U.S. Property Insurers Could be Facing $12.5B in Hidden Cyber Losses

October 18, 2021

The U.S. property insurance market is accumulating cyber exposures that could result in $12.5 billion in non-physical damage losses and cause capital adequacy ratios for some carriers to deteriorate.

A study conducted by CyberCube, AM Best and Aon found that the accumulation of cyber risk could trigger a one-in-100-year loss of $12.5 billion, which would be enough to cause a downward transition of the Best’s Capital Adequacy Ratio (BCAR) for 18 U.S. property insurance carriers.

For the study, “Spotlight on Cyber: A study of aggregation risk in the US property insurance market,” cyber risk analysts at specialist CyberCube created a sample portfolio based on the U.S. small business property industry. They then subjected this portfolio to modeled cyber loss scenarios, quantifying non-physical damage losses. The results were then used by financial ratings agency AM Best to assess the impact on the balance sheets of 579 U.S. property insurers. Aon assisted with quantifying the risks and exposures written back into property policies and highlighting best practices for managing these risks.

The analysis revealed that of the 579 property insurers analyzed, 12 carriers fell one level in the BCAR, four dropped two levels, and two insurers each fell three levels and four levels respectively.

The authors of the report stress that BCAR assessments are not the sole determinant of a company’s financial strength rating. Other factors such as reinsurance, diversification, and liquidity are considered to evaluate balance sheet strength. However, a “significant deterioration in the BCAR assessment may lead to a downgrade of an insurer’s financial strength rating,” they noted.

The report concludes that, while current levels of cyber exposure within U.S. commercial property are manageable by the property industry as a whole, the exposure could have ratings impacts for a section of the property market.

“While losses of $12.5 billion are relatively low when placed in the context of natural catastrophes, considering these exposures are often unpriced or unaccounted for in enterprise risk management, the impact on carriers can be significant and more importantly, unexpected.” Sridhar Manyem, AM Best’s director, Industry Research, commented.

The report also cautions that the large growth in cyber exposures anticipated over the next few years will challenge the industry’s ability to cope with rapidly increasing risks.

Cyber scenarios used by CyberCube to analyze the impact were large-scale data losses, large-scale ransomware attacks and a targeted ransomware attack on a medical devices manufacturer.

The research notes that insurers have been explicitly excluding cyber coverage from non-standalone policies where “silent” cyber exposure may exist.

However, the report warns that insurance carriers offering explicit cyber coverage in U.S. commercial property policies may not typically be underwriting or pricing the risk accordingly.

CyberCube’s modeled loss figure of $12.5 billion suggests that the U.S. property market is exposed to $9.5 billion of attritional losses and $3 billion of catastrophic losses. “It is apparent that the property market is already paying attritional losses for non-affirmative cyber coverage,” said Rebecca Bole, CyberCube’s head of Industry Engagement.

Jon Laux, Aon’s head of Cyber Analytics, said the research shows quantification of the aggregation potential from cyber-related losses in property policies is real. “With property insurers affirming elements of cyber cover in their policies, insurers are exposed to significant losses, which are not necessarily priced accordingly. Through better information, industry participants will be able to make better decisions about placing cyber risk.”