Globally, commercial insurance customers are getting a great deal on cyber insurance right now, but this will only last until a major cyber incident causes a huge, one-time loss for the property and casualty insurance industry, a computer security expert warns.
For every dollar that insurers make in premiums from cyber insurance globally, they are paying out about 40 to 55 cents in claims costs, meaning the “attritional loss ratio is 40 to 55%,” said Pascal Millaire, CEO of CyberCube Analytics Inc., in a recent interview. Cyber insurance is “quite profitable for carriers,” and therefore pricing is “quite favourable” for customers, said Millaire, whose firm is based in the San Francisco area.
But Millaire contends that carriers, in deciding what premiums to charge on cyber insurance policies, have not built in the possibility of a catastrophic cyber incident. An example would be an incident affecting several dozen, or several hundred, separate companies, all with cyber insurance from the same insurer.
By analogy, he said, a property insurer covering earthquake damage in California could have a “very attractive loss ratio” up until the time a major earthquake hits. In the same way, one single cyber incident could ultimately drive premiums higher.
“First, we would likely see substantial increases in exclusionary language in policies that otherwise cover cyber as a peril, resulting in reduced coverage,” Millaire said. There would then be a “spike in pricing” on policies that do cover cyber risk.
In Millaire’s view, the insurance industry has experienced some near misses over the last 12 to 18 months that almost became catastrophic, single-point-of-failure events. An example is the NotPetya attack in 2017, he said.
NotPetya “was the most destructive and costly cyber-attack in history,” the United States Treasury Department said in a release on March 15, 2018. NotPetya “resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines,” the department added. “Additionally, several hospitals in the United States were unable to create electronic records for more than a week.”
NotPetya caused “tremendous economic losses in the order of hundreds of millions of dollars from many companies simultaneously,” Millaire said.
Cyber insurance “is still a very immature market,” Millaire said. “The market is coming to grips with appropriate pricing for cyber risk and I think this is a story that will unfold over the quarters and years to come.”