Articles - Key reserving challenges for the cyber insurance market

 By Lynette Calitz, Actuarial and Risk Director and Shamsul Haque, Actuarial and Risk Assistant Manager at Grant Thornton

 Cyber threat is one of the biggest loss scenarios for UK businesses. A cyber attack can cripple the whole business operation and expose the business to litigation from its customers or other external stakeholders for causing data breaches. Below are some statistics to reflect the magnitude and frequency of the cyber attacks impacting the UK and global economy:
 
 
 Main UK cyber insurance covers and exclusions

 First party cover
 This covers the financial loss from a cyber event to the first party (insured). The main first party cyber risk exposures are loss or damage to data and software, business interruption, extortion, reputational damage, and theft of electronic funds.

 Third party cover
 This covers the financial consequence of any liability actions brought against the insured by the third party arising from a cyber event. The main third party cyber risk exposures are security and privacy breaches, expenses to notify customers of the breach, investigation, defence costs and damages arising from defamation, breach of privacy and intellectual property infringement, and loss of third party data, including denial of access.

 Exclusions
 The main exclusions, for first and third party covers, are antitrust violation, bodily injury and property damage, contractual liability, and war and terrorism. Exclusions vary among insurers, so it is important to understand the terms and conditions of the cover provided.

 Global cyber insurance premium trend
 The chart below shows the trends in historical global cyber market premiums, premium growth, and loss incidence growth.

 The cyber insurance market experienced steady growth between 2012 and 2020, and, due to low claims costs, insurers could keep the premium low during this period to increase their market share. However, in 2017, the world started to experience large cyber attacks, including the two largest attacks to date in terms of loss, the NotPetya and WannaCry ransomware attacks which happened in 2017, causing global losses of $10bn and $4bn, respectively. Alongside this, in 2018, the EU started the implementation of the General Data Protection Regulation (GDPR) and imposed a hefty fine of twenty million euros or 4% of annual turnover for breaching these data regulations.

 These recent events compelled the insurance industry to move from its low premium-high market share strategy to a high premium-hard market strategy. Insurance firms significantly increased cyber insurance premiums from 2020 to 2023 to maintain profitability. Insurance companies added more exclusions to their cyber insurance covers. They adjusted their policy wordings and terms and conditions following the Prudential Regulation Authority’s (PRA) Dear CEO letter in 2019 and Lloyd’s market bulletin in 2019. (Details of these documents are provided in Silent Cyber section of this article). This resulted in a reduction in claims frequency and severity between 2020 to 2023. Despite the falling trend of claim incidence, future premium growth is expected for cyber.

 Key challenges and considerations
 It is important to consider the latest developments in the market regarding product covers, claims experience, risk exposure, regulations, new perils, and any other relevant factors to ensure the reserving methodology and assumptions reflect the current risk landscape as accurately as possible. The key challenges and considerations are outlined below.

 Lack of available and credible data and long tailed nature of cyber insurance claims
 Traditional reserving methods assume that past data is a good predictor of the future. However, cyber data sources are scarce due to the low frequency and high severity nature of the cyber events. Due to the fast-changing cyber risk landscape and technological advancements, cyber risk exposure is growing extremely quickly and this has the potential to make past data far less relevant in determining current and future exposure.

 Accumulation of risk
 One of the biggest challenges when reserving for cyber insurance claims is the accumulation of risk. Cyber insurers are exposed to the accumulation of risks from cyber policies due to the systemic nature of the cyber attacks; for example, risk accumulated from a cyber attack through the failure of critical infrastructure like utility providers or internet service providers (ISP), supply chain disruptions (since modern production supply chain is heavily dependent on third parties), hackers exploiting zero-day vulnerabilities in the same software used by many businesses, and poorly maintained open-source software. Accumulation of risks can also happen because there is an interdependency structure between the risks impacted by cyber attacks. For example, a single cyber attack (within the first party) could affect thousands of systems within the firm (first party) and across firms (third parties), thus creating an accumulation of risk events. This could also result in interconnected loss scenarios, such as business interruption, a first party loss, and litigation for data breaches, a third party loss. These dependency structures between risks are overly complex; measuring the financial costs of intangible assets and liabilities such as data/privacy breaches, intellectual property infringements, and reputational harm is exceedingly difficult.

