Possibility of a Billion-Dollar Systemic Cyber Event ‘Real’

A systemic event and the threat it could pose to insurers’ portfolios is not the million dollar question, but perhaps the billion dollar question, according to Norman Niami, immediate past chairperson and member of The American Academy of Actuaries.

“It’s real, and it’s there,” Niami said. “And there’s hardly any industry that’s not impacted in terms of segment. Maybe 10, 12 years ago, it was mainly the financial entities and healthcare, but these days, it’s pretty much hard for any industry not to be impacted.”

Insurance Journal’s webinar Weathering the Storm: Cyber Insurance Risk in 2024 included Niami as well as Max Perkins, head of strategy and innovation for cyber and technology at AXIS Global, and Erica Davis, managing director and global co-head of cyber at Guy Carpenter.

While all lines of business are exposed to systemic risk, Davis said it can be defined in a few different ways.

“At a macro level, [systemic risk] is the probability of an event that ignites a series of successive losses,” she said. “And that could be across a chain of institutions or markets, and it’s deeply related to interdependence and interconnectivities.”

Essentially, it’s risk that affects the entire market, she explained. Some of the most commonly cited examples are natural catastrophes. However, systemic risk could refer to any financial crisis at a global level or at a regional level that has widespread implications, Davis added, such as the COVID-19 pandemic, political risk, or climate change.

“Really anything that causes a series of disruptions across the financial sector or across value chains,” she said. “When you look at cyber relative to all those lines of business, what we actually find is that the tail evaluation has shown that cyber actually does not represent outsized aggregation loss compared to some of those more established cat perils. So, exposed from all lines of business, the modeling credibility around it is difficult, but certainly something that I think people are more attuned to in the current risk environment.”

Don’t Worry. Be Focused.

Perkins encouraged underwriters to spend less time pondering the billion-dollar systemic risk question and more time focusing on improved security at the individual insured level to prevent systemic events.

“To be blunt, I’d actually rather our underwriters not worry about systemic risk within the individual accounts that they’re working on,” he said. “That’s actually the job that we’re focused on as we look at the book’s construction, the portfolio of our book, and how we manage it, and how we retain certain risks or see risk out.”

Insurers need to focus on demanding greater accountability for risk management so that insureds can access coverage.

“You need to manage the risk—the original risk—in order to be able to transfer it out,” Perkins said, pointing to the early days of growing the market when there were few barriers or requirements for those seeking cyber coverage.

Now, he said, things have changed.

“The reality is that we really need to get back to establishing minimum-standard controls,” he said.

Having endpoint protection, multi-factor authentication, monitoring and other controls can help first on the attritional loss side and add a layer of protection against criminals looking for easy targets.

“And the reason why I’m not flippantly saying our underwriters shouldn’t really be thinking about the systemic loss is because their job is to focus on that individual,” Perkins said. “But if they focus on the individual with the attritional in mind, it will all bubble up to help us and let us as the management team think through the portfolio construction—how we want it to look, and how we want to again seed it out the back end.”

Perkins said insureds need to consider cybersecurity as an investment that will be made in capital expenditures over time.

“You’re usually thinking about that in terms of property,” he said. “Let’s do the same thing with our IT systems and with our virtual or intangible business assets. Because if we do that, then that will help us all to reduce the systemic.”

He clarified that while systemic risk is not going to disappear with individual insured efforts, “hopefully, we will reduce the likelihood and push it further out in the tail.”

The Ransomware Challenge

Focusing on security controls at the individual insured level is particularly relevant as ransomware is back in the conversation for insurers after attacks dipped slightly in 2022, with privileged access management provider Delinea reporting a 61% decline in organizations reporting an attack compared to 2021 levels. This was based on a survey of 300 U.S.-based IT decision makers, conducted on Delinea’s behalf by Censuswide.

“First, refreshed ransomware is what a lot of people are talking about right now,” Davis said.

Ransom payments have now reached unprecedented levels, soaring to $1.1 billion in 2023, according to a recent Chainalysis report. The report found frequency was up every quarter in 2023, with Q3 doubling year over year.

The year ended with a bang, with ransomware groups like BlackCat executing high-profile events like Caesars and MGM hacks and disruption across the healthcare industry with the attack on UnitedHealth.

Davis added that data exfiltration, in which data is copied, transferred, or retrieved from a computer or server without authorization, has become a major component of cyber attacks.

“So, I think 90% of ransomware attacks now include elements of data exfiltration,” she said. “That is bringing about sort of new waves of third-party claims.”

Indeed, privacy regulation is creating claim activity from class-action litigation filed as a result of unauthorized collection of personal data.

“We’re looking at those elevated risk controls that were implemented by the business community in recent years and making sure that those do keep relevant and keep pace with some of the new tactics and techniques that these attack groups are using,” Davis said.

A Broader Lens

With all of these challenges in mind, Perkins said it’s critically important for insurers to examine portfolios through a broader lens when it comes to cyber risk.

“It’s making sure that you’re doing it in partnership with those who you work with—reinsurance brokers being one—with the modeling firms that you choose to subscribe to where you have direct relationships there,” he said. “Similar to having the wherewithal to respond in a cat event, you really need to have the wherewithal within your actuarial base, whether it’s exposure management, pricing, capital modeling. You really need to make sure that you have resources dedicated to the analysis around cyber.”

This is an ongoing process because risks are ever-evolving, panelists agreed.

“We have, as a market, significant penetration into the U.S. market, but there are other markets around the globe [where] that’s not necessarily the case, and there’s a lot of green fields,” Perkins said. “Before you know it, you can have some accumulation building. If you’re a global organization, that builds quickly—where you can have some points of aggregation that maybe you didn’t realize.”

It’s more than leveraging third party tools, he said. Insurers need to think about using the right tools and building the right models to understand the risks they face.

“And working out what you’re going to toggle on and off within the model to be able to have it to help it to shape better to the risk that you’re taking because there are a lot of assumptions that are taken by the by the modeling firms for good reason, that don’t necessarily fit your portfolio construction,” Perkins said.

Insurers also need to be strategic about how they’re acquiring capital to back the risks they’ve taken, he added.

“What I’m saying by that is thinking about the rated reinsurance world—the investment community through ILS or other creative structures—and thinking about what today looks like, but more importantly what we need in four or five years’ time as the market grows,” he said.