The latest Cyber Threat Index from insurtech Coalition anticipates more than 1,900 new common vulnerabilities and exposures per month in 2023.
“The reality is that the number of security vulnerabilities and breaches are consistently increasing – from 1,000 in 2002 to over 23,000 in 2022. Defenders are fighting a battle on all sides and at all times,” said Tiago Henriques, vice president of security research at Coalition.
In addition, growing systemic exposures are being exacerbated by increasing digital supply chain risk, explained Josh MacDonald, chief underwriting officer at Elpha Secure.
Speaking at a webinar hosted by cyber risk analytics platform CyberCube, MacDonald said: “We're seeing the prevalence of digitalisation across all revenue segments and industries. It's more and more creeping into the mainstream, as cyber risk and the attack surface has increased significantly over the past five years.”
Beazley’s latest Cyber Services Snapshot report highlighted fraudulent instruction, ransomware, business email compromise and cyber extortion incidents with data exfiltration as concerning trends that will continue in 2023.
As cyber extortion tactics increase in sophistication, severity and frequency, the subsequent data exfiltration from these attacks will give rise to US class actions in 2023, giving cyber extortion incidents a longer tail.
“It's no longer just about locking people out of files – cyber extortion with data exfiltration will also drive class actions in 2023,” Beazley said.
“Threat actors don't need to manipulate data; they can just steal and distribute. They’ve also made accessing this data easier; traditionally available only on the Dark Web, stolen data is now searchable on publicly accessible websites.”
In this environment of increasingly sophisticated attack tactics, Tokio Marine HCC International (TMHCCI)’s recent ranking of the top 10 cyber incidents for 2022 was dominated by cyber attacks against national governmental institutions, led by Russian use of cyber warfare in Ukraine to supplement traditional combat.
TMHCCI noted that several distributed denial-of-service attacks were documented before the invasion, targeting Ukrainian critical infrastructure, public administration and private companies, including the government website, banks and radio stations.
Cementing fears around malicious use of data, malicious access to the IT system of emerging high-growth fintech Revolut in September was ranked fourth by TMHCCI. Through social engineering methods, threat actors accessed the natively digital system, impacting personal data of 50,000 clients, including names, addresses, emails and account data.
Cyber (re)insurance: Past the pinnacle of a hard market?
Competitive pressure seen at 1 January is indicative that the cyber (re)insurance market is in a transformation phase as (re)insurers better understand the risk they take on, according to Aidan Flynn, E&O strategy lead and underwriter at Beazley.
Flynn noted that rapid change in the market over the last two years has brought both growing pains and growth opportunities compared to the wider P&C market. With a general consensus that rates are stabilising and loss ratios are flattening, he said this demonstrates that remediation work on cyber portfolios by underwriters has worked.
Discussing the rating environment, Mickey Estey, senior vice president at RT Specialty, said there is an opportunity for the pie to continue to grow.
“Hopefully, we can level off and get a little bit more level playing field where we can have better discussions between insurance and carriers about limits and offering capacity in a reasonably priced way,” he said.
Flynn added: “I feel optimistic, I think fundamentally, the cyber market is better equipped to understand the risk it is taking on going forward.
“One indication of that, as we started 2023 we've seen a lot more competitive pressure. This was very evident in the domestic US market at 1.1. Competition is healthy, but I don't see that rates will fall off the cliff.”
He added: “We have an amazing opportunity to be able to further develop the product. But I think we are still grappling with a lot of uncertainty in key areas which could inhibit that growth. How do we attract more capital? How do we drive efficiency at scale?”
Cyber reinsurance models and ILS collaboration
Acknowledging the progress made and work still to be done, Justyna Pikinska, head of cyber analytics at Gallagher Re, said that although the market is still not at maturity, the introduction of data, benchmarking and modelling means it has evolved past the “Wild West” phase.
“Modelling convergence is a very interesting subject. Obviously, there are many aggregation models out there, it's that every single model has to spit out exactly the same number. However, that convergence is slowly starting to emerge, which is good,” she said.
For example, MacDonald noted that with the help of the modellers, a market consensus has begun to form around understanding tail risk.
“A necessary step in the evolutionary process, as the amount of total insurable value on the insurance carriers’ balance sheets is now at a level where aggregation risk, if not managed appropriately, will result in rating downgrades even if no event occurs,” he warned.
“Worse, should we actually have a systemic event, severely impaired balance sheets are not out of the realm of possibility.”
As detailed in CyberCube’s predictions report, which described 2023 as “ripe” for expansion of the cyber ILS market, there is increasing potential for the reinsurance value chain to collaborate with ILS fund managers to transfer tail risk and bring new cyber reinsurance capacity to the market.
Earlier this month, Beazley secured $45mn in “groundbreaking” reinsurance coverage through the industry’s first dedicated and tradeable cyber cat bond. Led by ILS fund Fermat Capital Management, coverage is set to be triggered when total claims from a cyber attack exceed $300mn.
The Rule 144A bond is designed to unlock capital market investment into cyber risk and bring new and alternative capacity into the market to meet rising demand for risk transfer.
Securing cyber insurance in 2023 will continue to be contingent on risk management
Going forward, the most significant hurdles for businesses in obtaining cyber insurance will be controls and risk management processes, MacDonald outlined.
While SME penetration is indicative of organic new business growth, these firms will have difficulty in securing policies as they lack the technical sophistication and budget to implement the processes required by the insurance industry.
“From an underwriting perspective and how a business can prepare themselves, it all comes down to vendor due diligence and contracts, having a strict vendor due diligence process in place that includes cybersecurity reviews.
“A business with a focus on mitigating cyber risk with appropriate tools and a culture of cyber risk awareness will navigate the market in 2023 much better than one that doesn't,” he commented.
Pikinska concluded: “There is still so much to discover around the cyber threat landscape, technology, and R&D that we cannot allow ourselves to slow down. I think collectively as an industry, we're at a very, very exciting stage.”