January 7, 2022 by Greg Meckbach
Cyber exposure is a bit of a moving target, and efforts to quantify the risk are challenging some of the underwriters in the business.
“Cyber is fairly unique in that you are playing against a human adversary,” said Tim Zeilman, vice president and global product owner for cyber at Hartford Steam Boiler. “As the fences get better, the attackers get better.”
Zeilman and other cyber experts in the industry were speaking in an October webinar hosted by Oldwick, N.J.-based A.M. Best. They observed that the pervasiveness of digital solutions in business has evolved to the point where coverage is now essential for even the smallest commercial clients.
But while ransomware criminals can make money “hand over fist” by devising new ways to defeat cyber protection, one reinsurer is warning some cyber risks are not insurable at all.
Cyber risk can be frustrating for underwriters, said Annamaria Landaverde, senior vice president and cyber team lead for Munich Re U.S.
“You can’t nail down the exposure. Cyber threats will continue to evolve. There have been years where the loss costs come from data breaches or from specific events and it just keeps on changing,” Landaverde said.
Factors affecting cyber risk are changing faster than traditional property risks, such as water and fire damage, Zeilman said during the webinar. One example is rapid evolution of ransomware, which can lock a system’s screen or a user’s files unless a ransom is paid.
Before 2018, cyber criminals were testing the ransomware business model, said Zeilman, by stealing confidential information and making relatively small demands.
“Cyber criminals found [that ransomware] really works. They can make money hand over fist … and the likelihood of getting caught is much lower than it was with the breach-of-personal-information business model,” he added.
The panel also discussed small business cyber coverage, specifically whether that should include ransomware coverage.
It’s important because small businesses have become increasingly digitized. “This has happened gradually over the course of the last 10-to-15 years,” said Zeilman. “It is hard to find a business, regardless of size, [that is] not incredibly reliant on their IT systems, on their data.”
One audience member asked whether cyber risks will remain insurable or whether the P&C insurance industry will need to pool cyber risk among insurers, reinsurers, and government.
Munich Re would deem a risk insurable if it’s measurable, said Landaverde. Some widespread events such as malware, data breach, or a cloud outage are insurable because the reinsurer could quantify its maximum probable loss.
But, she warned, widespread critical infrastructure outages are generally uninsurable. Examples include major shutdowns of satellite communications, the internet, or the electrical grid.
Cyber insurers need to manage their losses by setting maximum limits and sublimits to a point where the insurer can manage systemic events, she observed. They also need to raise rates as the loss ratio increases.
“There are several approaches that need to be taken simultaneously to ensure the sustainability of this market,” she said.
Feature image by iStock.com/COMiCZ