Catastrophes: Cyber Insurance
NotPetya paralyzed businesses and put cyber on the map as an emerging catastrophe risk.
- Kate Smith
- June 2019
- Cyber Cat: Insurers should be thinking of cyberrisk as potentially catastrophic.
- Defining Moments: Cyber has had significant events, but not defining events yet.
- Behind the Numbers: Favorable loss ratios give a false sense of how big cyber losses could be.
It was a June afternoon in 2017 when Maersk's internal systems began to shut down. One by one, computer screens throughout the shipping giant's Copenhagen headquarters went black. At ports around the world, Maersk's terminals came to a standstill.
The NotPetya virus had gotten a foothold in its system and paralyzed the company's global operations.
The world's largest shipping company went dark.
It took 10 days for Maersk to rebuild its network, company chairman Jim Hagemann Snabe later told the World Economic Forum. Maersk replaced 4,000 servers and 45,000 computers. But the biggest cost, the chairman said, came in lost business.
All told, the NotPetya attack cost Maersk an estimated $300 million.
Maersk was not alone. NotPetya, a malware attack disguised as ransomware, disrupted and disabled businesses around the world. Pharmaceutical giant Merck, FedEx subsidiary TNT Express, U.S. food manufacturer Mondelez, French construction company Saint-Gobain, and British manufacturer Reckitt Benckiser were among the multinational companies inadvertently hit by NotPetya.
PCS, a Verisk company, tracks cyber losses going back to 2013. NotPetya is the first event it has labeled a cyber catastrophe.
It won't be the last.
It's no secret that cyberrisks are increasing as the world becomes more dependent on and interconnected by technology. Nearly $600 billion, or about 1% of the global gross domestic product, is lost each year to cybercrime, according to estimates from McAfee. And Lloyd's of London projected that a major global cyberattack could trigger $53 billion in economic losses, the equivalent of Superstorm Sandy.
The numbers and scale of potential damage mean one thing: Cyber is an emerging catastrophe risk.
“The insurance industry definitely should be thinking of cyber as a catastrophic risk,” Devin Page, underwriter for Hiscox, said. “The more ingrained cyber writers and more sophisticated reinsurance writers already are.
“The world we live in is becoming more reliant on electronic and digital assets and infrastructures. Those resources themselves are becoming more interconnected, which means the potential for a systemic or wide-reaching disruption is heightened by that interconnectivity. And because we rely on it so much, the ramifications of the disruptions are growing massively.”
In the realm of property catastrophe insurance, names like Andrew, Katrina and Sandy stand out. They were defining events for the industry.
Cyber insurance hasn't had that yet.
“Just like in property, you have big cats and small cats,” Page said. “I think we've had small cats on the cyber side. I don't think we've seen a big cat yet. Because the insurance penetration and take-up rates within cyber are still low, the insured losses are nowhere near what their potential could have been.
“So I don't think there's been a true defining event, not in the likes of a Katrina or an Andrew or a Sept. 11. From an event basis, you'd talk about WannaCry or NotPetya, but they are high profile only because of the lack of larger events affecting our industry as of yet.”
NotPetya exemplified the fragility created by global interconnectivity. Multinationals weren't the target of that attack. They were bystanders in what is widely believed to be a Russian military cyberattack on the Ukraine. That attack caused $10 billion in global losses and, according to PCS estimates, $3 billion in insured losses.
While those numbers are significant, experts say they could have been much worse.
“NotPetya was concentrated as an attack on the Ukraine but had collateral damage with a relatively small number of large corporates,” Graeme Newman, chief innovation officer for CFC Underwriting, said. “So in essence, had that attack been leveled against a more developed market where cyber penetration was higher, we'd have seen greater economic loss but also much greater insured loss, which would have made it a defining event in that sense.”
WannaCry, a ransomware worm that spread in May 2017, caused $8 billion in economic losses. Most of that was uninsured, though. PCS, which provides individual risk loss estimates as well as cyber catastrophe loss estimates, said WannaCry did not meet the criteria for a catastrophe, which it defines as an event having at least two insureds and $250 million total in insured losses.
“WannaCry didn't meet our insured loss threshold,” Tom Johansmeyer, assistant vice president at PCS, said.
It did have a huge impact, however, due to the mainstream attention it received.
“WannaCry and NotPetya are both significant events because they attracted a lot of media publicity, particularly at a time when the cyber market is starting to mature and we're all looking at aggregation and trying to model what it might look like,” Newman said. “They happened to coincide with a point in time when we're all focusing on this. By no means will they be the largest or most significant events; they're just the ones we've heard about.”
Since the start of 2019, a new breed of ransomware called LockerGoga reportedly has hit at least five industrial firms, including Norwegian aluminum manufacturer Norsk Hydro, U.S. chemical company Hexion, French engineering firm Altran, European zinc producer Nyrstar and U.S. materials manufacturer Momentive.
PCS has designated the Norsk Hydro attack as an individual risk loss, which it defines as having insured losses in excess of $20 million. PCS is monitoring the other four companies.
