Cyber capital

March 9 2018 by Nick Ferguson

Cyber risk has so far presented a dilemma for the insurance and reinsurance industry, particularly in Asia. Demand for protection is reportedly growing rapidly, but a lack of historical data and poor understanding of the exposures makes it tough for the industry to commit capital that it might be able to use more profitably elsewhere.

However, new tools are continuously being developed that are helping the industry to better understand cyber exposures and therefore allocate risk capital and design products and risk solutions that reflect the full nature of cyber risk. This week, for example, RMS released what it describes as the industry’s first probabilistic cyber risk model.

The new platform provides losses at different return periods for all five of the major cyber loss processes: data exfiltration, contagious malware, financial theft, cloud outage and denial of service attacks.

“Statistical experience data only provides a few years of benchmarking, and the patterns of loss continue to shift,” said Christos Mitas, head of cyber model development at RMS. “Our models show that loss processes such as contagious malware have the capability to scale and trigger large losses much more easily than others, such as data exfiltration, where attackers target individual companies to steal their sensitive data, or cloud outage, which is currently limited by the customer base of cloud service providers.”

Crucially, the model also adds functionality for reinsurers, providing financial perspectives to all reinsurance stakeholders and allows model users to incorporate their own loss experience into the model and develop their own view of risk.

Such tools could allow cyber risks to be transferred more easily to reinsurers and even to the capital markets through insurance-linked securities.

“Clients are seeing demand for cyber insurance growing rapidly and their ability to pursue this opportunity is constrained by their ability to allocate risk capital with confidence,” said Adam Sandler, head of cyber solutions at RMS. “Cyber is still relatively unknown and doesn’t behave like other perils. Our clients’ highest priority request to RMS over the past couple of years has been for cyber loss probabilities, particularly for our accumulation scenarios, to assess the cost of capital needed to support this growth opportunity.”

In terms of the trends in cyber risk, data theft continues to be the main cause of insured losses. RMS says that while the frequency of smaller data breaches has reduced in the US, incidents are increasing elsewhere, particularly in Asia. In May last year, for example, China suffered one of the largest data breaches ever recorded when 2 billion phone records were stolen from the popular Chinese call-blocking tool DU Caller.

The cost of such losses is also rising due to tougher regulations, escalating legal complexity and the growing cost of compensation.

Belatedly, countries in Asia are starting to take cyber risks more seriously. China passed a strict new cyber security law last year and Australia and Japan have introduced mandatory notification requirements. However, other developed markets such as Hong Kong and Singapore have still not introduced mandatory notification.

But pressure is mounting even in smaller, less mature markets. Malaysia, for example, has started to consider tougher regulations after it was revealed in October that a series of data breaches at 12 telecommunications companies, a job-seeker website and databases belonging to three medical associations had led to around 46 million personal records being offered for sale on the dark web.

The move towards tougher rules is leading more Asian companies to buy cyber policies, according to JLT, but there are other factors driving adoption.

“Demand is also being driven by the international nature of some Asian businesses, which are exposed to more stringent data protection rules in the US and EU,” said Sarah Stephens, head of cyber, content and new technology risks, in a recent note to clients. “Asian companies are increasingly required to purchase cyber insurance under contractual requirements with customers and business partners.”

Better tools and stronger rules are both signs of a maturing cyber market, though it is still early days in Asia. Regulations are only as good as the enforcement regime behind them, and it remains to be seen how seriously authorities will pursue offenders.