In this post, Stephanie Lynch provides an excellent summary of the recent Guy Carpenter and CyberCube study “Looking Beyond the Clouds,” which looks at potential U.S. cyber insurance industry catastrophes and their financial fallout. You can download the study itself at here the Guy Carpenter website.

It is crucial that we, as the cyber insurance market, put in the work to understand the characteristics of catastrophic cyber events and the financial impact they could have on our industry. Guy Carpenter and CyberCube Analytics have collaborated on a study to quantify cyber risk, specifically looking at potential U.S. cyber industry catastrophic and systemic loss events.

The study is done on a synthetic cyber portfolio representing the U.S. standalone cyber market, informed by Guy Carpenter’s view of the market. GC started with a base portfolio of just over 6k policies with a combined premium of $285m, estimated to represent about 10% of the U.S. cyber market. It was tested and extrapolated out using a proportion of risk sizes seen in underlying exposure dataset, to create a total market view of $2.6b and about 55k policies. It’s important to note that this study does not contemplate endorsements, package policies or non-affirmative cyber within other lines of business, but exclusively looks at standalone cyber policies.

CyberCube had developed 23 catastrophic loss scenarios on their platform, ranging from attacks on critical infrastructure, to large scale cloud ransomware at a leading cloud service provider, to widespread theft from a major email service provider.  The unique characteristic about CyberCube is that they have access to data from both inside and outside the firewall, which builds a more unique and complete view of the risk, due to their exclusive access to information from Symantec, the world’s largest cybersecurity firm.

All modeled results are based on 10k simulations run on the synthetic portfolio through these 23 loss scenarios in the CyberCube platform. The analysis and results can be found in much more detail within the study itself, but a few key takeaways:

  • The costliest cyber catastrophe scenario modeled was widespread data loss due to zero-day vulnerabilities within a leading operating system, which caused a $23.8b insured loss to the market. The likelihood of this event is also the lowest (beyond the 1:300 year return period), but it is similar to what occurred with the NotPetya attack that was mostly uninsured.
  • The most likely loss scenario was widespread data theft from a major email service provider.
  • The second most likely was large-scale ransomware at a leading cloud services provider.
  • Companies with revenues greater than $1b, regardless of industry, represent about 75% of the insured loss.
  • Financial firms were most impacted by these systemic events, accounting for ~20% of the insured loss. This isn’t all too surprising due to the larger insurance takeup rate in the cyber market by these firms.
  • While the loss drivers of each of these scenarios are different, it is important to note that Business Interruption costs, caused often by supply chain delays, are a big part of these catastrophic loss costs. The BI component of cyber insurance has evolved rapidly over the last few years, and we have seen waiting periods and sublimits erode considerable over this time as well.

Rebecca Bole of CyberCube Analytics says, “Insurers and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.”

Hopefully this study has got the conversation started within the businesses with these exposures, insurance carriers covering them, and reinsurers backing them. Since there hasn’t quite been a U.S. insured catastrophic, systemic cyber loss yet, it is a challenge for (re)insurers to estimate the size and scope of what such a loss would look like on their balance sheets. It is encouraged to read through the article and the details of the top 5 catastrophic loss drivers. It is important for us all to analyze our portfolios with these catastrophic scenarios in mind, and this study is a great place to start.

SLynch_HeadshotStephanie Lynch is a treaty reinsurance underwriter and account executive with 5+ years of full time industry experience. She is responsible for developing, growing, and managing treaty reinsurance broker and client relationships and underwriting proportional and non-proportional professional liability programs.

Her treaty reinsurance background began on the actuarial side of the business, working on the reserving team at Arch Reinsurance. After a few years, she made the transition to underwriting, working with the professional liability treaty reinsurance group. Stephanie joined the professional liability underwriting team at Safety National Re in September of 2017 working on both medical and non-medical professional liability.

Stephanie is a graduate of The College of New Jersey with a Bachelor’s degree in Mathematics and a minor in actuarial science. She has achieved the CPCU, RPLU, CYB, ARe, AINS designations and is a licensed NJ producer in property, casualty and surplus lines.