Cyber risk

New approaches needed for cyber risk

Devin Page
Devin Page

This article was originally published in Reactions' 2020 summer issue

Businesses around the world face a growing and continuously evolving cyber threat. Insurers and reinsurers need to rethink how they can respond with capital efficient coverage, explains Devin Page, Head of Specialty.

Cyber risk has been pushed off the headlines by COVID-19. But has the threat diminished, or even grown over the past months?

As the pandemic has changed the way society and business works, we were anticipating a number of cyber risk trends to emerge. Homeworking has meant that more data is being distributed and more frequently, increasing the potential for phishing and skimming attacks, for example. Also, businesses have been under pressure to adapt their cyber security processes to the new remote working environment, itself creating the potential for introducing new vulnerabilities.

Another possible issue is that the transition to a new way of working has been very costly in IT terms for many businesses and the squeeze on budgets could result in under-resourced security infrastructure.

A counterpoint to the increased risks brought by homeworking is that the instances of people losing their devices outside work, leading to data loss, has reduced. Also, the lockdown meant that software providers have slowed the release of new applications and upgrades and that reduces losses from those sources.

The Hiscox Cyber Readiness Report 2020 showed that total cyber losses among affected firms were $1.8bn – up from $1.2bn the previous year. Is that a sign that firms are less well prepared?

In fact, the survey showed that businesses are taking the cyber threat seriously and are investing in resilience and security. Firms that qualified as ‘experts’ in our survey’s cyber readiness model nearly doubled this year – from 10% to 18%. The global IT security spend has increased by just under 40% year on year. Costs of cyber events may have increased, but the number of companies affected has decreased, given the growth in awareness and investment in cyber security. You can find the Hiscox Cyber Readiness Report 2020 here. 

What specific cyber related risks do businesses most urgently need to manage today?

Businesses face a number of cyber risks and they vary depending on what type of industry a firm is in, and how large their enterprise is. Ransomware is hitting companies across the board, however, and should be a focus. Our survey showed that more than 6% of the 5,569 total respondents paid a ransom. Their combined cyber event losses came to $381m. Ransomware could be a mass virus that hits many SMEs or a sophisticated, targeted attack on a single Fortune 500 company. Non-targeted attacks are more serious for a small business that doesn’t have the same resources as a big firm, for example.

Businesses have been under pressure to adapt their cyber security processes to the new remote working environment, itself creating the potential for introducing new vulnerabilities. 

More onerous privacy regulation like the EU’s GDPR directive was predicted to be a big problem for businesses around the world: has that materialised?

Businesses operating in jurisdictions like the EU and the US that have established privacy regimes have learned how to comply and put the necessary risk management processes in place. In relation to the GDPR directive, originally there were some high profile intents to fine, but the penalty deadlines for some large cases have been continually pushed back. It’s created some uncertainty about what GDPR enforcement will actually mean for big corporations in the future and how jurisdictions might react differently in terms of penalties.

Have the insurance and reinsurance markets evolved to the point where businesses can transfer the risks they need to? Is the capacity available?

From an insurance point of view, capacity is available but it depends on needs. Towers for the largest companies are increasing yearly as they seek to buy more protection. If they could buy even more “limit” economically, big corporations would do so. On the reinsurance side, cessions are growing because the primary take-up rate is growing. However, it’s more difficult to write capital efficient cyber reinsurance, compared with property reinsurance for example. Cyber reinsurance is usually worldwide all perils, encompassing everything that the underlying portfolio covers – across third and first party coverages – making it a more difficult risk for reinsurers to diversify.

At Hiscox, we have taken steps to break down worldwide all perils reinsurance coverage to create more capital efficient coverages. One answer is the use of parametric covers that pay out on specific events, such as an attack on a power grid. It enables us to write more limit and also creates more niches that are attractive to new capital, alleviating the capacity crunch.

Is the market receptive to such parametric solutions?

Yes and parametric solutions are equally applicable to insurance and reinsurance programmes. It works for both because it provides buyers with bespoke coverage and a prompt injection of cash when it is most needed. Certain buyers need very specific coverage. On the reinsurance coverage side, it might be to do with points of aggregation in relation to a cloud service downtime event. Here, the number of potential insureds that could be reliant on the same provider suffering downtime could result in widespread losses.

There’s any number of variations on the parametric product theme. Earlier this year Hiscox structured a quarterly parametric cyber instrument that focussed on assets that are exposed  to cyber related disruption impacting underlying power generation assets in the US. It was transacted electronically on the Bermuda-regulated AkinovA  exchange platform and used a third-party power generation index, combined with outage times and disruption levels, as its trigger.

Has the industry got to grips with the issue of silent cyber risk, in your view?

As mentioned earlier, reinsurance capacity is already potentially facing a crunch as take-up increases. Now, with more supervisors and credit rating agencies asking for better qualification and quantification of silent cyber risk, reinsurers have added pressure on them to consider curtailing supply.  But cyber reinsurance is evolving. Traditional reinsurance coverage is still predominantly based on the principle of ultimate net loss (UNL) and so at Hiscox we are trying to create more niche-UNL type coverages for cyber risk. Instead of insureds and insurers buying all-encompassing cyber coverage we want to make it more possible to buy specific coverage such as ransomware only, or business interruption only, to help free up more reinsurance capacity.

Find out more about cyber reinsurance here.


  • Insights and opinions