized by the carriers. From a reinsurance standpoint, it is important that the carriers address these issues at the original policy level.”
Major cyber insurers like Chubb, Beazley and Lloyd’s are doing just that. Lloyd’s, for example, recently said its syndicates will begin excluding coverage for attacks sponsored by state-backed entities beginning in March 2023. News reports also suggest the insurance and reinsurance marketplace is working on additional approaches to limit syndicates’ cyber-risk aggregations. Although Lloyd’s said last August it remains “strongly supportive” of writing cyber insurance, it also noted that “if not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.”
Beazley has also added three new endorsements—a revised war exclusion; a revised infrastructure exclusion, clarifying telecommunications infrastructure and replacing the company’s existing exclusion; and a new sublimit endorsement, addressing two catastrophic cyber events: a prolonged outage of a major cloud service provider exceeding 72 hours and contagion malware in a computer operating system causing major detrimental impact to a state’s essential services.
“There are some risks that are too big for us to take on, and we’ve been pretty clear about that—cyber war, for example,” says Paul Bantick, Beazley’s head of Global Cyber & Technology. “But there are only a small number of scenarios where I think cyber insurance says, ‘This is something that we can’t take on.’”
Chubb has structured a separate endorsement to absorb four types of “widespread events.” The events include software supply-chain exploits, an attack in which hackers enter systems through trusted and certified software (“effectively a Trojan horse,” Chubb states); severe zero-day exploits (“attacks arising from certain software vulnerabilities known by cyber criminals but not yet by anyone else”); severe known vulnerability exploits (“that are not patched”); and “all other widespread events.” The last event appears designed to absorb systemic cyber risks. Chubb said such events include an outage at a large cloud computing firm that “could impact the operations of thousands or even millions of companies.”
Several brokers and MGAs commented on the ambiguous wording of the coverage endorsements and exclusions. John Farley, managing director of Gallagher’s Global Cyber Liability Practice, says the brokerage is concerned about what the primary cyber insurance marketplace “wants to cover and not cover. Some [insurers] are deciding to sublimit [catastrophic] events, adding time elements like not covering the impact of a cloud outage beyond a certain amount of hours or days. Others are throwing in co-insurance requirements. We and others are confused over what these actions mean if there truly is a catastrophic event as defined in the policy.”
“We’re seeing carriers pulling all these different levers to retract and reduce their exposures—not only sublimits and co-insurance but also much higher retentions for buyers on top of exclusionary language,” says Steve Robinson, National Cyber Practice leader at Risk Placement Services. “Carriers are seriously beginning to address the possibility of systemic risk in their wordings due to concerns over potential cloud provider outages and operating system failures. In trying to mitigate their exposure to such big mass casualty-type events, some insureds are getting substantially reduced limits for what is probably some of their biggest exposures.”
Roman Itskovich, co-founder and chief risk officer at At-Bay, agrees. “If a single cyber event happens to many companies and you are one of them, my interpretation of the ambiguous policy language is that your coverage will be limited,” Itskovich says. “You will have half the limits you think you have.”
Carriers that provide cyber insurance, such as Liberty Mutual, argue that the industry’s actions are necessary. “Any insurance company that is not thinking about systemic cyber risks is not thinking properly,” says Dan Frusciano, Liberty Mutual’s North America head of cyber underwriting. “The systemic nature of cyber is on everyone’s mind.”
Although Frusciano acknowledged that brokers and MGAs want more clarity and consistency in cyber insurance policy “wordings and approaches,” he says the market is immature when compared to other lines of insurance. “The more data the industry generates over time will help organizations model the potential for systemic risks,” Frusciano says. “Once carriers have a better sense of what these risk scenarios look like, we can reflect this enhanced knowledge in how we each underwrite the product.”
It is extremely difficult to quantify systemic cyber risks. Since such losses have yet to occur, the data are limited to “what might have occurred” scenarios. Like other industry participants, Shawn Ram, head of insurance at Coalition, agrees that the difficulty of modeling systemic risk is the key factor in the cyber insurance market’s recent actions.