“Norsk Hydro won't be one of the largest losses. It'll be significant, but not one of the largest PCS has seen since 2013,” Johansmeyer said. “The bigger implication is whether the malware, LockerGoga, will cause a cyber cat loss. That's the part we're trying to sort out right now.
“Norsk Hydro is the only one where there is a known affirmative cyberrisk loss. We're watching the others to see if there's an affirmative cyber claim. If they don't have affirmative cyber, they may try to claim on property.”
Even the large individual losses in cyber, such as Marriott's estimated $600 million data breach in 2018, have not been catastrophic from an insurance standpoint.
“A lot of people will talk about Marriott, which is the largest single loss we've seen in the affirmative cyber market as of yet,” Page said. “And to be honest, it's not that big. That's a function of how much limit is being purchased. The insured losses on the large loss side of cyber at the moment are effectively being capped by the amount of cyber insurance people are currently purchasing.
“You'll hear about Home Depot with a cyber loss of $100 million, but their actual loss is much greater than that. Target was around $90 million of cyber loss, but their actual loss was much greater than that as well. The numbers we are using within the historical data set as cyber insured losses are not completely representative of the actual economic losses that these events created.”
The deceptive losses are problematic in two ways.
“It gives a false sense of the loss ratios and the loss experience within the cyber market when you're using it to project out what the insurance market will look like for cyber in coming years,” Page said. “Also, with take-up rates increasing and limits purchased increasing, those losses are going to look dramatically different going forward than they have in the past, which contributes to the cyber cat potential in the market.”
Loss ratios for cybersecurity insurance dropped from 64.3 in 2015 to 35.4 in 2017, according to AM Best data. Those numbers can give a false sense of comfort, though.
“Had NotPetya really targeted the U.S., the economic damage could have been in the tens of billions of dollars, which for a cyber market where the total global premium is $4 billion or less, that would be hugely significant for the market,” Newman said.
“That said, I don't think within the industry there's any complacency at all. Sitting here in the heart of the cyber market, the market has never been more alive to the potential of significant large losses stemming from global malware outbreaks.”
Businesses are waking up to the potential losses, as well. The rise of malware reflects a shift in the nature of cyberattacks. Whereas hacking incidents once targeted sensitive information and gave rise to notification obligations, today's malware and ransomware attacks are aimed at disrupting business.
“It wasn't really until cyber extortion and other malware that caused lockups of networks, causing network business interruption loss, that things really escalated,” said Willis Towers Watson's Dan Twersky, a claims advocate and global cyber claims leader, FINEX North America. “Not only did it escalate things from a damages standpoint, but it also really put cyber insurance on the map across the board. It wasn't just for companies that possessed a large amount of personal information or protected health information. Or even sensitive corporate information of others.”
Twersky said the highly publicized WannaCry and NotPetya attacks brought new buyers into the cyber insurance market and prompted existing policyholders to increase their limits.
“Those events served as an abrupt wake-up call for risk managers and the C-suite of various companies that otherwise had no reason to believe that cyber insurance was for them,” Twersky said. “Even those who perhaps haven't been sold yet on the concept, the staggering loss figures are at least causing them to consider the purchase of some of this from a risk transfer standpoint.”
NotPetya also has raised concerns among businesses about whether they will be covered in the event of a cyberattack. Mondelez and Zurich currently are engaged in a legal battle over losses stemming from NotPetya.
After 1,700 servers and 24,000 laptops were corrupted in the attack, Mondelez filed a claim against its property policy. Zurich refused to pay, citing a war exclusion in the contract. Mondelez then sued the insurer for $100 million.
Observers are watching the case closely, but Twersky said the publicity alone has been bad for cyber insurance.
“A casual reader assumes since it's based on a cyberattack, it must be a cyber policy,” he said. “But this was not about a cyber policy.
“A good cyber policy will have a carve-back on the war exclusion for cyber terrorism. Cyber terrorism is the premeditated use of disruptive activities against a computer system or network by any individual, organization or government, intending to cause harm and in furtherance of objectives—including political. That's not war, as we know it. And it's an important distinction, and certainly one that as brokers we're very conscious of when negotiating these policies. Because the war exclusion could be misconstrued or misapplied.”
The growth of cyberrisk and the ambiguity around coverage demonstrate the need for affirmative cyber insurance, experts say. And cyber insurance uptake is, indeed, on the rise. For its 2019 Cyber Readiness Report, Hiscox surveyed 5,400 companies and found 41% had a dedicated cyber insurance policy, up from 33% in 2018. An additional 30% said they plan to purchase cyber insurance in the next 12 months.
Experts say the market will continue to grow. But in order to keep up with demand, more capital will be needed, particularly in the reinsurance and retrocession spaces.
“We're bumping into a scenario quite soon where people will be reaching the amount of exposure that they can take on the books,” Page said. “New capital coming into the market and ways to write more limit for the capital that is in the market, those two things hand-in-hand have to come.”