The global economy has proven relatively resilient to material, widespread financial losses from cyberattacks to date. However, analysis of near-miss events suggests that far larger losses are quite possible, according to new research from CyberCube. I'm Yvette Essen, Head of Content and Communications for CyberCube, and I'm talking to Jon Laux, Vice President of Analytics for CyberCube.
Yvette Essen:
"Jon, can you tell me a little bit about how we conducted this research into near-miss events?"
Jon Laux:
"Sure, Yvette. Our team has built a library of events over the years, and we also conduct ongoing research on cyber events as they occur. I’m using the term 'event' quite broadly—we look at everything from attacks that might only affect a single organization to incidents with significant accumulation potential. We analyze these events both for what did happen and what could have happened.
The findings in the report represent about 100 events that took place over the last six years—actually about 150 in total if you look further back—that we evaluated as having significant accumulation potential for the industry. We analyzed those events to look for patterns and the repercussions for the insurance industry based on how those events played out."
Yvette Essen:
"Can you highlight some of the key takeaways from your research that we’ve published in the report?"
Jon Laux:
"Yeah, sure. So, the first thing to note is that 100 events over the last six years is about one every three weeks. If it feels like there’s a lot going on in the cyber area, that’s because there is. However, not everything plays out with equal impact on the insurance industry. In fact, of those 100 events, only about 10% have actually resulted in any kind of material impact on the insurance industry. And when I say 'material,' I mean events that result in a single loss ratio point type of accumulation for the industry.
In that sense, it’s been a good news story—very few events have resulted in insurance losses, even though from a cybersecurity perspective, there’s been a lot happening. But we also have to consider the other side of that. For some of these events, things could have been a lot worse, as you mentioned. We need to look at not just how the events played out, but how they might have played out differently—what we call counterfactual analysis. For example, NotPetya is often discussed, but with WannaCry, if the code hadn’t included a kill switch that was discovered early, the event could have continued with far greater impact. Similarly, with SolarWinds, if the attack had been motivated by destruction rather than espionage, it would have had a very different financial impact on the industry. So, when we think about how these events could have unfolded, there are significant implications for the industry that models like Portfolio Manager need to address."
Yvette Essen:
"You mentioned Portfolio Manager. Can you tell me a little more about how we used this analysis in Portfolio Manager for this report?"
Jon Laux:
"Essentially, the report delivers a good news story to some degree but with an important cautionary note. The primary purpose of Portfolio Manager is to help insurance and reinsurance clients understand the potential accumulations of cyber insurance risk. This report has helped us better identify both what the tail risk really looks like and to understand the shape of the risk curve. Those near-miss events that haven’t materialized are still somewhere on the curve, but the curve doesn’t necessarily rise as steeply as we might have thought initially. This is the fifth version of Portfolio Manager, and as an industry, we’ve learned a lot since the first version came out. We want to incorporate those findings into what the model tells our clients about risk."
Yvette Essen:
"How have the findings from the report been reflected in Portfolio Manager Version 5?"
Jon Laux:
"If you look at what our curve tells you about risk, we’ve tried to convey through the model, based on the factual analysis, that at the lower return periods, the things that we might compare against recent experience, it’s been a pretty good news story. So, if you look at our curve at those lower return periods, the numbers have come down, and we did that very conscientiously. We looked at frequency as well and felt that the frequency in our model was pretty well calibrated before, so that’s a similar story. The impact of those losses is lower than it used to be.
But further out in the tail, we wanted to make sure that the tail was thick enough to reflect the risk we believe is there. One significant impact we emphasized in that area was with widespread ransomware and wiper malware-type events. We’ve continued to see those in recent years, maybe not at the financial scale we’re concerned about, but events like Microsoft Exchange, Kaseya, and SolarWinds suggest that the tail risk could be significant. So that was an area where we consciously reflected greater potential accumulation than we had in the past."
Yvette Essen:
"It’s interesting how the report has been reflected within PMV5. The report also touches on policy wordings, which is quite an important element. Can you tell me a little bit about our findings there?"
Jon Laux:
"This is a really interesting area of innovation for the industry right now. Different carriers are experimenting with different ways of addressing policy language. The question everyone’s trying to answer is, 'In what way can policy language contain or constrain the amount of catastrophic risk in the policy?' This could be done with exclusions or sublimits, and the market is currently exploring that question.
As an analytics company, it’s not our job to decide which approach the market should embrace, but we should provide tools to help the industry think through the problem analytically and sensitivity test what different approaches might result in for a book of business. We’ve done some testing on the different wording approaches out there, and the impact on the potential capital an organization might need varies significantly depending on the approach. A more modest approach might reduce your capital need by, say, high single digits, while a more aggressive approach could cut your capital by 40 to 60 percent. These are still things that are being explored, but we wanted to convey to the industry that there are significant consequences—good or bad—depending on the decisions that are made and the approaches that come to dominate how the industry manages this risk through wordings."
Yvette Essen:
"Great. Thank you very much for explaining the findings of the report and how they’re impacting our thoughts on PMV5. A copy of that report can be found on our website, along with more information about Portfolio Manager. Our website is www.cybcube.com."
For CyberCube, I'm Yvette Essen.