The budding cyber insurance and reinsurance industry is already in the process of rapidly maturing with policy limits currently five times larger than those of just 4-5 years ago, according to loss trends highlighted in a new PCS report.
2017 became the most active year for cyber risk losses in market history, with more than $400 million in aggregate losses across just three events.
PCS cites the availability of larger coverages as part of the reason for record-level losses; since 2013, reporting only single risk losses worldwide, nine cyber risk loss events with insured loss estimates of at least $20 million have been identified.
2013 and 2014 losses came with policy limits of around $100 million, however, today there are programmes in place that offer $500 million in protection — sometimes more, PCS noted, demonstrating the rapid growth and innovation within the cyber re/insurance industry to accommodate the growing threat.
In 2015, the gap between insured losses and the number of major cyber events recorded by PCS was at its largest since 2013, with about $125 million in insured losses compared to nearly $300 million in major global cyber risk losses.
The last two years have shown a strong decline in the gap between insured losses compared to the number of major cyber incidents, with 2017 marking the first year in which the scale of insured losses matched the number of cyber events reported by PCS.
However, economic losses still tend to exceed cyber cover limits.
Equifax and Merck left economic losses estimated to be in excess of $1 billion, and many firms lacking in cyber cover were affected by events like Petya/NotPetya, Maersk and FedEx.
PCS commented that; “there are still some companies that lack cyber coverage, and they were affected by events like Petya/NotPetya. Maersk and FedEx, for example, had large economic losses but didn’t have any cyber protection in place.
“Earlier cyberattacks affecting multiple companies occurred at a time of low affirmative cyber insurance penetration. Low levels of insured loss would keep those events from being considered under our methodology.”
PCS announced plans to expand its Global Cyber Report from a focus on single risk losses to include events large enough to be classified as a cyber catastrophe with sufficient insured loss to warrant investigation and has so far identified Petya/NotPetya as the sole “cyber catastrophe” event since 2013.
The insurer said it expects to launch an expanded Global Cyber methodology to include cyber catastrophe events later this year.