The Changing Nature of Risk: The Cyber Risk Landscape

The insurability of systemic risk is going to be one of the defining issues of the next decade for the re/insurance sector. Rapid technological changes, digitalization in particular, have already transformed the characteristics of risks assumed by the re/insurance market. COVID-19 will only accelerate these trends.

As cyber risk is one of the most dynamic perils in the industry, carriers must carefully manage exposures – and not only for competitive advantage. As regulators formalize capital requirements and quantitative and qualitative measurements of risk appetite in this rapidly evolving market, companies must enhance cyber underwriting and reinsurance strategies, leverage innovative modelling capabilities and develop technical and underwriting risk talent to continue offering clients the best security possible.

Re/insurers face many challenges in formulating a cyber risk management strategy, including divergent views of the potential silent cyber exposure of property, casualty, aviation, transportation, marine and other policies. This is compounded by the fact carriers must constantly re-evaluate underwriting strategies to stay abreast of the latest cybersecurity innovations, software patches and attack vectors, all while market demand for cyber products is increasing.

As companies depend more on technology to conduct business, they are also increasingly subject to technology’s unique vulnerabilities. These are wide-ranging and can include system or supply chain disruption or failures, distributed denial of service, hacking and ransomware attacks that may result in increased costs and lost revenue. The timing and severity of these issues can be difficult to predict, with companies increasingly looking to their insurance policies to cover business interruptions stemming from these events, creating an increasing demand for cyber re/insurance.

Potential New Attack Vectors and Technology Impacts

For the insurance industry, cyber and technology risks pose a number of opportunities, challenges and threats. Cyber risk is constantly evolving and at an increasingly rapid rate, causing insurers, businesses and nation states difficulties in measuring, assessing, communicating and responding to cyber events.

Increasing reliance on technology makes us more vulnerable to risks inside and outside the organization. The common trends emerging are:

  • The proliferation of big data and cloud computing - confidentiality, integrity and availability of data is critical to organizational survival, whether nation state secrets, industrial intellectual property (IP) or personal sensitive data.
  • Cyber-attacks on mobile devices are increasing and are likely to become a primary phishing vector for credential attacks in 2020. As a result, dual-factor authentication will move to multi-factor authentication.
  • The continued use of social engineering through phishing and smishing.
  • An increase in the proliferation of malware and ransomware.
  • An increase in opportunities for organized crime.
  • A lack of global governance and agreement, which creates a unique opportunity to exploit vulnerable individuals, companies and nation states.
  • The increasing use of artificial intelligence.
  • Increasingly interconnected supply chains vulnerable to multi-party cyber security incidents.
  • Global adoption of 5G infrastructure technology.
  • Newer technologies like deep fake video and audio technology.

The Impact of COVID-19 on Business Models

As companies and their employees continue to adjust to working remotely, changing product demands and supply chain interruptions are forcing them to adapt their business models. This has resulted in increased potential for cyber risk events, and we have observed the following cyber risk amplifiers:

Insurer Growth Strategies

Despite the challenges cyber presents for the industry, particularly in light of the COVID-19 pandemic, a variety of growth strategies exist for insurers looking to explore the space. Some companies are targeting only large corporate risks, while some are looking exclusively at small- and medium-sized enterprises (SMEs), as they do not want to take the chance of the larger corporate claims destabilizing their portfolios. Others are looking into how to balance their large corporate cyber with SME business through white-labeling or supporting managing general agents.

Target Segments

The number of companies purchasing cyber insurance continued to increase in 2019, driven by growing recognition of cyber threats as a critical business risk and appreciation for cyber insurance’s role in mitigating its economic impact.

Prior to 2019, manufacturing and data intensive industries led the growth in cyber sales, however, in the United States the prominent buyers of cyber insurance in 2019 were the education, healthcare, hospitality and gaming, media and telecommunications industries.

How Changes in Cyber Risk Could Drive a Hard Cyber Insurance Market

As the threat landscape continues to evolve, we have already seen shifts in ransomware attack behaviors. These attacks are no longer just ransomware, and are often combined with data theft or credential harvesting. This carries the potential to increase cyber claim-related costs, and given the impact this is having on SME cyber portfolios, we are seeing corrections in pricing and terms and conditions.

Non-Affirmative Modeling and Guy Carpenter Solutions

Moving away from affirmative cyber coverage, the non-affirmative, or silent cyber modeling space has also developed in recent years, following the NotPetya and WannaCry attacks, which highlighted the potentially catastrophic impact of silent cyber within non-cyber lines of business. This underlying exposure’s potential for aggregated loss is currently one of the major issues being considered by the (re)insurance industry.

Global regulators, including the European Insurance and Occupational Pensions Authority and the National Association of Insurance Commissioners in the United States, have issued similar statements and guidelines on managing silent cyber risks.

To address this challenge, (re)insurers require an effective means of qualifying and quantifying the risk of silent cyber across entire portfolios. Guy Carpenter has established relationships with cyber risk modeling platforms CyberCube and RiskGenius, an insurtech firm that utilizes artificial intelligence to evaluate potential silent cyber exposure at an individual policy level. This provides clients with a means of assessing corporate silent cyber exposure at scale, while generating deeper risk insights.

GC Cyber Analytics has also developed an in-house solution that combines the RiskGenius tool with an in-house modeling tool for silent cyber - GC SCOPEsm.

We are working with our clients to help them to proactively address both affirmative and non-affirmative cyber risks, including silent cyber in property, casualty and several other lines of business.