One of the faster growing areas in insurance is cyber risk. Cyber is fast becoming the new cat drawing outsize attention due to the headline grabbing nature of the peril.
While there is a lot of excitement about cyber, there is not enough fear. Let me state what everyone knows but is afraid to say in polite company:
We have no idea what to charge for cyber risk and whether it can ever be profitable long term.
I’m sure lots of people will try to tell me I’m wrong about this (and perhaps I am), but I am relying on a very simple proposition. There is a lack of historical data and, what data there is, is unlikely to be predictive of the future.
In basic terms, cyber insurers are chasing a moving target. It is a non-stationary risk. Trying to predict future expected cyber losses is like trying to predict the future level of the S&P 500. Yet insurers treat it as if they are predicting how many car accidents will happen each year.
For those writing vanilla, low limit small commercial cyber that pays for basic costs like credit monitoring, breach notifications, and such, this conclusion is not terribly worrisome.
However, if you are writing large account cyber, where the exposures can run well into the nine figures, your company is being reckless. Let me explain.
Ian’s Law of Cyber
Everyone is familiar with Moore’s Law related to advances in semiconductor productivity. Well, I have a new version for cyber insurance.
Ian’s Cyber Law says the bad guys will come up with new tricks twice as fast as the insurers figure out the old ones.
Think about it. Ransomware has been a thing for like a decade. Sure, it got worse in the past few years, but there was nothing surprising about the escalation in frequency…except to insurers. They were behind the curve and did nothing to limit language when they first became aware of the threat.
Then, several years later, as frequency spread and ransomware attacks were in the news daily, they suddenly realized, oops, maybe we shouldn’t have covered the ransomware attacks. Really???
Lloyd’s even wrote a big RDS report on a global ransomware attack in 2019 forecasting a $27B insured loss! If they had only reacted to that, they could have avoided all those 2020 losses. But nope, they followed Ian’s Cyber Law.
If insurers can’t even keep up with the super obvious threats, what do you think their knowledge is of the newest things the bad guys are testing?
If they were a decade behind on ransom, that means they’re not just behind on the new things that are being cooked up. They’re behind on the things the hackers started deploying five years ago and have only started to gain mainstream attention. Which means there should be a lot more IBNR than currently exists.
IBNR: What Is It Good For?
Cyber is the line IBNR was invented for. In this case, it’s not just “our models tell us there are likely some loss exposures that have occurred but we haven’t been notified of yet”.
It’s more like “we have no idea if our client’s network has been infected with some potential virus that the perpetrator has yet to activate but there’s a good chance it has. If it has, we have no idea how severe the threat is and how much it will cost us because we’re not sophisticated enough to know the difference. Because we can’t estimate the potential loss, we will assume it doesn’t exist, or, at least, that it’s small.”
In other words, insurers put up IBNR for the “known unknowns” whereas they should be putting it up for the “unknown unknowns“. How much should we put up for the latter? Shrug.
Ian’s Cyber Law would suggest more IBNR than the year before, because the gap between insurer’s knowledge and the hackers continues to grow. Unfortunately, even if insurers took this approach, we all know what would happen next. Two years go by with no reported loss? OK, we can release that IBNR now!
Man Made Cat
Back after 9/11, I remember one of the arguments for TRIA was terror couldn’t be underwritten, because it was a “man made cat“, meaning that it couldn’t be predicted actuarially because it was impossible to know how many Al Qaeda operatives were out there and how many buildings they might target. While that was an expedient argument, it was also largely correct.
That lesson has been forgotten in the cyber world. Except it’s worse. It’s not just that we don’t know how many devious hackers there are around the world looking to make a few bucks for themselves. It’s that they are far more sophisticated and have far more resources than Al Qaeda or ISIS did.
Most hacking attacks (at least those of the size to generate serious losses) are perpetuated by state actors. Think of it like state-backed terrorism. But instead of it being smaller countries committing the acts, it is places like China and Russia. The US isn’t going to drop a bomb in retaliation.
Even worse, while experts can suspect certain countries of being responsible for certain attacks, it is near impossible to actually prove this. Thus, war exclusions are worthless. If enemies of the US decide to commit cyber crime for financial gain, insurers will pay for the acts of those foreign governments.
Why should cyber be the one line where acts of war are essentially covered?
Large Scale Cyber War
Which brings us to the holy **** moment. The US and China have a confrontation over Hong Kong or Taiwan. Events escalate. Rather than light the match for a potential World War III, what is the obvious response by China?
Publicly call a truce while privately launch a cyber war. Take down AWS. Take down Azure. Cut off bank websites. Do things like Stuxnet that take out manufacturing facilities.
There are lots of nasty things you can do. Obviously, China would be smart enough to not tie it directly to the earlier confrontation. Maybe you wait a few months. Maybe you design it so it looks like North Korea did it. Or like it was some “independent” group of rebels dispersed throughout China to create plausible deniability.
However it happens, if it causes a giant clash event across Corporate America, we could be looking at a $1T economic loss! It’s a little tough to think through insured losses but there’s probably $100B of cyber limits out there? Then, add on all the silent cyber in property and BI.
And, if there is no proof a foreign national did it, the act of war exclusion is meaningless and large chunks of the insurance industry might go bankrupt.
You can feel free to substitute Russia or even North Korea for China if you like. The fact that there are several candidates for bankrupting insurers should make you feel worse, not better.
Oh, by the way, how much capital does S&P make cyber insurers hold for that stress case? Or even the Lloyd’s RDS event? Right, I thought so.
Cyber is like cat before Hurricane Andrew. We all know the tail risk exists, but we don’t attempt to quantify it and thus can convince ourselves we don’t need to hold any capital for it.
What makes it worse than cat is at least, after Andrew, we could study climate and geological data and try to model the frequency and severity of large cats. What would be the equivalent model for cyber? Remember, it’s man made so we can’t do it!
You could probably model total exposure and perhaps clash risk. I’m not sure you could model the frequency, especially if you believe in Ian’s Cyber Law.
Actually, that might be the way! Use Ian’s Cyber Law and assume the industry is always behind the perpetrators at an increasing scale! Unfortunately, that model would probably suggest you couldn’t price the risk at a rate where people would purchase it.
I can write some long concluding argument or I can go back to the very simple opening statement. We can’t price cyber accurately and, if we can’t price it, we can’t insure it.
There’s really nothing else to say other than that it’s worse than the average thing that can’t be priced because of the catastrophic potential. And because the price being charged is likely materially inadequate to even cover the known unknowns.
Other than that, it’s a perfectly fine write!
The only way to fix it is to repeal Ian’s Cyber Law. Unfortunately, that requires getting ahead of the bad guys which means substantial investments in technical resources. Even if that were somehow practicable (a centralized Insurance Cyber Institute whose expenses are shared by the industry?), where is the human talent going to come from?
Are the world’s best cybersecurity experts going to choose working for an insurance company over a corporate or government job where they can be on the front lines of defense or a mercenary role working for the enemy? It’s hard to see that happening.
Until the industry can figure out how to raise their talent level in cyber to the level of the enemy, Ian’s Cyber Law will persist and the coverage will be low return at best and solvency threatening at worst.