A 1 in 200-year cyber event could cost the global cyber insurance industry between $15.6 billion and $33.4 billion while a 1:50-year event could cause losses between $5.5 billion to $24.4 billion, according to a new analysis from reinsurance broker Guy Carpenter.
A 1:200-year ransomware/malware event created the largest potential losses across models, per the report titled, Through the Looking Glass: Interrogating the Key Numbers Behind Today’s Cyber Market. Other scenarios included cloud disruption and data theft events.
To develop the report, Guy Carpenter used data associated with 1.8 million cyber policies to model loss scenarios in three industry cyber models — CyberCube, Guidewire-Cyence, and Moody’s RMS. The broker found wide variation among the models, especially on the 1:50-year events, with output from CyberCube trending higher, Moody’s RMS on the lower end, and Guidewire-Cyence in the middle for each scenario.
Some of the variation could be explained by different parameters considered by models. For example, CyberCube’s model has a larger footprint of affected insureds for the ransomware scenario and includes financial fraud as a significant loss cost contributor to the data theft scenario. On the cloud outage scenario, all three vendors differed in their view of average severity per company.
Guy Carpenter advised “focusing as much on the ‘why’ as the ‘how much’ of model divergence and noted that natural catastrophe models also show variations. However, the industry should be prepared to carefully evaluate model output.
“There is no question that modeled losses from a significant cyber event would impact the market. However, given the industry’s resilience to significantly greater losses from other classes, in most cases these should not be insurmountable,” said Anthony Cordonnier, global co-head of cyber for Guy Carpenter.
The broker added, “Cyber sits firmly within the range of a class with an extended tail and a high degree of uncertainty, but not in the realms of unfamiliarity for insurers, reinsurers and investors. While precedents and modeling evolve, the relative convergence or divergence between the models will be closely followed, which will bring comfort to sources of potential capacity for the future.”
The insurance-linked securities (ILS) sector has gradually shown more interest in the cyber space, due partly to the improvement in modeling, Guy Carpenter noted.
“The improvements to data quality and nimbleness of the cyber models are instrumental in continuing to attract capital to the cyber market,” said Erica Davis, global co-head of cyber for Guy Carpenter. “As the models continue to evolve, reinsurance buyers and sellers will be able to hone in on what truly differentiates each portfolio and more accurately identify, price and trade key catastrophe risk.”
Guy Carpenter conducted a similar study in 2019 – the cyber market has changed significantly since then not only in terms of model maturity, but in premium, cyber threat landscape, and insurance take-up rate.
By the latest measures, the U.S.-domiciled cyber market has reached $9 billion in premium, with the rest of the world contributing about $5 billion. While still dominated by the U.S. at 62.5% of the global market, UK and Europe have shown “accelerated growth,” according to the report. Large organizations account for 41.7% of global premium, while medium, small, and micro-sized companies account for over 58%.
“It is apparent that the cyber market has become a much more significant constituent of the global insurance industry. At no time in the past has it had as much critical mass as it has now, and there are no signs of slowing down,” said Guy Carpenter.