Business interruption ranks as the top global risk of 2018, and of all the causes of business interruption, cyber incidents are feared the most, according to the Allianz Risk Barometer 2018. A recent report also found that insurers are most worried about cyber-related business interruption because it has a potential systemic impact. In other words, insurers worry that a single cyber incident could trigger multiple claims, possibly at a catastrophic level.
So, what’s the deal with systemic cyber risk? What causes it and how do you measure it?
An Insurance Minefield
The sources of systemic cyber risk are many, and the insurance industry’s inability to navigate this potential minefield and quantify risk is limiting the growth of this line of business. A few land mines, or sources of systemic cyber risk, include:
- Leading IT service providers. Companies are increasingly relying on third-party IT service providers that own significant market share for on-demand rental of software and hardware. For example, the top 15 cloud service providers own a 70% market share.
- Common vulnerabilities. Undiscovered or unpatched hardware and software vulnerabilities can be weaponized by hackers to maximize damage. The WannaCry ransomware attack was the result of exploiting a vulnerability in Microsoft’s Windows operating system.
- Internet infrastructure. Providers of the hardware networks and software layers that support internet communications, such as ISPs and content delivery networks, are high-profile targets. In 2016, a DDoS attack on a domain name system temporarily shut down many popular websites.
These sources of systemic risk aren’t mutually exclusive, which can lead to unexpected losses for cyber insurers with unclear policy wording regarding the failure or compromise of these sources of risk. In addition, unlike natural disasters—whose risk is correlated by easily verifiable geographic location—systemic cyber risk aggregates itself around sources like these, which are more challenging to understand.
Because cyber insurers don’t have a good understanding of systemic cyber risk, many have employed a conservative strategy by mostly offering narrow coverage with low limits, high deductibles, or long waiting periods.
Quantifying Systemic Cyber Risk
Insurance portfolio managers and analysts need to understand the nature of systemic cyber risk to effectively manage it. To do nothing means further risking adverse selection and growing the hidden risk. For that reason, the accumulations of risk within a portfolio must be regularly measured and monitored.
Accumulation analysis can be approached in two ways:
- Market share. A market share approach relies on broad assumptions to estimate the systemic risk in a portfolio. This approach is useful when information about the exposures is limited. For example: If a major cloud provider owns 30% of the market, then 30% of the exposures in your portfolio would be impacted by a downtime event of that cloud provider.
- Detailed accumulation. A detailed accumulation approach uses organization-specific data to determine exactly which companies would be impacted by the systemic risk scenario. For example: Having identified which cloud providers each company uses, you can see the specific companies that are impacted, and the ones that can be omitted from the analysis.
A report from AIR and Lloyd’s studied the differences between these approaches and found that the more a portfolio deviates in composition from the industry at large, the greater the difference in outputs will be between the two approaches. These findings demonstrate how both approaches have a place within the risk management process. If you don’t have access to detailed exposure data and are confident your portfolio aligns with the industry, then you can afford to use a market share approach, knowing that there will be some, albeit reduced, uncertainty in the output.
But when both approaches are used together, they yield more powerful insights about the nature of the risk at hand, which can inform underwriting and portfolio management decisions. For example, if a detailed accumulation analysis shows lower losses than a market share analysis, then it’s likely that your portfolio is underexposed to systemic risk relative to the market, and underwriting guidelines can be adjusted to take on more risk and premiums. Alternatively, if a detailed accumulation analysis shows higher losses, then a diversification strategy needs to be considered.
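The two accumulation approaches can be run side by side on one portfolio, as in this added example (not code from AIR, Lloyd’s or ARC). The insureds, providers, limits and market shares are constructed, and each affected policy is assumed to lose its full business-interruption limit.

```python
from collections import defaultdict

# Constructed sample portfolio: (insured, cloud provider, BI limit in USD).
PORTFOLIO = [
    ("Insured A", "Provider X", 5_000_000),
    ("Insured B", "Provider X", 2_000_000),
    ("Insured C", "Provider Y", 4_000_000),
    ("Insured D", "Provider X", 6_000_000),
    ("Insured E", "Provider Z", 3_000_000),
]
# Constructed industry market shares (assumption, not real figures).
MARKET_SHARE = {"Provider X": 0.30, "Provider Y": 0.20, "Provider Z": 0.25}


def market_share_exposure(portfolio, shares):
    """Market share approach: share of the market x total portfolio exposure."""
    total = sum(limit for _, _, limit in portfolio)
    return {provider: round(share * total) for provider, share in shares.items()}


def detailed_exposure(portfolio):
    """Detailed accumulation: sum limits of insureds known to use each provider."""
    exposure = defaultdict(int)
    for _, provider, limit in portfolio:
        exposure[provider] += limit
    return dict(exposure)


def compare(portfolio, shares):
    """Return {provider: (market_share_estimate, detailed_estimate, action)}."""
    ms, det = market_share_exposure(portfolio, shares), detailed_exposure(portfolio)
    result = {}
    for provider in sorted(set(ms) | set(det)):
        m, d = ms.get(provider, 0), det.get(provider, 0)
        if d > m:
            action = "consider diversification"
        elif d < m:
            action = "room to take on more risk"
        else:
            action = "in line with market"
        result[provider] = (m, d, action)
    return result


if __name__ == "__main__":
    for provider, (m, d, action) in compare(PORTFOLIO, MARKET_SHARE).items():
        print(f"{provider}: market share {m:,} | detailed {d:,} | {action}")
```

With this portfolio, a downtime scenario for Provider X is more than twice as large under detailed accumulation as the market share estimate suggests, which is the kind of deviation from the industry at large that the report describes.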
AIR’s cyber risk data analytics platform, ARC, can quantify systemic cyber risk using both market share and detailed accumulation methods. ARC features many cyber risk scenarios such as cloud service producer downtime and electric grid blackout that help portfolio managers understand the financial impact of these types of incidents.
How has your organization been managing cyber accumulations?