“The models on systemic risk are highly divergent insofar as the cat load, given the lack of knowledge about a third-party cloud provider’s cyber security,” Ram says. “Consequently, there are high deviations on the potential for an aggregating event to occur. … This uncertainty is causing reinsurers to be cautious in deploying capital.”
This caution is evident in reinsurers’ quota share treaties with cyber insurers. “Many quota share reinsurance treaties during the 2022 renewal period included loss ratio caps excluding reinsured losses above a specified percentage of earned premiums, a way of reducing a reinsurer’s exposure to catastrophic loss,” says Itskovich.
While the loss ratio caps remained in place during the recent treaty renewal season, Storer from Munich Re says, they are “not unusual, as more than 50% of carriers’ cyber exposures are assumed by reinsurers, materially more than any other line of business.”
Nevertheless, Itskovich projects that over time, less capacity for cyber risks will be borne by reinsurers than is assumed at present, with “much more of the capacity taken net on primary carriers’ balance sheets,” he says. “Obviously, to support a much bigger cyber insurance market in the future to meet demand, risk-bearing capacity will need to grow substantially. This could occur directly by tapping the ILS markets, like Beazley did, or indirectly in the form of cyber insurers’ and reinsurers’ raising [investor] capital to deploy towards cyber risk.”
Farley agrees, saying, “While capacity has loosened up, it is nowhere near where it was. I don’t believe we have the capacity we truly need.”
When asked how Beazley has been able to make investors comfortable with its underwriting, Bantick says it was a two-year process of showing investors the scenarios Beazley had been building over 15 years of writing cyber. “They’ve evolved over 15 years,” Bantick says. “We have some brand new ones, we have some older ones, we have some ones we’re thinking about. I think giving them the insight into those scenarios, how we create them, the third parties we work with, that’s what built that confidence.”
In addition to using modeling provided by CyberCube, Beazley ran its own deterministic scenarios of the risk, working through many possibilities and modeling what they look like in the present and in the future as the portfolio grows.
The importance of the cyber insurance market’s response to systemic risks cannot be overstated. A 2022 survey of 1,200 business leaders by Travelers Insurance listed cyber threats as the top overall business concern, ahead of broad economic uncertainty, energy cost fluctuations, and the ability to retain and attract talent. “I don’t think that CEOs and CFOs believe their companies can manage cyber risks well enough, which explains why the cyber insurance market is so crucial and has grown so much in such a short time,” Itskovich says.
The business leaders surveyed were upbeat that insureds will continue to do their part, fortifying their networks and systems against attack and responding forcefully when an intruder is discovered. “The insurance industry has done such a great job moving the needle of cyber-security preparedness across businesses in diverse sectors,” says Robinson, of Risk Placement Services. “To qualify for coverage now and in the future, you have to be secure. That will continue to be a catalyst for good.”
Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.
SYSTEMIC THREAT LANDSCAPE
There are other types of systemic cyber risks aside from a major cloud outage. Among them is a vulnerability in widely used software. In 2021, Chinese cyber-security researchers detected such a vulnerability (CVE-2021-44228, known as Log4Shell) in Log4j, an open-source Java logging library embedded in software running on hundreds of millions of devices. U.S. government cyber-security officials subsequently issued an emergency directive requiring federal agencies to patch the flaw, calling it “one of the most serious software vulnerabilities in history.”
In January 2022, Microsoft reported that attackers were taking advantage of the vulnerability to deploy ransomware. “Had the malware been exploited, it could have spread like COVID to cause catastrophic insured losses,” says Roman Itskovich, co-founder and chief risk officer at At-Bay.
Dan Frusciano, North America head of cyber underwriting at insurer Liberty Mutual, cited another type of systemic risk: “targeted malware that penetrates a SaaS [software as a service] provider’s network and expands out to multiple customers to cause a catastrophic loss. In some ways, given the many SaaS providers out there, this is more of a concern than a large cloud provider outage, as there are only a few of them.”