 Ransomware
 Ransomware is malware that prevents the user from accessing their computer. It can cause various prohibitive and intrusive actions, such as locking the computer and deleting, stealing, or encrypting the data on the computer. It can also affect other computers connected to the same network. For example, in May 2017, WannaCry malware infiltrated the NHS network and affected thousands of systems in the network. Ransomware claims are the costliest cyber claims peril, as shown in the chart below.

 
 Source - note that 2022 is an incomplete year for this study and the bubble size represents the average claims size.

 Silent Cyber
 Silent cyber refers to other classes unintendedly exposed to cyber risk, such as potential cyber exposures within traditional property and liability insurance policies due to not implicitly including or excluding cyber risk under the policy terms. It is sometimes also called "non-affirmative" cyber.

 In 2017, the PRA published its "Supervisory statement SS4/17 - Cyber insurance underwriting risk ”, in which the PRA recommended that Solvency II insurers should introduce robust wording exclusions to manage Silent Cyber exposure. As a follow-up to the SS4/17 supervisory statement, in 2018, the PRA surveyed UK insurers and published the results of the survey in 2019 in its “Dear CEO Letter: Cyber underwriting risk , providing an opinion that the UK insurers’ response to managing the Silent Cyber exposure was not adequate and advising firms to increase their activity in this area. In line with the PRA’s expectations, Lloyd’s published a bulletin Ref: Y5258, setting out requirements for Lloyd’s underwriters to explicitly put the wording in the terms and conditions of the insurance contracts to exclude or include the coverage of cyber risk. They wanted this to be implemented in phases: for the first-party property damages policies through phase 1, starting from the beginning of 2020, and other liability classes and reinsurance treaties through phases 2 and 3 in 2020/2021. The London Market Association (LMA) also produced sample wording for one hundred model classes for seventy lines of businesses in Lloyd’s. This initiative aimed to reduce the uncertainty around the risk exposure and create a more robust estimation of future claims cost. Moreover, the Institute and Faculty of Actuaries (IFoA) Cyber Risk Investigation Working Party produced a Silent Cyber Assessment Framework, which provides a detailed process for identifying silent cyber exposures in non-affirmative cyber policies.

 Due to the volatile cyber landscape, some exclusions might still be loosely defined, creating scope for coverage disputes. Such disputes and the resulting litigation can significantly lengthen the tail of cyber exposures.

 State-backed cyber attack exclusion
 A state-backed cyber attack can affect the major infrastructures of a country, which could affect millions of people. In June 2017, NotPetya, a ransomware that attacked the Ukrainian energy and financial industry and many multinational companies, including Maersk, pharmaceutical giant Merck, and FedEx’s European subsidiary TNT Express, caused a global loss of $10 billion. It is believed to have been a Russian government-backed attack .

 In bulletin Ref: Y5381, Lloyd’s stated its requirement for the syndicates offering stand-alone cyber policies to add a suitable clause to exclude liability for losses arising from state-backed cyber attacks. Lloyd’s also recommended that other non-cyber policies should include clauses and robust wording to exclude cyber attack exposures arising from war and non-war state-backed cyber attacks. That was a significant development in limiting cyber risk exposure from war and non-war state-backed cyber attacks.

 However, it would be extremely difficult to prove that an attack was state-backed because countries would participate in this form of warfare in such a way as to make their participation discreet.

 Post-COVID-19 working environment
 Employees have been more exposed to cyber attacks due to changing working arrangements, for example, remote and hybrid working, as a result of COVID-19. Cloud computing, broadband connectivity, increasingly powerful collaboration tools, and employees using their own technology have opened more opportunities for cybercriminals to access workstations more easily compared to when employees were office based.

 Geo-political risk
 Munich Re anticipates that targeting critical infrastructure, intellectual property, or processes like governmental elections, which in 2023 alone took place in around 70 countries, will be part of geopolitical cyber risks going forward. Cyber warfare between countries will attract commercially interested cyber criminals capable of using the sophisticated tools of machine learning, AI, deep fakes, chatbots, social media and other digital channels for the purpose of disinformation and destabilisation efforts.

