Library: Swiss Re – Cyber insurance: strengthening resilience for the digital transformation
Executive summary
Cyber risks are on the rise
The world of today is one of increasing geopolitical and economic instability. This has many drivers, most prominently the war in Ukraine and simmering tensions between the US and China. With many facets of life going increasingly digital at the same time, the spectre of cyberattacks looms large. The prospect of a state-sponsored or private attack on another country/region with catastrophic fallout is very real. It could take the form of an attack on infrastructure facilities such as power grids or key communication systems, among others. The resulting losses from a systemic cyber event could be very large, impacting companies, the broader economy and society at large.
The cyber risk landscape is evolving fast
So far there has not been such a systemic incident. Nevertheless, the cyber risk landscape is evolving fast, with ransomware incidents and cybersecurity worries from businesses and governments at an all-time high. McAfee estimates global monetary losses from cyber crime in 2020 at around USD 945 billion. Attacks have become more sophisticated. Hackers now use “triple extortion” techniques, and ransomware-as-a-service has lowered entry barriers to rogue actors. Small and medium-sized enterprises (SMEs) with little defence capacity have become easy targets for cyber criminals, while digitalisation of industries, including the healthcare and critical infrastructure sectors, has increased vulnerabilities across entire supply chains.
Insurance plays a key role in risk management
Before the NotPetya attack of 2017, cyber risks centred around data breaches and third-party liability. For re/insurers, the proliferation of data privacy regulations opens the door to litigation procedures and increases long-tail risk exposures. In the last two years, first-party claims have become dominant, with ransomware incidents from organised crime shifting damages to core business. Firms, insurers and public authorities have redoubled risk management efforts, and industry associations and insurers have worked together to address the related issue of “silent cyber” by clarifying the scope of traditional policies. Insurance plays a key role, providing not just for risk transfer but incentivising risk mitigation, supporting monitoring and aiding responses to cyberattacks.
But compared to losses, the market is small
But the cyber protection gap remains large, with premiums amounting to just a fraction of total losses from cyberattacks. Most firms are uninsured or significantly under-insured for cyber risks. In a recent survey, only 55% of businesses reported having cyber cover and fewer than one in five have cover limits above the median ransomware demand. We estimate that the total claim arising from a cyber incident targeting an SME is in relative terms three times more than for large corporations, with forensic costs typically ranging from USD 20,000 to USD 100,000 for a firm with turnover of less than USD 50 million.
Insurers have addressed surge in ransomware losses, next is catastrophic events
The surge in ransomware attacks drove loss ratios higher in 2020. Insurers responded by increasing prices, improving underwriting discipline, introducing sub-limits and coinsurance, clarifying terms and conditions, and excluding – or explicitly pricing for – cyber exposures in other property and liability policies. These actions had a degree of success: loss ratios plateaued in 2021.
But cyber risk does not meet all characteristics of insurability
Some of today’s cyber risks do not fully meet the typical characteristics of insurability. Most notably, the aggregation of losses could quickly and significantly impair diversification and/or challenge market capacity. The risk is hard to quantify because of immature data and a lack of model consensus. Limited insurability restrains capacity despite growing demand, creating challenges for market growth in the longer term. To address these limitations, more cyber talent, standardised data, better modelling, greater contract consistency and new sources of capital are needed. Likewise, there is scope to consider opportunities for new types of public-private risk sharing mechanisms. These measures can help mitigate overall exposures, improve risk understanding and help make society more resilient to attacks with devastating and potentially systemic consequences.
The human and networked nature of cyber means the risk will continually evolve and require a coordinated response. Enhancing resilience will require collaboration between corporations, insurers and governments. Cyber risks have risen with geopolitical and economic instability, and with society’s increased reliance on digital technologies.
The cyber risk landscape is evolving fast and the associated attack threats are becoming ever more sophisticated. Risk management efforts have increased in response, with insurance playing a key role and the market growing quickly, but the market remains small compared to economic losses. Insurers have addressed the surge in ransomware losses and must now deal with catastrophic events. Cyber risk does not meet all the characteristics of insurability, limiting the potential growth of the market.
See the full report for more…