The aggregation of risk is ever more present because cyber insurance is a global class of business with losses emanating from any part of the world. The non-physical nature of cyber risk makes it possible for (re)insurers to suffer losses from a vast number of insureds spread across different geographies as a result of a single event. That creates aggregation risk, for which an insurer or reinsurer could find itself burdened with catastrophic losses.
Some of the steps for (re)insurers meeting these challenges involve enhancing the quality of data available and to continue the development of probabilistic modeling for cyber risk, particularly with respect to potential loss accumulations.
Modeling the aggregation of physical risks is well established. For example, a large amount of historical data is used to build probabilistic models with regard to natural catastrophes. This level of data does not exist for cyber risk, which means that (re)insurers have to rely on experts making educated assumptions when assessing the severity and frequency of possible cyber catastrophe scenarios. This has led to there being an extremely wide range of estimates for the likely cost of each of the scenarios listed in Part I.
So too with the difficulty facing individual firms in quantifying their cyber risk, an alternative approach is to look at total exposure and capacity. If we consider that the cyber insurance market could treble in the next three to five years, the industry’s probable maximum loss (PML) for cyber risks could easily exceed the global (re)insurance capacity available for other aggregating events, such as nuclear disaster (GBP3 billion) or natural catastrophe (GBP65 billion).
An “extreme loss scenario” does not necessarily arise solely from a single large loss event involving numerous insureds. It also may stem from a number of unrelated loss events affecting numerous insureds during any given annual period or a combination of scenarios. A final layer of complexity arises from the potentially high level of systemic risk overlapping multiple insurance lines of business.
Despite the lack of a clear consensus of the size of the PML that the insurance industry could face, at the moment most insurers are comfortable with the size of their total exposure to affirmative cyber coverage provided through stand-alone policies and/or endorsements. That being said, given the nature of this emerging risk, some insurers are exploring and electing to purchase reinsurance solutions to protect their portfolios against volatility and catastrophic loss.
It is possible that aggregate exposure either does already or will soon become a problem for the market to absorb, since the fact that such an event has not yet occurred is no doubt encouraging the market to continue to increase its exposure.