The insurance and reinsurance industry loss from the NotPetya cyber-attack has the potential to increase by over 30% as the ongoing development of the event brings the tail into focus, according to Tom Johansmeyer, Co-Head of Property Claim Services (PCS).
The NotPetya attack was the first designated cyber catastrophe event under the PCS Global Cyber Index.
PCS explained in November of last year that the re/insurance industry loss from the event had exceeded $3 billion and was still developing, with around 85% of this being driven by non-affirmative (silent) property losses.
“For the first two years of its development, NotPetya remained mostly a property event. Although there have been some questions and concerns along the way, NotPetya became fairly stable faster than anyone expected for a cyber catastrophe,” said Johansmeyer in a discussion with Reinsurance News.
Of the $3 billion+ insured loss figure, two major risk losses contributed over 80%, and without them, Johansmeyer explained that the overall economic and industry loss would have been much more modest.
The high property loss component of the NotPetya cyber catastrophe event shifted the focus of the insurance and reinsurance industry from potential large professional lines losses, to the potential impact on the property market through both affirmative and non-affirmative cyber losses.
A lack of historical data surrounding cyber events and importantly the development of events over time, and the impact of this on the re/insurance sector, means it’s important not to be complacent with cyber catastrophes.
“It’s worth revisiting the potential concerns associated with professional lines claims from a cyber event. It looks like this issue is about to become relevant to the market,” said Johansmeyer.
“In past years, market players on the sidelines of the cyber sector would worry that a directors and officers (D&O) claim represented the nightmare scenario. D&O claims can drag on for years, and even successful claims handling can be an expensive and burdensome proposition. Now, think about what that means for a D&O claim resulting from a cyberattack.
“All the challenges that exist for professional lines claims on a good day are brought to bear on a “silent cyber” case—the sort of cause that may not have been contemplated by the original cover. This is the kind of difficulty that’s kept some capacity providers out of the market—particularly collateralized markets that worry about the risk of a cash drag during a drawn-out claim-handling process,” he continued.
Despite the fact that NotPetya ultimately became fairly stable faster than expected, this could all be about to change as a result of the arrival of a shareholder class action lawsuit, as reported by The D&O Diary, from the impact of the event on a subsidiary of FedEx, TNT Express.
“The potential impact on the industry insured loss estimate is not trivial – likewise the duration of the post-event development,” said Johansmeyer.
According to PCS analysis, NotPetya resulted in an economic impact of roughly $1 billion for FedEx, up from an initial disclosure of $300 million.
Johansmeyer explained that it remains to be seen whether the total at risk from the events discussed in The D&O Diary, but nevertheless, the revealed economic hit so far, provides a base for analysis.
“If this economic impact were to become an insured loss, it would result in an increase of more than 30 percent to the overall industry insured loss from NotPetya. Also, it would provide another dimension for analysis because cyber (re)insurance underwriters would be able to segment affirmative cyber, non-affirmative cyber losses to property, and non-affirmative cyber losses from professional line.
“The segmentation across classes of business could also turn the practical lessons of NotPetya into near-term risk- transfer flexibility. Cedents and capacity providers could use more granular triggers to shorten the tail and home in on specific risks that they want to trade in, rather than take an all or nothing approach to the tail. For example, an instrument could include affirmative cyber and non-affirmative cyber excluding D&O and E&O claims.
“In NotPetya, it took two years for the D&O claim to arise, while the property and affirmative cyber losses were fairly stable by then,” explained Johansmeyer.
Ongoing development of NotPetya shows how inherently complex the cyber risk landscape is.
At the same time, the evolution of the event does support greater market experience and knowledge around the risks and the potential tail from such events, which supports an increased understanding of a peril which seems set to impact the insurance and reinsurance industry more and more in the coming years.
“Cyber catastrophe remains a new and little-understood line of business, but lessons come every day. Of course, the only true source of experience is participation in the market. And where there’s original risk to be covered, there’s an opportunity for profitable growth,” said Johansmeyer.