Report

Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study

By: Siobhan O’Brien, Jeremy S. Platt, Erica Davis, Christopher Shafer, Rebecca Bole and Yvette Essen

The inexorable spread of the digital economy is fundamentally changing the nature of risk, presenting unique opportunities – and challenges – to the (re)insurance industry. How the industry responds to the rapid pace of technological change is crucial to its long-term relevance and growth.

The constantly evolving nature of cyber risk makes it challenging to definitively quantify, yet it is critical for (re)insurers to understand the impact of severe events to inform strategy and risk tolerance. It is essential to develop a deep understanding of the characteristics of cyber catastrophe events and the financial impact they could have on the standalone cyber insurance market today. As the (re)insurance industry seeks to reduce protection gaps and drive cyber product adoption, the future growth that results will help develop a robust market better equipped to absorb the potential for large-scale losses.

With that premise in mind, CyberCube Analytics, which offers a software-as-a-service analytics platform for cyber risk aggregation modeling and insurance underwriting, and Guy Carpenter collaborated on an endeavor to help (re)insurers quantify cyber risk. This was done by pooling data resources and analytics capabilities in order to cultivate a view of the potential U.S. cyber industry loss from among a range of cyber catastrophe scenarios. This study aims to contribute to the discussion surrounding the key drivers of catastrophic insured loss within the U.S. cyber insurance market and how these results can be incorporated into portfolio construction, risk retention and transfer strategies and capital allocation.

We focused on the five scenarios that drive the highest loss values. For each, we considered the size of the loss, the single point of failure (SPOF) targeted to execute the attack and the implications of these findings on the insurance market. The five major contributing catastrophe scenarios are:

  • Long-lasting outage at a leading cloud service provider (USD 14.3 billion loss)
  • Large-scale cloud ransomware at a leading cloud services provider (USD 11.5 billion loss)
  • Widespread data loss from a leading operating system provider (USD 23.8 billion loss)
  • Widespread theft from major e-mail service provider (USD 19.1 billion loss)
  • Large-scale data loss from cloud service provider (USD 22.2 billion loss)

Insurance companies and the organizations they insure need to be aware of these major catastrophic scenarios, and understand the response plans necessary and potential financial losses in each. Bearing this in mind, the industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption, and quantifying cyber risk to promote the purchase of adequate insurance limits.

The following are the five key considerations we highlight for (re)insurers and other stakeholders to help protect profitability and examine capital adequacy of the existing U.S. cyber standalone insurance industry:

  • The U.S. industry 1-in-100-year return period produces total annual cyber catastrophe insured losses of USD 14.6 billion (this can include one or more events within the same year).
  • Both on-premise and cloud service providers face exogenous threats from malicious third parties. Focusing on cloud service providers, the calculated probability of ransomware is four times larger than the probability of other outages.
  • The top five scenario classes comprise roughly 75 percent of the total average annual loss (AAL).
  • The costliest cyber catastrophe scenario is widespread data loss from a leading operating systems provider with potential to generate up to USD 23.8 billion of insured loss.
  • The most likely cyber catastrophe loss scenario is widespread data theft from a major email service provider.

Growing pains

According to some estimates, the global market volume for cyber insurance will grow to USD 8 to 9 billion by 2020 – more than twice that of 2017. With many traditional lines of insurance experiencing stagnating growth, cyber is increasingly viewed as having large growth potential for commercial property and casualty (re)insurers.

Despite this growth potential, there are headwinds to overcome as cyber insurance continues to grow and evolve. Increasing competition as new entrants seek to take advantage of the growth potential has created pressure on rates as well as an expansion of available coverage. The exposure data needed by (re)insurers to quantify and price cyber risk appropriately is a moving target as coverage matures and (re)insurers develop a deeper understanding of how to translate cybersecurity metrics into indicators of loss.

Historically, cyber insurers have seen a series of one-off data breach losses, some of which – the Marriott data breach in 2018, for example, with breach costs estimated at more than USD 2 billion – are not fully captured by industry loss performance, since the insurance limit purchased was far less than the expected ultimate economic loss. The largest multi-insured loss arising from a cyber-attack is the NotPetya event in 2017, estimated by Property Claim Services (PCS) at more than USD 3 billion. However, due to underinsurance and low product penetration by the affected businesses, most of that loss will likely fall to the non-affirmative insurance market.

There is consistency in the scale of financial impacts resulting from cyber events, regardless of line of business:

  • Cybercrime costs are predicted to hit USD 6 trillion annually by 2021. This followed a record year in 2017 of USD 600 billion.
  • The World Economic Forum’s 2019 cybercrime estimates put economic losses from cybercrime at USD 3 trillion in 2020.
  • In the “Bashe Attack: global infection by contagious malware 2019,” the global economy is described as underprepared, with 86 percent of the total economic losses uninsured, leaving an estimated insurance gap of USD 166 billion.

Identifying Vulnerabilities

The analysis drew on enterprise data for millions of companies worldwide, including:

  • Organizational footprint: assessed against factors internal and external to the enterprise, enabling a comprehensive view of key technology dependencies and the “attack surface” available to malicious actors.
  • Organizational attractiveness: measuring a range of assets and characteristics that could provide a motive for any class of threat actor to target the enterprise.
  • Cyber vulnerabilities: derived from analysis of internal and external telemetry. This holistic view enables measurement of the relative success rate of cyberattacks.
  • Cyber security posture: measured against a wide range of indicators that provide insight on the quality of security in place.

A few key technology dependencies recur and manifest as potential vectors for a widespread cyber-attack on multiple companies across multiple geographies at one time. We call these Single Points of Failure (SPOFs). Key SPOFs that could lead to the costliest losses include: operating systems providers, email service providers, cloud service providers and critical utilities providers.

Many cyber underwriters consider the cloud to be a major SPOF in causing a systemic cyberattack. Adoption of the cloud for business use is certainly increasing dramatically. A LogicMonitor survey in 2018 suggested that 83 percent of companies will be using the cloud by 2020. There is less understanding within the insurance industry of the implications of cloud services. The cloud is not one service, but rather several different types of service – storage, computational power, backup services and so on – and the dependencies on these vary.

However, our study found that major cloud service providers are just one class of SPOF generating catastrophe loss. Other SPOFs that should be considered include operating systems providers, email servers and critical infrastructure providers, because these also serve as points of aggregation, thus enabling a systemic loss in the event of cybersecurity failure.

We strongly believe that taking a robust, modeled and forward-looking view of cyber catastrophe risk can help enable the cyber insurance market to grow sustainably. Ultimately, sustainable growth will better position insurers to bridge the protection gap for businesses and form lasting partnerships as part of robust cybersecurity frameworks.