Cyber: Greatest Threat or Greatest Opportunity for P&C Insurers?
The cyber risk landscape continues to evolve rapidly, with ransomware attacks and business email scams increasing, as well as new threats emerging. This puts cybersecurity and protection in the form of cyber insurance high on every business agenda, and rightfully so. We sat down with Pascal Millaire, CEO at CyberCube to explore if cyber is the greatest threat or the greatest opportunity for P&C insurers.
Pascal, are you excited for the future of Cyber?
Pascal: “Cyber may be the largest opportunity that has come along for P&C insurance in generations. If we look at a typical enterprise today, cyber risk will often be the number one risk on the minds of the enterprise insurance buyer.
“We’ve seen explosive growth in this market. Gallagher Re predicts that cyber reinsurance will be larger than Nat Cat reinsurance by the early 2030s and Jefferies estimates that by 2040, cyber insurance will be 30 times bigger than what it is today and one of the largest lines of insurance in P&C Insurance globally.
“Yes, there are challenges. Yes, there are threats. There’s a lot of work that needs to be done. I’m excited about cyber, not just because of the market opportunity for risk transfer, but because of the incredible value that insurers are providing to clients when they need it most. If you look at this market and some of the largest players, they have paid out hundreds, in some cases over a thousand, claims. If you think about a business that is having a potentially existential moment because they’ve been breached, because of a ransomware event or a business interruption event, the insurer can be of enormous help during the first 24 hours. Think about marshalling incident response, crisis communications, forensics, regulatory engagement, and dealing with the ransom side. If you compare and contrast enterprises that have experienced a breach that do have insurance and those that don’t, the difference is not just the reimbursement. The difference is they are so much better equipped to handle the fallout that comes with these incidents.”
Where specifically do you see the most opportunity?
Pascal: “I would say that some of the largest opportunities are with SMEs. Both in terms of not buying coverage, but also in the incredible role that insurers can play, not just as preventers, but also in providing those valuable pre- and post-breach services.
“The challenge is that not enough businesses buy cyber insurance even though they really should. Europe is a far less penetrated market than the US in particular. Those who do buy aren’t buying large enough limits, and often that’s not because they don’t see the value in insurance products per se. It’s just that the insurance market hasn’t grown rapidly enough to create the towers that hit the multi-billion-dollar exposure that they have. So if you’re an insurer looking at markets where typically mature lines of insurance might struggle to grow at the rate of GDP, here the underlying risk is growing so much faster than that. And the risk is under-penetrated today, which just leads to the sea of opportunity. If you’re an insurer, this may be a once-in-a-generation opportunity for this industry.”
If this is such a huge opportunity, why isn’t this flying off the shelves?
Pascal: “Capacity is absolutely an issue. One of the drivers of capacity and reinsurance capacity is understanding the tail risk and understanding what are the catastrophic aggregation scenarios that could occur and the amount of capital that needs to be held against those scenarios. In the early days, reinsurers and insurers were concerned about this issue. So back when CyberCube was still a part of Symantec, the first problem that we tackled in a development partnership with Guy Carpenter was the issue of accumulation and cat risk management. What we found in the seven years since we’ve been modelling cat risk is that the internet is far more resilient than one might have expected.
“We have tracked 100 mini-cat events over the last six years. There’s about one a month, and that one typically only results in minimal insurance losses. About once a year we see an event like Blackbaud or MS Exchange where there’s a single-digit impact on industry loss ratios. In the last decade, we’ve seen one cat event in terms of NotPetya, which was an attack by the Russians on Ukraine that led to collateral damage that caused around $10 billion of economic losses, predominantly against European enterprises.
“Over time, reinsurers in particular have been getting more and more comfortable understanding, what those cat events are. What are the ones we need to be most concerned about? And as we think about the scope of an insurance policy, let’s make sure that we’re not covering those events. Now, some of the same conclusions that were reached in other lines of insurance over hundreds of years are the same conclusions that we’re reaching today, which is that the insurance industry does not have balance sheets large enough to cover the outright war between nation states.
“CyberCube worked with Lloyd’s to develop its Realistic Disaster Scenarios on cyber cat events. This has translated into a better understanding of what should be included and excluded from a cyber policy. As we get more comfortable with what can be covered by the public sector and think of the role of the private sector in covering that most extreme risk, there’s more and more capacity coming into the market which fuels the growth we’ve been talking about.”
What does this mean for the market? Is it sustainable?
Pascal: “We are looking at exceptional next-generation MGAs and carriers that aren’t just growing, but they’re growing in a really important market long-term where the sky’s the limit in terms of how big premium could reach and doing so at highly attractive loss ratios.
“Sustainability is going to require thoughtful single-risk underwriting. In some ways, CyberCube provides to incumbent carriers what many of these exciting MGAs are doing in-house in terms of single-risk analytics, to drive better risk selection, better pricing, and a more thoughtful selection of enterprises to provide cover to.
“Underwriters trying to write cyber risk five or six years ago faced enormous challenges. Today they can use platforms like CyberCube’s to understand thousands of data points and to correlate claims and incidents against security indicators that might increase the likelihood of a claim. As an underwriter, you can instantly understand hundreds of technology vendors used by the company that you’re underwriting right away. This isn’t just theoretical information that underwriters can now use to make sustainable and profitable decisions. In the case of ransomware, they used it to enforce multi-factor authentication, open RDP ports, and signs of open ransomware infections that drove down loss ratios, improved global cyber security, and empowered underwriters to make a positive difference. So this market’s going to need to be sustainable with good single-risk underwriting, as well as an understanding of catastrophe risk and what should and shouldn’t be covered by a policy.”
Any last tips?
Pascal: “Occasionally I come across insurers or reinsurers that want to put their head in the sand and feel that cyber insurance is too new and too complicated. That’s an area where CyberCube can bring in their expertise. Any insurer, reinsurer or (re)insurance broker must understand the risks associated with internet-connected technologies because ultimately that is risk in the 21st century. As the industry that creates risk transfer products, it’s essential to understand, quantify, underwrite, and understand cat events, both for cyber as a new affirmative standalone line of business, but also just for the future of this being a viable and vibrant industry, covering the risks that matter.”