Swiss Re head of cyber explains the reinsurers’ cautious approach

The insurance industry faces significant growth in cyber insurance demand due to advancing digitisation and recent attacks like Petya and WannaCry.

Individuals are becoming increasingly vulnerable due to the prevalence of Internet of Things, connecting all sorts of objects such as TV’s, cars and fridges. As the number of connected devices in use is already growing exponentially, experts believe that it is only a matter of time until personal cyber insurance will experience a similar boom as the commercial lines. In the commercial space, cyber insurance has been a hot topic for a while.

“Unfortunately, we have the emergence of the cyber risk insurance market while we are in a very soft market environment,” says Maya Bundt, head of cyber & digital solutions at Swiss Re.

Low rates particularly in property/casualty (P&C) have made profitable growth opportunities in this line of business scarce, tempting some re/insurers to embrace cyber risk instead.

Growth Potential

The total written premium of the cyber market globally has recently been estimated at $2.5 billion, but it is growing fast. Allianz believes that the market will increase to $20 billion by 2025.

“There is a drive towards growth which might go against underwriting discipline,” Bundt warned. “There are a few challenges we as an industry cannot ignore.”

Among the challenges Bundt sees for cyber underwriters is the accumulation risk which is potentially more complicated to understand and model than other risks. Furthermore, there is a general dearth of data. There are currently numerous initiatives in the industry to address this also on an international basis which is necessary to develop better risk management tools.

“We see the potential for the industry to make cyber a sustainable market, but there are some obstacles that need to be overcome,” Bundt says.

Swiss Re has a book providing cyber risk capacity and is also working together with its clients to better understand the risk.

In reinsurance, Swiss Re underwrites treaties, quota shares, non-proportional treaties, and the odd facultative acceptance.

“We have quite hard underwriting guidelines. I would describe our approach as cautious. We are certainly not among the most aggressive players in this business, but we want to participate in the market,” Bundt explains.

The industry cannot neglect this risk because there is a clear need for people and companies for protection in the form of insurance programmes, Bundt explains.

“If we weren’t addressing it, we wouldn’t be doing our job. We have a role here to play in society,” she notes. In order to promote the discussion around the issue, Swiss Re is organising industry events such as NORIS 2017 in Stockholm, at the end of August.

Cyber attacks on the rise

A major global cyber-attack has the potential to trigger $53 billion of economic losses, roughly the equivalent to a catastrophic natural disaster like 2012’s Superstorm Sandy, according to a scenario described by Lloyd’s and cyber risk analytics modelling firm Cyence.

The number of ransomware attacks quadrupled in 2016 and are expected to double again in 2017, according to findings in a report from Beazley.

A massive ransomware worm dubbed ‘WannaCry’ hit several organisations such as the UK’s health care system NHS and Spain’s telecoms firm Telefonica in 2017.

In June, many organizations in Europe and the US have been crippled by a ransomware attack known as “Petya”.

Swiss Re wants to support its clients and the risk owners in writing cyber exposures, and it is investing in understanding these risks. “But we need to approach it carefully, not least because the risk is evolving,” Bundt notes.

Insurers can diversify the cyber risk exposure by giving out low limits to clients. “There is enough capacity in the market but it needs to be distributed carefully because insurers don’t want to overreach on single risks,” Bundt says.

Diversification is key

A trend moving the cyber focus from the large corporate area to the smaller, SME-type risks helps balancing the portfolio, making it less lumpy and more diversified, she notes.

Diversifying the risk among industries is another option. In addition, reinsurance can help distributing the risk geographically.

“Insurers need to have a risk and capacity framework in place, estimating their cyber risk appetite and actively managing it, hopefully allowing for full transparency for the risk that is being underwritten,” Bundt says.

“This needs to include not only the actively underwritten cyber risk, but also the passive, silent cyber risk already sitting in the portfolio in other lines of business.”

Despite some major cyber-attacks that spread around the corporate world, the shock absorbing capacity of this line of business has yet to be tested.

“We have not had the big ‘cybergeddon’ yet, the California earthquake type of event,” Bundt explains.

The industry should set aside reserves for a large event. But pricing cyber insurance remains a challenge. The accumulating nature of the risk needs to be taken into account when defining the risk part of the premium. And since the return periods of potentially very large events can only be estimated, the overall premium an insurer should ask for the risk cannot be precisely defined, Bundt explains.

Instead, insurers should set a minimum threshold for themselves, Bundt suggests.