The Big Question: does the market need to broaden its thinking on systemic cyber risk?
Cyber-attacks continue to be a relentless source of concern for business – and also for the (re)insurance market, which I think it’s fair to say is becoming increasingly concerned about its aggregations and the extent of exposure to a possible ‘systemic’ cyber event.
With this in mind, last month Gallagher Re released a report which emphasised the rising concern among business and insurance sector leaders regarding the potential for a large-scale systemic cyber-attack, or ‘cyber catastrophe’.
The report underscored that while the cyber insurance market is rapidly evolving, it has yet to confront the potential fallout of a cyber catastrophe of unprecedented scale. As it suggested, unlike markets for natural catastrophe risks, which frequently witness events like hurricanes, wildfires, tornadoes, and floods, the lack of historical data and inconsistency in coding frameworks make modelling and pricing cyber catastrophe events particularly challenging. The result is a high level of uncertainty that affects the industry’s ability to assess and manage this risk effectively.
We thought we’d dig a little deeper into the issue, and in this latest Big Question we caught up with Gallagher Re’s Head of International Cyber, Jennifer Braney, to ask: does the market need to broaden its thinking on systemic cyber risk?
Ian Summers, Global Business Leader, AdvantageGo
“When you talk about systemic risk, it’s worth noting that you can have two different types,” says Braney. “You can have a cat risk, but then there is also an attritional systemic risk, which can be through pricing, so you’ve under-priced for the risk. If the risk evolves, then you might think that ‘we haven’t quite priced that right’, and I think we saw that with the ransomware losses in 2019 and 2020 – there was a bit of a market correction rather than a market hardening, where there was a revisiting of the limits being given, the questions being asked, and the understanding from the claims coming out led to an adaption of the underwriting.”
“You have also something like ransomware, which is a systemic risk even though it isn’t quite a cat because it is ongoing, a bit like a pandemic. There is this argument: is a pandemic a cat event or is a pandemic kind of an attritional systemic loss? So when you think about the word systemic, you can look at it in various different ways. At the moment, most people would think about systemic as being a big tail-event cat: probably a big cloud outage or a big ransomware event, potentially even a big data breach.”
“But I think we shouldn’t completely miss out on the other systemic exposures. I actually think of regulation here as well because, as we increasingly rely on software, there are going to be a lot of risks that come out of that, and when regulation changes – we’ve seen it with privacy regulation but I’m sure there are going to be other things happening such as artificial intelligence – then that also leads to a different type of systemic risk, so I think we should also broaden our view as to what exactly we mean by systemic risk.”
Gallagher Re’s report suggests that to an extent capital remains constrained for cyber cover, but Braney says she thinks there are signs of improvement:
“We have done a huge amount of work to capacity hunt; it tends to take, we find, sometimes three years to bring new capacity to market and I think it’s an education and knowledge-sharing piece. As humans we fear the unknown, and people think that cyber is scary and they just don’t want to think about it. It holds people back. But the big capacity providers that are in the market, they have done a huge amount of research into this class of business and into the risk. They really have a plan to deal with it, and right at the top level of these companies cyber is understood and recognised as an opportunity as well as a threat. And I think that, unless you are approaching it in that way, it’s quite challenging to suddenly overnight be alright with cyber.”
Surely underwriters are understandably wary because of a lack of data and the fact it’s such a fast-moving environment, though? Braney is not so sure.
“I don’t think it’s a lack of data, I think it’s more an issue of how you are harnessing the data,” she says. “That’s a universal issue outside of cyber as well. There are so many data points but can you actually get them into your system and into a format that you understand and actually use?” There are also new tools and new technologies such as outside scanning that can be used to get data, she adds, “which is obviously going to help understanding, so I wouldn’t necessarily say that the market is lacking data”.
“It’s also worth noting that it’s sometimes the failure of a person, not a system. Recently there have been instances, for example, where you have a phishing campaign and you have an IT department giving you access because you asked very nicely. So you have all the procedures and processes in place – you’ve got your firewalls, you’ve got everything – but it’s just a person giving access to another person. We don’t want to overly blame people here, but at the end of the day, despite everything you do perfectly, accidents can still happen, and that’s where the insurance comes in.”
Braney adds that the scale and sophistication of cyber-attacks shouldn’t necessarily make underwriters wary of writing certain risks:
“There’s a give and take, a bit of back and forth: there’s an attack and then you learn from the attack. And it’s never just a one-sided thing. I think a lot of the outside scanning allows you to look at risks in the same way that an attacker would. So we’re using the same tools. And I think that those who are going to be the most vulnerable to attacks are the ones who aren’t thinking about their exposures at all. Obviously, if you have someone trying to target a large corporate then you are going to have to have quite a high level of defence.”