A new report from the Geneva Association examines growing cyber risk accumulation and suggests ways to better manage the peril.
Cyber perils – malicious or accidental acts that compromise the confidentiality, availability or integrity of data or IT services – can cause harm to many people and organisations, perhaps simultaneously and across different geographies. This potential for significant aggregate losses is particularly problematic for insurers that assume cyber-related risks from their customers, either as part of regular property and liability policies or through dedicated cyber cover, according to a new report from The Geneva Association.
Worries about potential cyber loss accumulation are not new, according to the report. Rising geopolitical tensions over recent years, however, have materially worsened the cyber threat landscape and heightened fears about a serious cyber incident. Global cyberattacks increased by 38% in 2022 compared with 2021, with ransomware attacks a continuing menace. Nation-state threat actors have become ever more aggressive in cyberspace, even beyond the ongoing Russia-Ukraine conflict, including using cyber weapons for destructive purposes.
Although we have yet to witness a truly catastrophic cyber incident, adversaries are increasingly targeting critical infrastructure and digital supply chains – key pathways through which economic losses could escalate. This includes executing mega-scale attacks, exploiting previously unknown vulnerabilities in widely used corporate software or weak legacy cybersecurity protocols to encrypt critical computer systems and data across multiple victims, as well as disruptions in cloud-based services.
Large and persistent cyber protection gap
The more hostile cyber environment has only served to highlight the actuarial challenges that cyber risks pose. In particular, the factors that drive the frequency and severity of cyber losses are not always well understood and typically cannot be modelled with standard statistical approaches. Cyber is an anthropogenic peril and the extent of any harm depends on the interplay between the incentives, motives and resources of both victims and attackers, which often involve complex, non-linear relationships among multiple factors.
Against that background, the report suggests, it is perhaps unsurprising that prudent insurance companies underwrite cyber risks with tightly defined contract wordings and limited risk-absorbing capacity. Yet as firms, individuals and governments become ever more reliant on digital technology, the overall costs from a major cyber incident or campaign of attacks continue to grow. Guesstimates of the annual cost of cybercrime range widely from around $1 trillion to as much as $8 trillion. Set against global cyber premiums of $12–14 billion, this suggests that a sizeable chunk of cyber-related losses is uninsured.
Improved methods to quantify extreme cyber risks will be crucial in further expanding the size and scope of cyber insurance and helping to close the implied protection gap. As the cyber insurance market has grown and matured, underwriting practices for managing accumulation risks have evolved. New approaches to modelling and quantifying catastrophic cyber risks are progressing alongside a general understanding of the factors that might lead to accumulated losses as well as those that limit extreme cyber exposure. Similarly, more and better quality data and insights can now be gathered from a variety of sources that together help build a picture of the cyber risk landscape. This includes information about the different threat actors, their resources, motivations and habits that can throw light not only on the prospects of attacks but also the potential for multiple victims and the severity of incidents.
Nascent actuarial approaches differ, but often amount to variations and combinations of three main types: extended frequency-severity models, network propagation models and expert-led scenario analysis. Many re/insurers now use formal models to support their assessment of cyber risks and help steer their exposure management. Primary insurers tend to rely more on external vendors than re/insurers, who have their own in-house models (Figure 1). This includes comparing insights from multiple external models, although in practice different model setups make that challenging, while strict licensing arrangements mean it can become prohibitively expensive.
However, says the Geneva Association, cyber models remain immature and their results can be volatile and inconsistent. Some simulations suggest a rare, industry-wide cyber incident could generate insured losses broadly comparable to some natural catastrophes, although the estimates are very sensitive to the assumptions employed. Other deterministic scenario analyses, which capture broader cyber-related claims, also indicate potentially much larger catastrophic losses, with re/insurers especially alert to the sizeable threat from a malware attack that indiscriminately affects many firms or disrupts key internet architecture (Table 1 below).