{"id":6309,"date":"2023-11-16T08:21:27","date_gmt":"2023-11-16T08:21:27","guid":{"rendered":"httpss:\/\/www.advantagego.com\/?p=6309"},"modified":"2025-03-10T13:43:07","modified_gmt":"2025-03-10T13:43:07","slug":"should-the-market-need-to-rethink-systemic-cyber-risks","status":"publish","type":"post","link":"https:\/\/www.advantagego.com\/en-us\/content\/should-the-market-need-to-rethink-systemic-cyber-risks\/","title":{"rendered":"The Big Question: does the market need to broaden its thinking on systemic cyber risk?"},"content":{"rendered":"\n<p><em>Cyber-attacks continue to be a relentless source of concern for business \u2013 and also for the (re)insurance market, which I think it\u2019s fair to say is becoming increasingly concerned about its aggregations and the extent of exposure to a possible \u2018systemic\u2019 cyber event.<\/em><\/p>\n\n\n\n<p><em>With this in mind, last month Gallagher Re released a report which emphasised the rising concern among business and insurance sector leaders regarding the potential for a large-scale systemic cyber-attack, or \u2018cyber catastrophe\u2019.<\/em><\/p>\n\n\n\n<p><em>The report underscored that while the cyber insurance market is rapidly evolving, it has yet to confront the potential fallout of a <a href=\"https:\/\/www.advantagego.com\/en-us\/content\/unveiling-cyber-war-exclusion-clause-in-the-lloyds-market\/\" target=\"_blank\" rel=\"noreferrer noopener\">cyber catastrophe of unprecedented scale<\/a>. As it suggested, unlike markets for natural catastrophe risks, which frequently witness events like hurricanes, wildfires, tornadoes, and floods, the lack of historical data and inconsistency in coding frameworks make modelling and pricing cyber catastrophe events particularly challenging. 
The result is a high level of uncertainty that affects the industry\u2019s ability to assess and manage this risk effectively.<\/em><\/p>\n\n\n\n<p><em>We thought we\u2019d dig a little deeper into the issue, and in this latest Big Question we caught up with Gallagher Re\u2019s Head of International Cyber, Jennifer Braney, to ask: does the market need to broaden its thinking on systemic cyber risk?<\/em><\/p>\n\n\n\n<p><strong>Ian Summers, Global Business Leader, AdvantageGo<\/strong><\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>\u201cWhen you talk about systemic risk, it\u2019s worth noting that you can have two different types,\u201d says Braney. \u201cYou can have a cat risk, but then there is also an attritional systemic risk, which can be through pricing, so you\u2019ve under-priced for the risk. If the risk involves, then you might think that \u2018we haven\u2019t quite priced that right\u2019, and I think we saw that with the ransomware losses in 2019 and 2020 \u2013 there was a bit of a market correction rather than a market hardening, where there was a revisiting of the limits being given, the questions being asked, and the understanding from the claims coming out led to an adaption of the underwriting.\u201d<\/p>\n\n\n\n<p>\u201cYou have also something like ransomware, which is a systemic risk even though it isn\u2019t quite a cat because it is ongoing, a bit like a pandemic. There is this argument: is a pandemic a cat event or is a pandemic kind of an attritional systemic loss? So when you think about the word systemic, you can look at it in various different ways. At the moment, most people would think about systemic as being a big tail-event cat: probably a big cloud outage or a big ransomware event, potentially even a big data breach.\u201d<\/p>\n\n\n\n<p>\u201cBut I think we shouldn\u2019t completely miss out on the other systemic exposures. 
