Russell Group attended the Zywave Cyber Insights Conference held on the 19th April at Bishopsgate in London where an audience of (re)insurers, cyber experts, legal firms, data analytics firms and risk managers heard a range of speakers outline their thoughts on the state of this burgeoning market.
Cyber growth premium to date has come almost exclusively from the U.S., according to David Howden, Founder and CEO of Howden in his conference keynote speech, but there is plenty of potential for Europe to expand into this exciting emerging market. The market today is worth $14 billion GWP but that could grow to $30-35 billion GDP by the end of the decade. Cyber risk is unique in the fact that more than 40% of policies are reinsured, this poses a problem for availability of capital. Insurance must remain relevant, with 95% of policies auto renewing this makes ‘us’ lazy – so there is no incentive to innovate. Insurers must do several things:
a) become relevant,
b) Provide a marketplace (for systemic risk),
c). Acquire capital,
d) Understand aggregation and risk transfer. Any product or wording must deal with the ‘systemic risk’ issue.
The 2023 Allianz Risk Barometer lists cyber incidents as the number 1 risk, ahead of Business Interruption in second place and macroeconomic developments in third. Insurance needs to be a partner to and help shape the world as it evolves– the future is in cyber.
A Mactavish survey showed that the high cost of cover is cited by respondents as, by some distance, the main barrier to cyber insurance uptake in the UK. This is despite the fact that cyber loss ratios fell from 70%+ in 2020 to 40%+ in 2022. The other barriers are cover not being fit for purpose, distrust over claims payouts and the lack of available cover. More generally, referring to traditional products, insurance is never bought (it is sold) and the purchasing is typically driven by regulation. The D&O insurance market 20+ years ago is how the cyber market is today.
Cover not being fit for purpose is reflected in the fact that only 8% of mid-size companies have taken out cyber insurance in France, for example, compared to 87% of large companies that can afford it. Meanwhile, the perception that cyber does not pay out on claim appears to be contradicted by the fact that in excess of 90% of claims are paid. Cyber premiums are only 0.3% of the total $4tr global insurance market. By contrast, the global derivatives market, which is a slightly more fancy form of risk hedging, has from a standing start grown to become a $6tr global concern in the matter of a few decades. What are they doing that we can learn from?
We need to employ diverse talents to talk positively and specifically (in the language of the cedant) communicate the value of insurance, and how, when it is underpinned by good quality data, it will appeal to a diverse range of investors with capital that will be attracted to good, believable modelling. In such a top heavy cyber reinsurance market, we should see many benefits from employing talented people from outside to bring a fresh perspective to issues such as Risk Accumulation.
Cyber “fat tail” risk is relatively hard to quantify and the same holds true for basis risk. The question for putting systemic cyber risk in focus is to define “what is a systemic risk?” It was agreed that indiscriminate (damage occurs but it is unknown) war risk is not insurable. War can also be viewed differently across different classes. CAT risk, however, has a role to play that is more discriminate.
By defining systemic risk and communicating this understanding to clients and investors better, the market will find it easier to attract the capital it requires to grow, diversify and spread the risk, which chimes with the appeal made by David Howden earlier in the conference to source new market talent. Insurers should look for ‘commonality’ between risks to better understand the catastrophic events.
How can data and analytics help to quantify cyber risks? The accumulation challenge is the biggest issue that the market faces. The risks are becoming more ‘ opaque’ – it becomes harder to clearly see the detail and impacts of events until they happen, which makes it difficult to be pro-active without data/insight. Knowing the risk better and being able to measure it will help here.
The upside will be a broader cyber offering with a more diverse capital base, which yields more innovation e.g. not one single, homogenous market, but many markets. More cyber players bringing more capital will lead to more competitiveness for policyholders. But we need to remove systemic risk from the equation to give comfort to capital.
In particular, the representative from a cyber risk modelling firm made reference to a ‘cyber triangle’ with three main threats (data breach, ransomware & cloud outage). Specifically he was challenged about the less known ‘frequency’ of these events. He argued the difficulty lies in quantifying these major events with so few datapoint examples. More work/innovation is required to ‘normalise’ the losses across different types and sizes of company.
The panel disagreed on the extent to which geography is an important determining factor in the loss and loss behaviour with one side stating that cyber events are becoming more global and spread wider more quickly and uniformly. Conversely, the data specialist argued that cloud outage specifically has geographical differences i.e. most of the western world uses Goggle/AWS/Microsoft but in Asia they use other providers like AliBbaba net which are their dominant suppliers – and so geography can be important.
The cyber market is unusual compared to other classes in that reinsurance assumes a greater share of the risk pie (40% of global cyber, with around $5/6 billion GWP), which is huge concentration risk. Market-wide collaboration and partnerships is going to be vital, not just in cyber but at local, national and supranational nation state levels. There is “no room in politics” for cyber because it is everywhere and, essentially, borderless.
Energy infrastructure is often cited as a critical cyber risk but as the final conference speaker, who was the head of Israel’s cyber defensive capability (the nation’s CISO) explained, “democracy can be described as critical infrastructure.” Democracy is despised by the world’s more autocratic regimes, which are straining every sinew in their attempts to attack democracy’s “open, soft underbelly.”
Anti-democrats prefer cyber “hybrid” asymmetric warfare as it does not require expensive hardware to inflict damage and cause mayhem to their opponents. The technology and the talent required to cause harm is cheap, flexible, and anonymous. However, it is not true to state that governments and their spy agencies cannot attribute cyber-attacks within a country. They can, but choose not to for a range of reasons, including national security concerns, a desire not to “empower baddies” and the legal minefield that often ensues.
Russell has relationships with a number of data providers, including Zywave, which allows us to be increasingly proactive in addressing many of the themes mentioned in this article. Russell is working on a connected solution and a framework which could help to move, not just the cyber market, but all the classes forward. We provide insight, analysis and action – a timely call to arms for these uncertain and unquantified times.