Solving Systemic Risk Is the Cyber Market’s Number One Priority
Cyber insurers can sometimes feel like systemic risk is unique to them. It isn’t. The COVID-19 pandemic was about as systemic as it gets. Business interruption (BI) insurers faced an avalanche of claims following the first lockdowns. And the industry failed in the eyes of thousands of small business owners. The reason was a failure to address the perennial problem of systemic risk. The cyber market mustn’t repeat the same mistakes.
Insurers have always fretted about systemic risk: exposure to a single event that triggers an enormous number of claims and a colossal, accumulated financial loss. The 1906 San Francisco earthquake spawned over 100,000 claims, costing insurers over $5 billion in today’s money. Nearly a century later, the 9/11 terror attacks triggered nearly $50 billion in payouts. Cyber insurers worry about similarly systemic scenarios.
In 2017, a self-propagating malware named NotPetya targeted Ukraine, but quickly spread. It infected hundreds of thousands of computers in more than 60 countries. The virus paralyzed banks and hospitals, and crippled global shipping companies. With an estimated economic impact of $10 billion, NotPetya is the costliest cyber event to date.
But it was COVID, a biological virus rather than a digital one, that showed how potent systemic risk can be. The human cost of COVID was devastating, with nearly 800 million recorded infections and close to 7 million deaths. It was economically unparalleled, too. The International Monetary Fund estimates the economic impact at $12.5 trillion.
As lockdowns set in around the world, nations of small business owners looked to their BI policies to plug financial holes. Mass legal action ensued. In the U.S., policyholders have filed roughly 2,500 lawsuits against insurers. Insurers also faced suits in Australia, Canada, across Europe and in the UK. Details of the legal actions are numerous and complex, but they boil down to the same thing: customers thought they had cover for an event which, according to their insurers, they didn’t. The core problem was a lack of clarity.
Cyber insurers need to be careful not to fall into the same trap. The list of systemic risk exclusions in cyber policies is long and growing. They tend to be scenario-specific, which creates gaps. Technical language is being used to address complex issues like digital infrastructure failure and mass vulnerability exploitation. Brokers and underwriters – let alone policyholders – can struggle to pinpoint where cover starts and stops. The market must agree on where the lines get drawn. This means agreement on how to define systemic risk.
The U.S. property market could help on that front.
Weather events vary from the small-scale to the extreme. The wind in Florida can blow a light breeze one day or a category 5 hurricane the next. Property insurers need to be able to delineate between the two. They’re able to do so because everyone agrees on what a hurricane is.
A group of weather experts at the National Hurricane Center in Miami identify and classify extreme weather events. They decide when a storm becomes a hurricane and assign it a severity rating of 1 through 5. Insurers use this designation to delineate between regular and extreme weather events in policies. And they’re able to buy reinsurance for the most extreme events because there is a clear and unambiguous trigger.
The digital world is in desperate need of a comparable system. We need to be able to identify and classify “cyber hurricanes” so that we can manage the risk they pose. An independent body set up to do this would bring many benefits. It would foster a shared understanding of what a systemic cyber event is. Existing definitions are unclear and inconsistent, and breed uncertainty around what they cover. A transparent classification system defined by an independent body fixes this problem. Events would be easier to reinsure. Clear definitions mean objective policy triggers, reducing ambiguity.
Systemic exposure would become more certain and easier to model. This would attract more reinsurance and third-party capital, creating a true cyber catastrophe market.
More accurate modeling would bring better calibrated reinsurance pricing. Insurance premiums would be reduced, bringing more customers to market. They’d buy a simpler product because the existing systemic exclusions could be scrapped. They’d be replaced with a single catastrophe exclusion tied to a declaration made by the body.
Most important of all, the market would be aligned on how cyber insurance responds to major events.