At the Rendez-Vous de Septembre (RVS) conference in Monte Carlo last month, Lockton Re launched its latest cyber report on the ‘Art and Science of Cyber Risk Scoring Technologies’, which highlighted how the increased complexity of digital networks is creating potential exposures for companies.
It’s an especially relevant piece of research considering that, by 2025, it is estimated that 50% of the world’s data will be stored in the cloud, noted Oliver Brew (pictured), cyber practice leader at Lockton Re. By evaluating a selection of the vulnerability scanning technologies used by cyber re/insurers, the report revealed how the vulnerability to attack is increasing each year for companies both internally and through their downstream suppliers.
“The report highlighted new and emerging types of technology and A. how challenging it is to use them effectively and B. how to harness them to supplement underwriting, because I know there are some fears, it might replace underwriting,” he said. “The optimum use of these technologies is as a supplement, not a replacement because when they’re used effectively, they can be an efficient way to triage and improve understanding of a risk at the outset.”
For Brew, who started his cyber insurance career before the market existed in the way that it does today, it has been interesting to see the evolution of the risk – and the insurance products and solutions created to mitigate it – first-hand. He moved to New York in 2006 where he spent a decade underwriting cyber risk, he said, when the market was really beginning to take off, so he had a front-line view of what was then a very nascent market cycle.
Moving back to the UK in 2016 where cyber was still in a relatively embryonic phase was a chance to see that cycle in action again, he said. But this time it was informed by the lessons and experience of seeing the meaningful role of cyber modelling in its development as a viable product. When he joined Lockton Re two years ago, it was his first foray into the reinsurance market, he said, and an opportunity to help build the global broking giant’s dedicated cyber practice from the ground up.
“It has been a really exciting experience,” he said. “Lockton Re is a real champion of the power of expertise. So, coming in to add a dedicated cyber re/insurance entity has felt like a natural next step.
“Cyber reinsurance is a much less mature market compared to the direct market and, as a result, I think that creates a huge amount of opportunities in terms of educating reinsurers, building a dedicated specialism, supporting the analytics function and building out the product and capacity offering for reinsurers. On the flip side, it’s about enabling clients and cedents to drive better pricing, better efficiency and more effective structures to achieve the coverage that they need.”
In the last couple of years in particular, there has been a great focus on systemic cyber risk, he said. This, in turn, has led to increased conversations about the role reinsurance brokers have to play in helping to educate the market in understanding and mitigating that aspect of cyber risk. Incidents such as the recent CrowdStrike outage have helped to broaden conversations about cyber risk.
While, fortunately, the incident was not as serious as it could have been – either in terms of damages or insured losses, it was a wake-up call to many. That’s in terms of both the potential for material economic impact, he said, and included in that the gap in protection between the economic and insured impact of such an incident, but also of the importance of the insurance industry in providing resilience and risk mitigation measures.
Overall, cyber risk remains quite a poorly understood exposure, Brew noted, not least because the nature of the exposure is always changing. Incidents such as CrowdStrike do go some way to highlighting the complexity and interconnectivity of the risk – and of the technology that sits behind the exposure. “When you have an event like that on the front page of the Financial Times, it’s amazing how it can focus the mind of the C-suite,” he said.
“And while, for most insurers, cyber is still a relatively small part of their portfolio, it has become a much more important topic. And, on the other hand, the reality is that historically it has been a very profitable line of business for the last 10 years at least, and so it's really for those markets with the resolve, experience and the expertise to take advantage of that opportunity.”
Beyond high-profile incidents or near-misses, there’s a variety of factors driving the increasing focus on cyber, not least the rapid evolution of the cyber threat landscape in terms of the tools and threat vectors being used. There has been some push from governments and regulators as well, Brew said. They’re increasingly looking to change the conversation about mitigation in recognition that cyber risk is a growing threat which is leaving many behind the curve of being able to react to a fast-changing threat landscape.
“Then, ultimately, It's the role of capital providers to come in to build that private market, which I think is the biggest drive to satisfy what is still, in many ways, an untapped demand,” he said. “[Reports] will tell you that the cyber market is expected to triple in size over the next few years and, to satisfy that requires a combination of traditional capital, alternative capital, and then creative product solutions. And the role we play in that conversation is critical in bringing those topics together to help provide the right solution.”