 Cyber reserving methods
 Although the issues and considerations discussed above lead one to conclude that predicting future cyber insurance claims losses is very difficult, actuaries can still develop estimates using traditional reserving methods in conjunction with benchmark data, guidance from claims specialists, underwriter input and pricing loss ratios.

 For less developed claims or in the earlier years of the claims development, an exposure based method like the Expected loss ratio (ELR) method can be used with a blended approach of deriving (or selecting, where appropriate) the loss ratios from pricing or benchmark sources. Another exposure based method would estimate Incurred but Not Reported (IBNR) as a percentage of premiums written for different development years using benchmarks derived from market practice or specialist knowledge. For more developed years, claims development methods like Chain Ladder can be applied with benchmark claims development factors or a blend between the factors based on historical data and benchmark development factors.

 Different loadings can be applied to existing methods to make an allowance for large or catastrophe claims. For example, benchmark cat loads, derived from market practice or specialist knowledge, can be applied within the ELRs to estimate the catastrophe cyber reserves. This can be viewed as a contingency reserve, which can reduce the pressure on free reserve requirements under the Solvency II regime. Similarly, the full cyber risk exposure has to be considered when Technical Provision (TP) are calculated under the Solvency II and Lloyd’s requirements. TPs are based on the best estimate, including the Events Not in the Data (ENIDs), which includes the risk arising from exposure to cyber loss events that are not reflected in the historical claims experience.

 Another useful reserving method is frequency-severity modelling, which models the frequency and severity of the claims separately to estimate the total expected losses.

 In its IRIS 2022 report (IRIS-2022 Information Risk Insights Study ), Cyentia analysed ten years of data between 2012 and 2021 to construct both frequency and severity models and provide useful statistics for the cyber insurance market. Insurers can use rolling annualised data each month to increase the number of observations and improve the model's predictive ability. The underlying model chosen is the Poisson Log-Normal for frequency and Log-Normal for the claim severity. The parameters are determined using the maximum likelihood method and running the Kolmogorov-Smirnov test and the Cramér-von Mises statistical tests to analyse goodness of fit (Parameters used for these models can be found in IRIS-2022 Information Risk Insights Study ).

 Validating Reserve Adequacy
 It is important that reserving actuaries are aware of the full exposure to the cyber risk faced by the policies written, especially the risk sitting in the tail, and what risk mitigating strategies the insurer has in place to mitigate the risk. Only with that knowledge can they accurately estimate the reserve. Below, we discuss a few cyber risk quantification methods, some of which are more prominently used in capital modelling and pricing but could be used to validate the reserves.

 Simulation methods
 Monte Carlo techniques can construct the aggregate loss distribution by simulating the possible combinations of loss frequencies and magnitudes. This method is particularly helpful when data is sparse; if an underlying statistical distribution of the data can be assumed, this method can simulate any range (thousands and millions) of loss events from the underlying distribution and thus allow the actuary to estimate the aggregated loss level at a certain percentile of the distribution or quantify the probability of a given loss level.

 Scenario analysis
 A scenario analysis aims to estimate the likelihood of an extreme scenario occurring in a year to quantify the exposure to such an event. This analysis can be based on information provided by the claims department on a large loss scenario. That large loss exposure can be compared with the risk mitigating strategies the insurer has, such as reinsurance, to evaluate the adequacy of the reserve held for large losses.

 The maximum and average loss for a scenario related to a cyber threat can be estimated based on historical events and industry trends and discussions with experts from internal sources like claims, underwriting and risk management teams or external experts. Examples of modelled scenarios could be business interruption (caused by ransomware attacks), service provider outages and data breaches. Some scenarios could be interconnected, so a correlation matrix needs to be constructed to explain the dependencies between these scenarios. This matrix could be estimated by analysing any historical loss events of a similar nature and talking to experts from IT and the claims departments. Allowing for correlations between different scenarios will capture the accumulation of risk. The scenarios and the correlation matrix can then be used as input for Monte Carlo simulations.

