Major cyber accumulation scenarios
Starting in 2016, businesses worldwide were exposed to a series of cyber incidents that put a spotlight on this peril like never before. From NotPetya to WannaCry, ransomware and malware attacks and their aftermath created havoc for businesses, sometimes causing losses in the hundreds of millions – or even billions – in economic terms. One particular problem was that these attacks proved to be globally contagious, infecting organisations across 65 countries.
It is evident that in cyber a significant accumulation potential on a global scale arises from shared software or hardware vulnerabilities, the disruption/outage of central IT services, and attacks on critical infrastructure, such as power supply or telecommunications networks – including the internet. Each of these events may cause various types of financial losses to thousands of companies, and hence a major accumulation loss.
Although the major cyber accumulation risk scenarios are essentially man-made, not all are malicious. In addition to malware attacks and attempted data breaches, technical failures and human error can also have devastating consequences.
In February 2017, a simple human error by an employee caused a widespread outage of over four hours at one of the world’s largest cloud infrastructures. Economic losses at S&P 500 companies reached US$ 150m, while financial services firms lost US$ 160m. This illustrates how a single event can cause high losses, not only for many businesses, but for insurers and reinsurers as well.
Challenges in accumulation control
The increasing interconnectedness of risk in cyber supply chains and the shared vulnerabilities of commonly used software or hardware components make the whole chain vulnerable to disruptions of IT services or networks, untargeted widespread malware or ransomware attacks, and large-scale data breach and exfiltration campaigns. In terms of accumulation modelling, it is extremely challenging to identify the full set of dependencies among risks, define scenario footprints, and assess the severity of an event’s impact on the many companies affected.
Historic events are only of limited use in predicting the frequency and severity of future events because threat vectors continuously and rapidly change, as threat actors aim to develop new and unforeseen attack patterns. Just as companies are continuously bolstering their defences against future attacks, the threat actors are, in turn, redoubling their efforts and improving their attack capabilities. Moreover, loss potential will further increase due to the reliance of basically all companies on digital technologies.
Adding further complexity to the modelling and management of accumulation potential is the fact that there may be hidden cyber exposure within existing coverages. In a large number of traditional property and casualty policies, cyber risks are not mentioned or are not explicitly included or excluded, which may lead to exposure in such portfolios. Some policies do define cyber risks, but are not always clearly worded. As a consequence, insurers may face additional accumulation potential from this kind of non-affirmative (“silent”) cyber exposure.
Even with modelling approaches improving further, insurers may still be exposed to risks that are seen as uninsurable due to the underlying accumulation potential. This is particularly the case with critical infrastructure disruptions such as power outages or the unavailability of the internet. In terms of cyber, the accumulation exposure that Munich Re is concerned with is an unintentional and unplanned infrastructure failure impacting a large number of clients, with huge exposure to business interruption losses and certain other first-party elements of a typical cyber policy. Due to its systemic nature and the uncertainty surrounding the potential quantum of such an event, Munich Re does not believe the failure of such infrastructure is insurable, and as a consequence does not want to insure this kind of risk at this time.
Quantification approaches for cyber accumulation risk
In the quantification of cyber accumulation risk, the most conservative/restrictive (but also least sophisticated) approach is the aggregation of full insurance policy/layer limits for all exposed participations in an insurance portfolio. This is often applied if there is no limiting feature for an accumulation path, or if the individual risk information is not available to assess the exposure with respect to a defined scenario.
Given the limitations related to the aggregation of full policy limits, a more sophisticated approach is to define the narrative and specify deterministic assumptions for a cyber catastrophe scenario, and to assess the economic as well as insurance loss implications thereof. For that, the number (incident rate) of affected companies and average costs per affected company as well as potential claims types and available coverage per claims type (silent and affirmative) have to be assessed and estimated. Once an insured market loss is arrived at, the portion of loss for an insurance company can be approximated and used as a benchmark for further risk management considerations.
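The two approaches described above, worked through on constructed data as an added example (this is not Munich Re's model or code; the portfolio, limits, incident rate, average costs and coverage shares are all assumed sample values). It shows the full-limit aggregation as the conservative benchmark, the deterministic scenario at market level (economic loss, insured market loss, the insurer's portion) and the same scenario applied per policy where individual risk information is available.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    insured: str
    limit: float   # full policy/layer limit in USD
    cover: str     # "affirmative" cyber cover, "silent" (non-affirmative) or "none"

@dataclass
class ClaimType:
    name: str
    avg_cost: float           # average cost per affected company, USD
    affirmative_share: float  # fraction of that cost paid by affirmative cyber policies
    silent_share: float       # fraction paid by non-affirmative ("silent") covers

# Constructed sample portfolio and scenario assumptions (not from the article).
PORTFOLIO = [
    Policy("Retailer A", 10_000_000, "affirmative"),
    Policy("Manufacturer B", 25_000_000, "silent"),
    Policy("Bank C", 50_000_000, "affirmative"),
    Policy("Logistics D", 5_000_000, "none"),
]
CLAIM_TYPES = [
    ClaimType("business interruption", 500_000, 0.40, 0.10),
    ClaimType("data breach response", 200_000, 0.50, 0.05),
]

def full_limit_aggregation(portfolio):
    """Approach 1: sum the full limits of every exposed participation (most conservative)."""
    return sum(p.limit for p in portfolio if p.cover != "none")

def scenario_market_loss(exposed_companies, incident_rate, claim_types):
    """Approach 2 at market level: returns (economic loss, insured market loss)."""
    affected = exposed_companies * incident_rate        # number of affected companies
    economic = sum(affected * c.avg_cost for c in claim_types)
    insured = sum(affected * c.avg_cost * (c.affirmative_share + c.silent_share)
                  for c in claim_types)
    return economic, insured

def insurer_portion(insured_market_loss, market_share):
    """Approximate one insurer's share of the insured market loss via its market share."""
    return insured_market_loss * market_share

def scenario_portfolio_loss(portfolio, incident_rate, claim_types):
    """Approach 2 per policy: expected loss = incident rate x min(limit, covered cost)."""
    total = 0.0
    for p in portfolio:
        if p.cover == "none":
            continue
        covered = sum(c.avg_cost * (c.affirmative_share if p.cover == "affirmative"
                                    else c.silent_share) for c in claim_types)
        total += incident_rate * min(p.limit, covered)
    return total
```

Comparing `full_limit_aggregation(PORTFOLIO)` with `scenario_portfolio_loss(PORTFOLIO, 0.2, CLAIM_TYPES)` shows how far the full-limit benchmark sits above a scenario-based estimate for the same portfolio.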
The probabilistic modelling of scenario events, which goes along with increased data requirements, is the ultimate goal but also the most challenging: models have to be continuously reviewed, and – if necessary – revised and adapted to the dynamic threat environment and to technological and legal changes. In order to develop a probabilistic model, the frequency and severity of events have to be modelled by probability distributions.
Ingredients for modelling cyber accumulation risk
Based on major cyber accumulation paths, “single points of failure” are to be identified that could result in widespread impact (business interruption and/or data-breach losses) across thousands of businesses all at once.
In recent years, the technological tools for quantifying the incident rates of various cyber threats have evolved in line with the challenges. Insurers aiming to model loss frequency and loss severity for commercial businesses, for example, first had to build a framework of appropriate risk criteria. By measuring the various IT system components within a company and the malware propagation rates attributed to each device, server and application, it became possible to evaluate the impact of various security measures on the frequency and severity of claims. This, together with statistical data on cyber incidents, is the prerequisite for building pricing and accumulation loss models.
Ways to proceed
Even though accumulation risk from malware, data breaches, IT service provider outages (or any other threat) remains a challenge, the role of the insurer is evolving to tackle these challenges head on. Insurance companies are actively working to close this gap through better quantification and modelling of accumulation risk, by creating smarter tools, and by using data analytics when searching for predictability measures. Through modelling and understanding these risks, and given their unique position to support businesses both before and after a potential event, insurers and reinsurers should actively promote and provide the prerequisites for new innovations in cyber coverage.
Please feel free to speak to us to find out more about accumulation modelling in cyber insurance.