The SolarWinds software supply chain attack is emblematic of another type of systemic risk. Hackers inserted a backdoor into a SolarWinds Orion software update that was installed by roughly 18,000 customers, then used that foothold for follow-on intrusions into a much smaller set of companies and government agencies, including Microsoft, Cisco, Intel, the State Department and the Pentagon. The malware in the attack, known as Solorigate (Microsoft’s name; FireEye called the backdoor SUNBURST), is considered a game changer. “Cyber criminals have demonstrated their ability to disrupt supply chains for businesses around the world,” Chubb stated, adding that the attack “could have been much worse if the intent had been to steal or destroy critical data or other information.”
Solorigate appears to be a key factor in the decision by Chubb to develop a widespread event endorsement for systemic cyber incidents. Among the four widespread events covered in the endorsement is a “widespread software supply chain exploit.”
Storer’s colleague, Steve Pacheco, head of U.S. cyber and tech at Munich Re Specialty Insurance, says the threat of a systemic cyber event “keeps most cyber underwriters up at night. It’s the million dollar question.” He adds that a “systemic event doesn’t discriminate. Once it replicates, it can find its way across businesses in a broad spectrum of industry verticals.”
In response, major cyber insurers such as Chubb, Beazley, Crum & Forster and Lloyd’s have taken specific actions to reduce their exposure to systemic losses. For the most part, these actions involve coverage exclusions for war and state-backed cyber attacks, the inclusion of a sublimit confining losses from cyber cloud outages to a specified time period, and the development (by Chubb) of two separate cyber policies: one for the insurer’s attritional losses—a loss impacting one customer—and another for systemic losses.
The actions are necessary to manage the unpredictability of systemic cyber risks and to maintain stable reinsurance capacity at a time of rapidly growing demand, driven in large part by the digital transformation of companies in all industry sectors.
Growing apprehension among insurers and reinsurers over the risk of a systemic cyber incident has attracted the attention of the U.S. Treasury Department, which put out a request for information (RFI) on the subject to the property and casualty insurance industry in September 2022.
The department’s action springboards off of a concerning June 2022 report on cyber insurance issued by the Government Accountability Office (GAO). The report cited three main worries: an increase in the frequency and severity of cyber incidents impacting critical infrastructure; a number of recent cyber attacks demonstrating the potential for a systemic cyber incident that “spills over from the initial target to economically linked firms, thereby magnifying the damage”; and risks presented by cyber incidents to critical U.S. infrastructure.
Astoundingly, the GAO report stated that scenario-based estimates of a potential loss from a severe cyber incident range from $2.8 billion to $1 trillion on a per event basis. The possibility of such shocking losses impelled the GAO to conclude that a federal insurance response might be in order, hence the Treasury Department’s RFI to the industry. One possible response floated by the GAO is the development of a federal insurance cyber backstop similar to the Terrorism Risk Insurance Program, a federal loss-sharing program for certain losses resulting from a certified act of terrorism.
Industry players are intrigued by the possibility of a federal loss-sharing program. “Although a catastrophic loss produced by a systemic risk scenario involving a multitude of insureds has yet to happen, the industry at present is dealing with this threat through policy wording designed to reduce their loss exposure,” says Mario Vitale, CEO of cyber insurance provider Resilience Cyber Insurance Solutions. “The question then becomes, what will reinsurers do. Some already are putting in loss ratio caps that reduce their cyber exposure.”
If the insurance and reinsurance markets continue to reduce their exposure to a systemic loss, Vitale says, insureds “will need to bear more of the cyber risk on their balance sheets or pay substantially more for coverage. This possibility makes a government backstop an important subject for discussion.”
The comment period on the Treasury Department’s information request closed in November 2022. The commentary will be jointly assessed by the Federal Insurance Office, which is engaged in developing the department’s counter-ransomware strategy, and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, which will subsequently inform Congress if a federal insurance response is warranted.
Robert Hartwig, associate professor of finance at the University of South Carolina, says all countries, not just the United States, should be “thinking strongly” about the development of a government backstop “for what will inevitably be some sort of systemic shock from a cyber event.”
