July 21, 2017
The danger of risk aggregation is nothing new to the insurance industry, but a recent joint report by Lloyd’s of London and cyber risk analytics firm Cyence just took the conversation up a notch.
The report found that a hypothetical catastrophic cyber-attack targeted against a cloud service provider could result in average losses of $53 billion in just 2-3 days. In the most extreme situations, an attack could cost $121 billion, greater than the total losses from catastrophic natural disasters such as Hurricanes Katrina and Sandy.
This report brings to life what the insurance world has long feared. Unlike other lines of business, which rely on hundreds of years of historical data to hedge risk, cyber insurers struggle to estimate potential losses due to the possibility of aggregate loss scenarios. “Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event,” explains Lloyd’s of London Chief Executive Inga Beale.
The report also highlights the problem of insurers not offering ample coverage because they are concerned about taking on a risk that is not completely understood. However, insurance buyers are also often wary of purchasing coverage due to a lack of understanding of cyber risks or the fear that “cyber insurance doesn’t work,” according to a recent Financial Times article.
In fact, the UK’s Prudential Regulation Authority (PRA), a financial services regulatory body, has urged insurers to administer “stress tests” to gauge the impact of what would happen should insurers’ clients submit a host of claims simultaneously. The PRA also says insurers should have “board level oversight” of their cyber book’s risk exposure, according to a recent PYMNTS article.
This concept is far from hypothetical. The WannaCry ransomware attack in May infected more than 230,000 computers in more than 150 countries. Most recently, TNT Express, a FedEx subsidiary based in the Netherlands, announced that the (not) Petya virus crippled its supply chain operations. The malware, disguised to appear as a ransomware attack, outright wiped the computers’ data instead. FedEx explained that while the financial impact of the event cannot yet be determined, bottom line losses could be substantial.
Unfortunately, FedEx explained to investors that the company did not have a cyber policy in place that would cover this type of attack. This just goes to show how critical it is for the insurance industry to work together to negate the material risk of an extremely dangerous aggregation of exposure in the market.