As cyber continues to remain one of the biggest lines of business across the re/insurance industry, there are a number of challenges that the cyber market is currently facing, in light of the recent number of data breaches and major cyber events that the industry has seen throughout the past year.
Reinsurance News recently spoke to Shawn Ram, Head of Insurance at Coalition, who explained what some of the biggest challenges currently within the cyber re/insurance market are today.
“I think the first dominant challenge in cyber insurance today is the topic of systemic risk, and this is notable for many reasons. Looking at this past year, we’ve had multiple events that gave pause and consideration to the topic of aggregation. There was the Change Healthcare data breach in the first quarter of the year; a material event, which caused nearly a billion dollars of economic loss to the United States, where one company was ransomed causing two-thirds of pharmacies to go down,” Ram explained.
“You then had the CDK breach in May, which impacted 15,000 auto dealerships in North America, and then the most recent and notable one was obviously what happened with CrowdStrike.
“So two events were caused by an adversary, a security failure, and the CrowdStrike matter was not a security event, but still caused a large number of companies to have a cyber-related event stemming from one company. The notion of how to understand, calculate and underwrite systemic risk is the most dominant challenge in the industry.”
The second challenge that Ram highlighted is today’s cyber environment. He noted how during the COVID-19 pandemic, the world went digital and started trying to figure out how to work from home, and how there were a lot of security-related events during that time.
“Ransomware became a substantial problem in the industry, which led to quite a dramatic hardening of the market from a pricing perspective. As a result, many companies who were less interested in cyber due to lack of understanding or lack of comfort felt like there was rate adequacy. So, you had a lot of capital enter into the market, which drove a material softening of the market, beginning in the fourth quarter of 2022,” he said.
“The final topic that I would address is just the diversity of underwriting practices. In many areas of the insurance industry, you have consistent underwriting practices and beliefs around the core exposure variables and data elements needed in order to truly understand a risk, and how to underwrite. In cyber, it’s just incredibly diverse. The methodologies that are utilized in order to: number one, understand risk, and number two mitigate risk vary quite widely across the industry. I think the evaluation of cyber underwriting from a reinsurance perspective – the value that’s being provided by reinsurers to the cedents – is a growing challenge.”
Going back to CrowdStrike, we asked Ram to explain how major cyber events, including CrowdStrike, have called for new ways of approaching cyber reinsurance.
He explained: “I think one of the nuances about cyber and CrowdStrike is most people, when they think about cyber-related risk, they think about an adversary or a security-related matter, like being hacked and as a result of me being hacked, I caused financial damage to myself or to a third party. The most prominent trigger in a cyber policy is security failure.
“The nuance of CrowdStrike is that security didn’t fail. CrowdStrike’s an extremely prominent, quality security provider across the world, and their security did not fail. What simply happened was there was a technology update that caused a lot of systems to go down. The visibility, or perhaps notoriety, of a non-security matter causing this type of cyber-related event was not as prominently known perhaps as it should be.
“Being a cyber provider at Coalition, we’re keenly aware of the risk of what’s referred to as systems failure, or a non-security event causing an outage, a business interruption related event like this. The industry has been very focused on security failure-related matters, and CrowdStrike has brought a lot of attention to the need to equally focus on systems failure as well.”
Moving forward, Ram also shared his thoughts on artificial intelligence (AI), and whether he feels that it has a positive or a negative impact on the cyber reinsurance market?
“AI has both a positive and negative impact on cyber-related risk. Artificial intelligence provides a tremendous amount of data, real-time information and analytics to the nature of how we evaluate, monitor and mitigate cyber-related risks within a security framework. So in terms of how we manage IT and how we prevent losses from occurring, AI provides a lot of value there.”
He continued: “AI equally provides value to adversaries. An easy example is adversaries commonly hack companies from international locations, and language and communication becomes a barrier. If you’re going to ransom someone, you actually have to interact with them. AI has voice recognition and the ability to speak in accents – all those types of things can make communication a lot easier, and there aren’t as many limitations when hacking someone in a different country with a different language. It’s much easier to do.
“On another hand, AI provides positive and negative benefits just to the core risk of cyber. As it pertains to underwriting and reinsurance, I think artificial intelligence provides a tremendous amount of speed and scalability towards underwriting. AI also provides a tremendous amount of scalability around understanding and underwriting individual accounts within a portfolio.”
Concluding: “The greatest value to reinsurance is the data and information quality that AI can bring to underwriting. It does a really good job of helping us understand the unknown unknowns. It’s the questions you don’t know to ask. Looking at the portfolio and understanding where are the critical risks, where is the aggregation of the most concerns, and what is the cat load that I should apply on a particular portfolio versus an attritional loss aspect? We can do this through AI at a far greater speed and scale than a human could ever do alone.”
