Three of the top 20 cyber insurance providers could see significant gross losses ranging from 15-119% of their estimated 2022 policyholder surplus, based on a modelled single-event cyber catastrophe in a stress-test scenario.
This finding is from a new A.M. Best special report, “Cyber Insurance Market: Stress Testing the Future”, for which the rating agency worked with Guidewire’s Cyence Risk Analytics team to extrapolate and model current cyber insurance market trends to 2022.
In the study, five typical policy profiles were created, each with certain attributes such as business revenues, specific policy limits, self-insured retentions and attachment points. Using two scenarios as described in a Lloyd’s 2017 emerging risk report — a cloud service provider interruption and mass vulnerability — A.M. Best applied Guidewire’s Cyence Risk Analytics application to the top 20 carriers’ modeled cyber portfolios in various scenarios to model their gross loss potential.
In the first scenario, numerous cloud-based customer servers fail, leading to widespread service and business interruptions. In the second scenario, a common software application is compromised and exploited on a global scale. In addition to the two event scenarios, an assessment against both events occurring over a 12-month period found that at the 1-in-200 event level, five companies incurred gross losses ranging from 11% to 233% of their estimated 2022 policyholder surplus.
While the gross losses under the 1-in-50 and 1-in-200 scenarios do not take into consideration ceded reinsurance arrangements to which these companies may be party; the analysis also does not take into consideration companies’ silent cyber exposure (i.e., when perils are neither specifically included nor excluded), which potentially could be significant.
“For the majority of these companies, even the gross losses do not come close to the natural catastrophe probable maximum loss estimates used for stressing the balance sheet strength of the companies,” said A.M. Best associate director Fred Eslami. “However, under these circumstances, a handful of companies could lose a significant amount of surplus, which potentially could create ratings pressure or even trigger a downgrade.”
”Cyber risk inherently will span multiple functional skill domains, requiring expertise from claims, underwriting, actuarial and enterprise risk management, and making the process truly a team effort across an insurer. Addressing the talent gap will be a critical aspect of risk management,” said director of industry research and analytics Sridhar Manyem.
According to A.M. Best, stress-testing cyber risks against a company’s balance sheet to confirm that the cyber portfolio does not pose capital stresses, and an evaluation of risk mitigation strategies, such as selective underwriting, reinsurance, establishing risk preferences and risk pricing, are key aspects of its review of an insurer’s approach to managing cyber risk.