Hartwig, who has testified several times in front of Congress on the reauthorization of the Terrorism Risk Insurance Program, says the insurance industry “needs to carefully manage this exposure sooner than later. A structure like a federal backstop that spreads catastrophic cyber losses over time, by borrowing on a scale that would be inconceivable on the part of private insurers, is a step in the right direction.”
“If you look at catastrophic cyber,” says Paul Bantick, Beazley’s head of Global Cyber & Technology, “we run 12 to 20 scenarios where we model catastrophic events happening with cyber, and that’s OK: we’re giving coverage for those, we’re insuring those, we’re comfortable with that. We’re not doing this because we’re not comfortable with how we’re managing the systemic risk we have today.” Bantick says Beazley is introducing its cyber catastrophe bond because the market is “probably going to grow a lot if we want to keep giving clients that coverage going forward, which we want to do.”
While the alternative form of cyber risk-bearing capital is considered an important industry development, the ILS-backed instrument alone won’t meet the market’s needs.
“This is a very, very small placement, especially for a carrier as large as Beazley,” says Roman Itskovich, co-founder and chief risk officer at cyber insurance provider At-Bay. “It’s more of a proof of concept than a capital solution, although it is certainly a step in the right direction, given that the demand for cyber insurance outpaces the supply of capital.”
Bantick agrees this is just one tool for working to build capacity in the growing market and says it was a conscious decision to go for the smaller, $45 million bond versus a larger number. “We now have something that is tangible, that is there that we can build on, and I think that is a very good way to go about it,” he says.
“We want to grow this. I’d love to get it to a quarter billion or more. And if you look at the property market, that is something that is a natural progression that hopefully we’ll get to.”
RANSOMING THE INSURANCE INDUSTRY
Although the number of ransomware attacks decreased roughly 10% in third quarter 2022 from the prior quarter, TechCrunch reported that, by the time it adds fourth-quarter ransomware attacks to full-year statistics, “2022 looks set to top  as the worst year on record.”
Major ransomware attacks in 2022 included Bernalillo County in New Mexico, which shut down most government buildings; school website provider Finalsite; Maryland Department of Health, which stated that it did not pay the ransom demand; German defense contractor Hensoldt; and Japanese auto parts maker Denso, among many others. Altogether, from 2019 through February 2022, the number of ransomware attacks increased 232%, according to a report by SonicWall Capture Labs.
The growing frequency and severity of ransomware claims produced record-high loss ratios for many cyber insurers in 2020. Industrywide loss ratios in the United States reached 73%, up from 43% in 2016 and an average of 48% in 2018 and 2019, according to S&P Global Market Intelligence.
In response, cyber premiums catapulted an average 96% in third quarter 2021 on a year-over-year basis, Marsh reported in its fourth-quarter cyber market overview. Other adverse market reactions in 2021 included a 50% sublimit for ransomware losses, reducing by half the available financial limit. Overall limits of cyber insurance also decreased, and coverage terms and conditions tightened, with exclusions introduced for “known vulnerabilities,” policy wording that removes coverage for losses arising from publicly disclosed vulnerabilities the insured failed to patch, a marker of substandard cyber security.
“In 2021, we saw a dramatic cut in capacity almost across the board, with the previous $10 million limits reduced by half,” says John Farley, managing director of Gallagher’s Global Cyber Liability Practice. “This past year was a bit better, with ransomware losses in terms of severity somewhat down, due to what I believe are the strict underwriting controls imposed on insureds in renewals, putting them on notice to bolster their IT networks and systems against wide-ranging attacks.”
Many insureds have done just that. Improvements in policyholders’ cyber hygiene are a major factor in the present moderating of the cyber insurance market. Nevertheless, a recent survey of risk managers by the Risk and Insurance Management Society suggests that companies cannot buy the limits of cyber insurance they desire. Nearly three quarters of the risk-manager respondents who purchased limits below $10 million said they would have bought limits above $10 million had the insurance been available for a reasonable premium.