I actually think of regulation here as well because, as we increasingly rely on software, there are going to be a lot of risks that come out of that, and when regulation changes \u2013 we\u2019ve seen it with privacy regulation but I\u2019m sure there are going to be other things happening such as artificial intelligence \u2013 then that also leads to a different type of systemic risk, so I think we should also broaden our view as to what exactly we mean by systemic risk.\u201d<\/p>\n\n\n\n<p><strong>Capital constraints?<\/strong><\/p>\n\n\n\n<p>Gallagher Re\u2019s report suggests that to an extent capital remains constrained for <a href=\"https:\/\/www.advantagego.com\/en-us\/lines-of-business\/cyber\/\" target=\"_blank\" rel=\"noreferrer noopener\">cyber cover<\/a>, but Braney says she thinks there are signs of improvement:<\/p>\n\n\n\n<p>\u201cWe have done a huge amount of work to capacity hunt; it tends to take, we find, sometimes three years to bring new capacity to market and I think it\u2019s an education and knowledge-sharing piece. As humans we fear the unknown, and people think that cyber is scary and they just don\u2019t want to think about it. It holds people back. But the big capacity providers that are in the market, they have done a huge amount of research into this class of business and into the risk. They really have a plan to deal with it, and right at the top level of these companies cyber is understood and recognised as an opportunity as well as a threat. And I think that, unless you are approaching it in that way, it\u2019s quite challenging to suddenly overnight be alright with cyber.\u201d<\/p>\n\n\n\n<p><strong>Data issues<\/strong><\/p>\n\n\n\n<p>Surely underwriters are understandably wary because of a lack of data and the fact it\u2019s such a fast-moving environment, though? 
Braney is not so sure.<\/p>\n\n\n\n<p>\u201cI don\u2019t think it\u2019s a lack of data, I think it\u2019s more an issue of how you are harnessing the data,\u201d she says. \u201cThat\u2019s a universal issue outside of cyber as well. There are so many data points but can you actually get them into your system and into a format that you understand and actually use?\u201d There are also new tools and new technologies such as outside scanning that can be used to get data, she adds, \u201cwhich is obviously going to help understanding, so I wouldn\u2019t necessarily say that the market is lacking data\u201d.<\/p>\n\n\n\n<p>\u201cIt\u2019s also worth noting that it\u2019s sometimes the failure of a person, not a system. Recently there have been instances, for example, where you have a phishing campaign and you have an IT department giving you access because you asked very nicely. So you have all the procedures and processes in place \u2013 you\u2019ve got your firewalls, you\u2019ve got everything \u2013 but it\u2019s just a person giving access to another person. We don\u2019t want to overly blame people here, but at the end of the day, despite everything you do perfectly, accidents can still happen, and that\u2019s where the insurance comes in.\u201d<\/p>\n\n\n\n<p>Braney adds that the scale and sophistication of cyber-attacks shouldn\u2019t necessarily make underwriters wary of writing certain risks:<\/p>\n\n\n\n<p>\u201cThere\u2019s a give and take, a bit of back and forth: there\u2019s an attack and then you learn from the attack. And it\u2019s never just a one-sided thing. I think a lot of the outside scanning allows you to look at risks in the same way that an attacker would. So we\u2019re using the same tools. And I think that those who are going to be the most vulnerable to attacks are the ones who aren\u2019t thinking about their exposures at all. 
Obviously, if you have someone trying to target a large corporate then you are going to have to have quite a high level of defence.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyber-attacks continue to be a relentless source of concern for business \u2013 and also for the (re)insurance market, which I think it\u2019s fair to say is becoming increasingly concerned about its aggregations and the extent of exposure to a possible \u2018systemic\u2019 cyber event. With this in mind, last month Gallagher Re released a report which [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":6310,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[7],"tags":[],"line-of-business":[],"class_list":["post-6309","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogs"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/posts\/6309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/comments?post=6309"}],"version-history":[{"count":0,"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/posts\/6309\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/media\/6310"}],"wp:attachment":[{"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/media?parent=6309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/categories?post=6309"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/tags?post=6309"},{"taxonomy":"line-of-business","embeddable":true,"href":"https:\/\/www.advantagego.com\/en-us\/wp-json\/wp\/v2\/line-of-business?post=6309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}