 Exceedance Probability Curve
 Accumulation of risk can be quantified using an extreme scenario distribution by producing an Exceedance Probability (EP) Curve or Loss Exceedance Curve (LEC). The purpose of EP is to demonstrate the probability of experiencing a minimum amount of loss in a given time period. EP can evaluate the portfolio’s risk exposure from a given scenario against the firm’s risk appetite and take risk mitigating actions. It can also evaluate the adequacy of the ultimate reserve estimated using other methods.

 Tail risk
 Another method to quantify the tail risk is the Tail Value-at-Risk (TVaR). This method only considers the tail of the claim distribution and estimates the average loss value at a certain percentile. For example, at the 95th or upper 10th percentile, what would the TVaR loss value be? TVaR can capture extreme events or risks, such as risk accumulation, and can be compared to the ultimate claim amount estimated by other methods.

 Reserve risk mitigation strategies.
 With robust risk mitigation strategies, reserve risk can be reduced, shared or transferred to different parties, which in turn reduces reserve uncertainty. Below, we discuss some of the most common strategies currently used in the market.

 Controls
 Insurers can limit their exposure to cyber risks by ensuring that their insureds have effective systems of controls in place against the risk of cyber attacks. Underwriters may require potential policyholders to provide information on the controls they have in place. This information can be used in pricing the policies and, later, estimating the future cost of claims if policyholders report incidents. In the latter case, the claims specialists and actuaries can work together to use the information provided by the underwriters to gauge the risk, allowing for the mitigation provided by the controls and to estimate the ultimate and IBNR reserves for those claims.

 Marsh Commercial has identified the following key controls to strengthen a Company’s cyber security:
 • Multifactor authentication (MFA)
 • Email and website filtering
 • Secured, encrypted, and tested backups
 • Incident response plans
 • Cyber security awareness training
 • Replace or protect end-of-life (EOL) systems

 Reinsurance
 Reinsurance is an effective cyber risk mitigation strategy. Cyber insurers can cede the potential larger or catastrophe (cat) claims to reinsurers, who might have better expertise in estimating and managing large and cat losses. With an effective reinsurance arrangement, cyber insurers can limit the risk exposures to large and accumulation losses.

 According to The Geneva Association , the following initiatives could increase the cyber reinsurance market:
 • Offering more excess-of-loss reinsurance instead of proportional reinsurance will make insurers more comfortable managing the attritional claims risk.
 • Creating or extending formal private sector re/ insurance pools to share certain types of cyber risks. For example, in the UK, Pool Re, which was created to cover terrorism risks, is considering providing cover for war and non-war state-backed cyber attacks.
 Cyber Insurance-Linked Securities (ILS)
 Offering cyber ILS investment products to capital market investors can be a way for larger insurers to mitigate cyber risks. Key recent developments in the cyber ILS market have been:
 • In 2023, Beazley issued the Cairney cyber catastrophe bond series, which raised over $81.5m of fresh capital and covered all perils from catastrophic cyber events.
 • In 2023, Hannover Re23 established a collateralised reinsurance agreement with Stone Ridge. This was a quota share reinsurance structure and the largest publicly revealed cyber ILS transaction with a $100m limit.

 In a nutshell
 The global cyber insurance market is a fast-growing market. However, increased threats of large losses from ransomware, including inherent accumulation of risk, data scarcity and the ever-changing risk landscape of cyber insurance, such as current geo-political risk, result in significant claims uncertainty. Moreover, silent cyber and clauses to exclude state backed cyber threats have reduced the risk exposure but increased the possibilities of disputes due to ambiguous wording in insurance policies. Actuaries must be mindful of all these factors while reserving for cyber insurance. Various methods can be applied when determining cyber insurance claims reserves. These approaches all have strengths and weaknesses, and actuaries should consider these in their modelling and a suitable validation process to ensure the robustness of methods and assumptions should be implemented. Lastly, actuaries should be aware of the various risk mitigation strategies in the cyber market, which can reduce reserve uncertainty.