As greater understanding of the cyber peril is gained, a chief concern for (re)insurers is risk aggregation. Unlike traditional property insurance where aggregation is monitored by physical locations, insurers are exposed to the possibility of a single attack or a series of attacks either against multiple insureds or a single insured (such as a cloud provider) that could lead to substantial losses across multiple geographies. While a large systemic risk has not yet materialized, it does not mean the risk is not present. The challenging part is that there is limited history and lack of data for this emerging exposure, which makes it difficult for insurers to measure cyber risk and calculate capital needs.
This creates opportunity for the reinsurance marketplace. Reinsurers’ raison d’etre is to quantify and protect insurers from catastrophic exposure. The use and development of cyber models will be a crucial step for both insurers and reinsurers in the identification of cyber exposures, but several challenges exist:
What is the potential size of a loss?
- This has been largely addressed in many property models. Instead of faulty wiring causing a fire, assume the short in the wire was caused by a cyber breach. The resulting fire is the same value regardless.
What is the likelihood of an event occurring?
- This is the more difficult part to quantify. There is greater understanding of the number of breaches because many jurisdictions require notices, but property losses caused by a cyber-attack are not as well known.
What is the inter-connectedness of companies in the cyber space?
- Different industries may use the same underlying technology platform, so an attack on one system may impact another system in a completely different company that was unknown previously.
In efforts to quantify these potential losses, much of the industry continues to rely on multiple models and actuarial approaches that encompass: model applications, probable maximum loss estimates, realistic disaster scenarios and experience and exposure ratings to create a broad set of scenarios and deterministic views. These methods do not utilize the probabilistic methodologies so frequently used in the property marketplace. For example, applications can identify and quantify emerging “aggregating” exposure concentrations, but do not include an element of how often those concentrations could be impacted by an event.
Guy Carpenter has developed tools and solutions to help our clients better understand, manage and quantify their cyber risks, with the goal of turning them into opportunities for growth. By understanding the potentials for loss and developing an approach to deal with the peril, insurers may be in a position to implement risk management strategies that allow for continued growth of cyber risk solutions.
To view the recent announcement of Guy Carpenter’s strategic alliance with Symantec to develop a cyber aggregation model, CLICK HERE.