A Review of Cyber (Re)insurance in 2022 Guided by the Lyrics of The Verve’s Bitter Sweet Symphony
Many things have changed in cyber (re)insurance since I wrote a ‘Year in Review’ piece in 2021—a year which was best known for newsworthy events like Kaseya, Colonial Pipeline, and Log4j. A recent PLUS San Diego panel touched on topics pertinent to cyber (re)insurance’s growing pains in 2022, but I would like to take this opportunity to dig in a bit further.
To start, let me disclaim that my point of view on this is my own, based on my experience employed with a large (re)insurer. Please forgive the generalizations I make here as I attempt to synthesize a great deal of information.
“You know I can change, I can change, I can change”
The cyber insurance industry had considerable challenges coming into the year as the significant losses from 2020 came into focus. The impact to loss ratios due to ransomware and rise in systemic events added pressure to get it right this year. I’m not wholly convinced we did.
Don’t get me wrong. The year 2022 was a great year for cyber in many ways. If we are talking about results-oriented action, insurance carriers in all segments reported a strong rate environment, a stabilization of results in 2021, and relatively lower frequency of ransomware events. According to PCS, cyber insurance will have reached a critical milestone of around $8.5B in Gross Written Premium for affirmative cyber by the end of the year. There also is generally more engagement and appreciation for the line of business as an opportunity for scale and continued profitability for insurance companies, as well as its downside risk of high severity, high frequency, and potential systemic implications. Additionally, we observed better underwriting and risk mitigation practices adopted by cyber underwriters across insurance companies and insurtechs, which are staffed, for the most part, with dedicated cyber experts. Our respective business services continues to mature with an eye on emerging markets, including personal lines, and has expanded into a diverse array of geographies, deploying creative solutions to risk mitigation and overall lending credibility to the product.
“But I am here in my mold, I am here in my mold”
And yet the biggest threats to the cyber (re)insurance industry remain largely the same as what they were a year ago, but in some respects more amplified, or at very least, unsolved. These threats include the geopolitical environment, a dynamic threat landscape, and uncertainty in quantifying downside risk.
Let’s focus for a moment on one of the biggest themes of 2022: geopolitical conflict. The year kicked off with a decision on the application of the war exclusion arising out of the Notpetya attack of 2017, which impacted many companies, including Merck. The Superior Court of New Jersey held that the Hostile/Warlike Action Exclusion in various property policies did not prohibit coverage for the NotPetya cyberattack launched by the military arm of the Russian Federation government against the country of Ukraine because such an exclusion only intended to exclude ‘traditional’ forms of war. As this decision was being contemplated, Russia was mobilizing against Ukraine, not only by traditional military invasion but by deploying destructive wiper malware attacks and by positioning themselves in networks of Ukrainian energy and IT providers. In February Russia invaded Ukrainian territory; an ‘army of ants’ formed in support of both countries. Microsoft helped us gain insight into what a “hybrid” war means, offering detailed illustrations about the realities of modern cyber warfare as it was unfolding (spoiler: not so ‘traditional’.) Shortly after the military invasion came the unprecedented Conti leaks, occurring not long after the group vowed to support Russia’s kinetic war by hacking Ukraine’s critical infrastructure. In turn, we witnessed the disbandment of the threat group, along with the public release of confidential corporate (yes, these gangs have gone ‘corporate’) information, including methodology, operations, and other juicy information. The result was threefold: widespread exposure of the sophistication of organizations like these, celebration of its demise, and fear and unknown about the aftermath. And most recently, Zurich and Mondelez International settled a pending action in Illinois state court regarding the application of the war exclusion as it pertained to Notpetya, leaving unresolved open questions as to how an Illinois jury would understand its application.
Even with all this rich real-life experience to educate our industry and our world as to what constitutes “cyber war,” I would argue that we are not much further along than we were a year ago as to understanding how judiciary bodies will interpret contemporary versions of the war exclusion, especially as they appear in affirmative cyber form. Nor do we have a uniform industry approach to cyber warfare. This is an area needing additional intellectual capital, especially as our policyholders and capital backers (like Lloyds of London) demand that we engage in further work on this subject.
“Well I’ve never prayed, but tonight I’m on my knees, yeah”
If it sounds at all like I am bemoaning the fact that we did not experience a large-scale cyber event this year, I am not. Most important to note is what we did not experience this year, which is a singular catastrophic cyber event with the financial and widespread impact equivalent of say, Hurricane Ian. We continue to see the proliferation of zero-day vulnerabilities just as we did in years past. Additionally, Russia’s cyber capabilities and motivations loom (even though the Defense Intelligence Agency has recently remarked that Russian’s cyber campaign has largely been underwhelming for a myriad of reasons.) Concurrently, there is a developing cyberwar by China against Taiwanese companies. Circumstances like these make the possibility of an impactful systemic event incredibly real. Yet, this cyber systemic risk issue largely remains a theoretical one (with a notable exception or two), discussed behind closed doors by underwriting leaders and CAT modelers. We industry folk have the privilege to do so, as the digital world is completely accessible to our literal fingertips due to the highly sophisticated networks that our company’s CISOs and vendor partners dutifully defend throughout the year including weekends and during holidays when we are at home cooking turkeys with our families.
