While underwriting cyber risks is seen as one of the biggest opportunities in insurance and reinsurance right now, the risks to re/insurers could be equally large.
Cyber attacks such as the recent WannaCry ransomware have clearly demonstrated that self-propagating cyber exploits could become major sources of aggregated losses for the insurance and reinsurance industry.
The WannaCry attack struck over 150 countries around the globe, making it one of the most far-reaching cyber events ever. While the insurance claims from this are anticipated to be relatively low, the event is a clear demonstration of the potential for re/insurers to be hit by a massive number of claims, something security experts at Symantec have highlighted.
Pascal Millaire, VP for cyber insurance at Symantec, told publisher eWeek recently: “The WannaCry worm is one of the most significant and virulent forms of malware ever seen and therefore the insurance industry is taking notice.”
Millaire explained that it is the aggregation of claims from cyber attacks that could really hurt insurers in years to come, particularly as cyber coverage becomes more prevalent. The resulting claims that would then hit reinsurers could also be huge, which raises the requirement for coverages such as stop-loss in the cyber risk arena.
“Insurers underwriting cyber-risk can handle ten losses or a hundred losses, but when there is a major systemic event that can lead to thousands or tens of thousands of simultaneous claims, at that point there are solvency issues that can threaten the future of an insurer,” Millaire warned.
Experts at risk modelling firm RMS said recently that WannaCry represents the “first ever cyber-catastrophe” which demonstrates the systemic nature of cyber risk.
Estimates of the economic loss from WannaCry range from as low as $1 billion to as much as $8 billion, although insurance capacity is likely to only cover a very small proportion of the financial impact at this time.
However, interest in buying cyber insurance coverage has jumped since the WannaCry attack, which will increase the penetration of these types of ransomware coverage, meaning a similar attack in the future could result in a much greater proportion of the costs falling to re/insurers.
Symantec said that WannaCry is just one of three examples of a cyber attack that could be deemed systemic that have been seen in the last 12 months, citing the Mirai botnet and internet of things vulnerability and the Amazon S3 outage as two other cyber related events that could have resulted in a massive aggregation of claims.
“Fortunately each of the three events likely only had a modest financial impact on cyber-insurers,” Millaire told eWeek. “However insurers can no longer look at their portfolios and ignore the fact that there are hidden cyber-aggregation risks, regardless of whether the insurer is writing a specific cyber-insurance policy or other policies that might get triggered by a cyber-catastrophe.”
So far in 2017 ransomware is thought to have cost industries around $5 billion, which is fifteen times the number seen two years ago, according to.
This figure includes much more than just the costs of paying ransoms, with business interruption due to system downtime a major contributor, as well as loss of productivity and damaged or destroyed data.
It’s clear that a wide-reaching self-propagating attack, similar to WannaCry, that hits an unpatched vulnerability in a major computer operating system could result in huge numbers of insurance claims. This aggregation could then result in numbers big enough to see reinsurance markets having to support the claims payouts.
Deductibles are of course an issue, particularly with ransom payments themselves typically being low. But if the aggregation of claims relates to business interruption and other related classes of business, the total could rise very quickly indeed.
WannaCry has certainly provided a wake-up call to underwriters and to re/insurers assuming cyber risks. Whether it will prove the catalyst for a new way of analysing, underwriting and transferring cyber risks remains to be seen.