Businesses and (re)insurers should be concerned by risk aggregation, given the possibility of single attacks leading to losses across a large number of firms, which can create counter-party risk for the insured and potential failure for the insurer. At the moment, a large systemic event has not materialized, but that does not mean that the risk is not present.
While some market participants have suggested that a possible government backstop may be necessary, there is no conclusive evidence of the need for such a solution at present. Where a government "pool" might be required is in the area of "systemic" losses that could potentially exceed the resources of the insurance industry, as with terrorism or flood. However, the establishment of such pools requires a clear articulation of the systemic peril, as well as a significant market dysfunction, which is generating a meaningful consumer response. Cyber is not yet at this stage. One of the roles for the data pooling forum described above will be to improve insights on aggregation risk and cyber disaster scenarios. The insurance sector will continue industry discussion on market capacity and the cyber risk pool.
Therefore without the governmental back-stop and the industry's ability to address/absorb these risks in the marketplace through traditional insurance products and risk transfer methods, cyber risk has become a factor for rating agency evaluations:
- Fitch Ratings recently stated that "the potential for any future credit impact to major providers is kept in check by the still relatively small size of the cyber-related insurance market." Fitch also noted that it is "less clear how loss aggregation could play out under a severe cyber-attack that leads to insurable events covered by non-cyber related catastrophe policies, including standard commercial liability, business interruption and professional liability."
- A.M. Best indicated that it will ask:
- Specific questions on cyber risk on its Supplemental Rating Questionnaire.
- How the policy is sold - whether it is standalone or as a sublimit within another policy.
- Enquire about lines of business and types of coverage purchased, such as business interruption or theft of cyber assets.
- In meetings with rating analysts, there will be questions, such as whether the client has ever been the target of a cyber-breach or attack and where responsibility lies within the organization when it comes to managing cyber related risks. There will also be a focus on premium and loss expectations for cyber risk as well as estimated costs for crisis services and legal defense (1).
With the increased scrutiny from these types of outside institutions, (re)insurers will need to quantify and address these questions in the future to ensure they are viewed favorably.
Note:
1. A.M. Best Insurance Industry Update IASA NY/NY Chapter May 18, 2015.