In any event, it’s my opinion that such a cyber event could have resulted in extreme human suffering, stressed or failed businesses, and many other terrible circumstances, both economic and social. We already have a lot on our plates. And I’m endlessly grateful to the efforts of those who embraced a resounding “Shields Up” mentality to prevent such attacks, including those individuals comprising the cyber insurance industry, many of whom are motivated to prevent human suffering at the hands of bad actors.
“I’ll take you down the only road I’ve ever been down; You know the one that takes you to the places where all the veins meet, yeah”
I realize there are skeptics out there about the realities of a systemic cyber event materializing. For what it’s worth, I do not find the debate regarding ‘will it or won’t it?’ very fulfilling. The COVID pandemic was not the result of a debate; it simply happened, regardless of whether we were prepared for it, and regardless of whether we accurately predicted it.
We are living in an age of high connectivity and increasing dependence on technological solutions to run our businesses and our day-to-day lives. Sometimes such business includes the business of warfare, largely believed to be an uninsurable risk. In the face of this, the insurance industry, which has survived multiple world wars, the Titanic, 9/11, and various other human tragedies, does not bury its proverbial head in the sand and say, “well, it hasn’t happened, and it won’t.” While it is not necessarily the most efficient use of capital to invest in something that is unlikely to bear down upon our world in the immediate future, it is also illogical to ignore something that has happened and absolutely could happen again. ‘Will it or won’t it actually happen?’ aside, we must get better at quantifying what could happen and prepare for surge demand for remediation services in a very complex economic and geopolitical environment.
Why the paradox? Because systemic cyber risk a business reality we have yet to disprove or to fully exclude. Because insurance and reinsurance work well for quantifiable uncertainty or ‘risk’, but they are not very useful for dealing with the unknown. And because the threat of a widespread cyber event is an opportunity for the private sector to solve some serious problems. Right now, the market can offer only limited cyber capacity to limited amounts of businesses because of this ‘quantifiable uncertainty.’ In that vein, there is limited (or no) appetite to cover certain exposures: war, attacks on critical infrastructure, and to a certain extent, widespread events. The less the[BK1] private sector is able to absorb and price for cyber exposure, the less relevant it becomes. Put more positively, the more we can predict, model, and price for these types of cyber exposures, the more pertinent cyber insurance becomes as a risk transfer product. If we don’t come up with a solution, the questions become: a) what are the alternative solutions? (e.g, more investment in company security over insurance, reliance upon a federal backstop?); and b) will such solutions allow the bad guys to gain ground?
“Trying to find some money”
The challenges direct insurers of cyber will face in 2023 are nothing new in isolation: decelerating rate, increased competition on the underwriting side, sophistication in threat environments, geopolitical uncertainty, inflation, the rise of Nat Cat risk, and a continued capacity crunch in reinsurance for our respective outwards programs. These challenges are particularly hard to swallow in the same cocktail, especially for a product that is evolving maturing and one that is challenged to hire, train, and keep talent in an industry that is overwhelmingly facing a talent shortage.
Let’s linger here for a minute on the topic of access to reinsurance.
Cyber (re)insurance faces great uncertainty in ways of tail protection. Risk transfer is a choice, not a necessity. A capital-rich insurance company can withstand significant losses, even catastrophic ones, but greatly improve its financial and capital resilience with the support of reinsurance and alternative capital solutions. While gross written premium increased for cyber over the course of 2022, the capacity provided by insurance providers stayed relatively flat. Cyber reinsurance capacity also stayed relatively flat. Alternative capital is certainly interested in the space but there are multiple hurdles preventing this from developing at rapid pace, including credibility of the modeling, fund diversification, availability of leverage, correlation with financial markets, and fatigue from Nat Cat losses. As such, we are now experiencing an “exacerbated shortfall of [reinsurance] capacity in 2023, following several consecutive years of insufficient cyber reinsurance supply already.”
“I let the melody shine, let it cleanse my mind, I feel free now”
Despite all this, I remain optimistic about the future of cyber (re)insurance and the capabilities we have as industry people to make necessary changes. With the challenges facing us, come additional opportunities. The fact is we must go beyond the adoption of new underwriting and risk mitigation tools and leveraging hard market conditions. We must support the further development of cyber modeling tools, become better at segmentation and diversification of our portfolios, and potentially leverage emerging reinsurance solutions aimed at tail risk mitigation.
Insurance is an institution in the best sense of the word. Meaning this: insurance is an established organization with a purpose. The individuals who comprise this institution are in the business of making sense of the randomness of the universe. On our loftiest days, we are inventors, ingénues, financial engineers. On our worst days, we are paper pushers. I believe we have some of the best people in the industry working on the risks and opportunities presented to cyber (re)insurance at the moment and we are committed to improvements. As Josephine Wolff aptly pointed out in her new book “Cyberinsurance Policy,” the auto industry has taken almost a hundred years to mature and now the auto insurance industry is a cornerstone of modern society (and still not entirely without emerging challenges). As we approach the a quarter of a century of the cyber insurance market (give or take), I think it is safe to say we may have made a lot of progress, but have a long way to go.
In the competitive spirit that drives us all to win for our businesses, but also to promote a product we believe protects businesses across the globe, let’s be our best cyber selves in 2023.