Canadian Underwriter

Why systemic cyber remains an industry risk


January 30, 2024   by Jason Contant


Editor’s Note: An earlier version of this article said that CFC established the cyber monitoring centre when in fact they were the driving force behind its establishment. As well, the article implied that the centre has a link to insurance language, which it doesn’t. The centre is hoping to classify cyber events for U.K. organizations. Canadian Underwriter apologizes for the errors.

 

Systemic cyber risk remains a concern for capital providers and reinsurers, particularly as more and more businesses look at outsourced cloud-based IT operating models, a cyber underwriter told Canadian Underwriter recently. 

“A lot of capital providers and reinsurers, they need comfort around some of the systemic risk modelling,” John Sinclair, senior underwriter with CFC Underwriting, said in an interview. “A potential long-term brake on cyber capacity will be around systemic risk and that very much is a pressing concern for capital providers. 

“No one wants to wake up and find that 10, 20% of their portfolios effectively had a loss from a single incident.”

Systemic cyber risk is essentially a single cyber event that triggers multiple failures. One recent example that affected Canada was the global data breach of file transfer software MOVEit. The breach of the third-party system in June 2023 affected the personal information of at least 100,000 people in Nova Scotia, government officials said at the time. MOVEit had deployed a patch on May 31, just before the breach.

The provincial government used the software to transfer employee payroll information. The hack affected current and former employees of the public service, including current and former teachers, students, inmates and even some newborn babies. 

“That’s very systemic by its nature because a single attack…was able to lead to hundreds of businesses having an incident,” Sinclair said, adding that the attack also indirectly affected service providers, like accounting or legal firms using the software. 

‘Cascades downstream’ 

“So, you can see how it really just cascades downstream from effectively a single attack,” Sinclair said. “The concentration of risk is only increasing, which does lead to more systemic exposure across the market. 

“All roads lead back to systemic.”

Lloyd’s has also raised concerns about systemic risk, saying that a global systemic cyberattack could result in widespread disruption to global businesses and trillions of dollars in economic losses. The “hypothetical but plausible cyberattack on a major financial services payments system” would cost $3.5 trillion in economic losses over five years, Lloyd’s said in a report last October. 

Lloyd’s has been concerned as well that war exclusions traditionally used in cyber insurance policies do not adequately address the inherent systemic loss risk associated with cyber threats. A single cyberattack that has a widespread impact across multiple organizations could, Lloyd’s says, affect the insurance market’s ability to pay any covered losses. 

While there has been some innovation in the cyber space, “a lot of it does come back to the systemic nature of cyber,” Sinclair said.

“And that’s obviously a concern if you’re providing a product which is basically linked to the failure of major cloud providers. How much systemic exposure does that potentially bring?” he asked. 

Marc Lipman, president and attorney-in-fact at Lloyd’s Canada, said last October that systemic cyber risk needs to be tackled with more capacity and ways of dealing with the attritional cyber market. 

“Just like there developed a traditional, attritional property market and a separate Cat property market, we need to develop the same sort of bifurcation for cyber in order to properly price the attritional cyber market and encourage sufficient, reliable capacity,” Lipman said during Insurance Bureau of Canada’s Commercial Insurance Symposium. 

“Carriers can then sell as a standalone product, with a separate pricing structure, supplemental coverage addressing the risks associated with a systemic cyber event like a state-backed cyberattack.” 

For its part, CFC has been the driving force behind the establishment of a U.K. cyber monitoring centre that defines and categorizes cyber events.

Sinclair said that if the independent body does succeed in its aim of classifying cyber events impacting U.K. organizations, it could eventually lead to insurers using this classification to apply single catastrophe exclusions to policies. Insurers could then allow clients to potentially buy back that exclusion by getting reinsurance capacity to sit behind that cyber Cat exposure, in exactly the same way that a specialist property Cat market has developed because of the categorization of those incidents. 

 
