Cyber: How Bad Could 2017 Have Been?

Four hurricanes and six wildfires made for a busy 2017. So, with all the losses mounting through the third and fourth quarters, it’s understandable that you might not have noticed the heavy cyber losses that occurred as well. Three large risk losses led to approximately $430 million in cyber insurance losses last year, according to data from PCS® Global Cyber. That’s almost as much as the previous four years combined.

Source: PCS Global Cyber.  Note: Loss amounts in $ millions$.

 

At current levels of insurance penetration, the aggregate industry cyber insurance loss is likely more relevant for cyber than Hurricanes Harvey, Irma, and Maria were for the global property-catastrophe sector. The global property-catastrophe market can easily absorb tens of billions of dollars in losses. For the cyber folks, several hundred million dollars is a big deal. And what’s interesting is that it’s easy to see how 2017 could realistically have been much worse.

When you take a look at the nature of the losses that occurred in 2017, as well as some of the companies that were uninsured, it becomes clear that a few minor twists and turns could have led to aggregate affirmative cyber losses of more than $3 billion last year. And that means we could see such loss levels in the near future, particularly if the cyber insurance industry continues its current growth trajectory.

 

How 2017 Would Have Looked:

Let’s start with cyber insurance penetration, which continues to grow rapidly. Several companies in the table above were affected by cyber events but didn’t have insurance (a situation that some have since remedied). If the companies in the analysis had had towers of around $500 million, which isn’t unusual in today’s market, then the industry’s total insured loss would have been a bit over $2 billion (using the PCS Global Cyber methodology). This would also be the case if both FedEx and Maersk had towers of around $300 million.

Now, let’s think of a rosier scenario—one we could see at some point in the future, although it’s likely to take a while. Consider the industry loss if the companies above had sufficient insurance coverage to address their reported insured losses. If that were the case, thinking strictly of affirmative cyber, the aggregate industry loss would have reached an astounding $3.5 billion for 2017. While that’s more than seven times the aggregate industry loss actually sustained, it’s still indicative of a very real possibility the industry faces today.

And the risk is poised to tick higher, specifically because of how the industry is expanding right now. For the time being, insurance penetration is increasing rapidly, but the towers aren’t getting high enough fast enough. What this means is that more companies could be loss-affected while still being underinsured. There’s a distinct possibility that a $5 billion aggregate loss year is on the horizon.

The question remains whether the global cyber insurance industry can reasonably get to the sort of premium base where an annual aggregate loss of that magnitude is possible. Today, global premium is estimated to be somewhere between $2.5 billion and $3 billion. Could we see a loss year that’s twice global premium? Three times? It’s certainly conceivable. And with the sector expected to grow faster horizontally than vertically, large total losses could accumulate even faster in an expanded market, creating a clear need to hedge for the extreme scenarios that could decimate a market still in its infancy. Further cyber market development could make a loss year of even $10 billion far more realistic than it seems today.

About Tom Johansmeyer

Tom Johansmeyer is Assistant Vice President and co-head, PCS at Verisk Insurance Solutions. He leads all client- and market-facing activities at PCS, including new market entry, new solution development, and reinsurance/ILS activity. Tom launched the new specialty lines loss reporting program (marine and energy, cyber, and terror), and brought PCS into Turkey. Previously, Tom launched the first corporate blog in the reinsurance sector at Guy Carpenter and did some insurance industry work at Deloitte. He’s a veteran of the U.S. Army, where he proudly pushed paper in a personnel position in the late 1990s.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.