CyberCube’s Pascal Millaire believes we’ve only seen the tip of the iceberg when it comes to cyber catastrophe aggregation in the insurance industry and that, once you start layering the appropriate loads onto coverages, the market is not as profitable as it appears.
“This is a market that’s expected to double in the coming years from an affirmative standalone basis, and even then the vast majority of cyber aggregation sits in silent covers,” noted Millaire, who has led the data-driven cyber analytics firm as Chief Executive Officer since 2018.
Silent, or non-affirmative, cyber occurs when insurance or reinsurance policies across multiple lines fail to explicitly exclude cyber risks, and can result in an accumulation of losses within other policies from a single event.
In most traditional P&C insurance products, cyber is often not explicitly mentioned or considered, as these products were developed at a time when cyber had yet to emerge as a major business risk.
Millaire considers this an area where we can expect to see considerable movement over the course of the next 12 months.
“Many of our clients are currently undergoing a process of reviewing their policy wordings to see where cyber aggregation may lie.
“If I was to put out a prediction based on the work that we’ve done with our clients over the course of the last 12 months it would be that there will be considerable re-writing of P&C policies to more explicitly exclude or include and price for cyber risk,” he added.
“Unfortunately it took billions of dollars in cyber claims for the insurance industry to react in this way.”
Millaire also noted how one of the big developments of the last year or two has been cyber’s rise to prominence in the boardroom, and how the threat is an issue of concern to business leaders above and beyond those that work in IT.
“I think that’s been one of the biggest catalysts towards transforming cyber from being something that is an IT issue to something that is a business critical issue for the future of almost any enterprise,” he noted.
Of the myriad ways cyber risk is challenging the re/insurance industry’s preparedness for the 21st century, catastrophe modelling often features heavily in the conversation.
Millaire says modelling approaches that worked in the past for other lines of insurance, particularly those that rely heavily on historical data, simply will not be sufficient for cyber risk.
“That’s why at CyberCube, we supplement historical modelling approaches with alternative modelling approaches.
“One of those approaches looks at threat actors, including the nation state and non-nation state actors that have the potential to undertake attacks.
“We look at their capabilities and motivations and how those are changing over time and we use that information to model the potential for an aggregation event.”
Another approach, which Millaire considers an important evolution in cyber modelling, is something called ‘kill chain modelling’.
“Before you actually see a cyber claim, you typically will see various attempts at undertaking attacks. You’ll see reconnaissance, you’ll see the installation of malware, you’ll see failed attempts at attacks that are caught in a particular industry.”
Millaire says this helps insurers understand precursors to catastrophic events before they become claims, and is an important part of the firm’s modelling process.