While the full ramifications – economic and legal alike – have yet to be entirely mapped out, across the reinsurance and insurance markets attention has already turned to what the recent CrowdStrike systems failure means for the future of cyber risk. During a market briefing, Erica Davis, MD and global co-head of cyber at Guy Carpenter, highlighted how, from a reinsurance perspective, the global tech outage had the potential to be “the cyber catastrophe the industry has spent a lot of time focusing on but hadn’t yet experienced.”
“So, we braced ourselves,” she said, “for how big the loss would be, how long the downtime could last, and, from a reinsurance perspective, how many reinsurance cat covers could potentially respond. Instead, this loss was actually fairly contained. In fact, according to Guy Carpenter’s analysis, less than 1% of all companies globally were impacted.
“Now comes the billion-dollar question - how big is cyber catastrophe when events like this occur? The estimates for CrowdStrike have been fairly wide ranging. Fitch reported financial loss up to high-single billion-dollar digits across the overall market. Cyber modelers have indicated a range between $400 million and $1.5 billion. And last week, Guy Carpenter released our estimate of $300 million to $1 billion in loss, and that’s to the cyber market, which would equate to about two to six points of industry loss ratio.”
Davis noted that the universal reinsurance market consensus is that the loss is “sizeable but manageable”, given the market’s $15.5 billion size. Identifying some of the key reinsurance market concerns she has seen triggered by the event, she pinpointed how its potential severity has reinforced the need to understand digital supply chain interconnectedness.
Secondly, the aggregation of the losses, particularly when it comes to business interruption and contingent business interruption, has been notoriously challenging for the market to underwrite. “In cyber, those supply chains can appear seemingly opaque, so there’s a lot of focus in terms of understanding those impacts,” she said. “Thirdly, we need to understand the loss difference between malicious and non-malicious and how that translates to financial loss.
“One example is that the profile of an accidental outage lacks some of the loss components that we see in a malicious event, and that brings down the industry loss estimates as to how these cyber losses could potentially model.”
Addressing whether this event was included in the cyber vendor scenario catalogs, Davis noted that, “it was and it wasn’t”. Some cyber catastrophe models have included non-malicious intent, whereas others have focused more on malicious intent. That means there isn’t a scenario footprint that’s easily translatable to how this outage occurred.
However, she said, existing models can form a basis for how the market thinks about or derives an industry loss estimate. To do just that, Guy Carpenter took a number of scenarios, and applied some bespoke ‘scalers’ to mimic the July outage severity and footprint. It then also tracked some of the technological dependencies that it was able to access through various vendors, allowing it to formulate an estimate for how to think about events that aren’t directly available in the cyber cat vendor scenario catalogs, and so better understand how this event occurred.
“Lastly,” she said, “in the reinsurance landscape, all of this contributed to a shifting view of cat risk. As the cyber industry continues to mature, I think we have to reevaluate how we’re thinking about cyber catastrophe. It may not be the super single cat event that we’ve expected in the past, and instead, might be a series of ‘kitty cats’ or smaller to mid-sized catastrophe events that aggregate throughout a single policy or treaty period.
“That’s what we’ve experienced so far over the last 12 to 24 months, and will become an increasing focus for the industry. So as the industry grows, the market understanding of large market-moving systemic risk, alongside these more frequency-driven, small to mid-sized events, is going to help us evolve our understanding of cyber risk and underwriting for the future.”
Offering insights into how well appointed the insurance and, in turn, the reinsurance industry is to deal with the growing and changing face of cyber risk, Davis said she sees the market as currently well equipped. As the market has matured, cyber writers have become increasingly comfortable with this attritional risk, i.e. non-catastrophic day-to-day exposures. For that reason, reinsurance buying strategies have shifted in the last 12 to 24 months.
“In parallel to that,” she said, “what we’ve seen is risk tolerances recalibrate. There’s been a lot more focus on catastrophic covers, allowing cyber writers to retain more margin and focus instead on protection for the tail. All that means there’s a growing range of reinsurance structures that are available in the non-proportional market and that are commercially viable. Some examples of those are industry loss warranties, cyber cat bonds and event covers.”
For many of these structures, and especially on the event cover side, Davis emphasized the importance of the market taking a close look at cyber catastrophe event definitions. Currently, there are over 25 different event definitions existing in the market, and with each of these events - big and small - it’s important, as a market, to stress-test these definitions.
This will allow the market to understand the limitations and gaps of these definitions, allowing it to refine its approach and to create bespoke, customized wording that reflects each client’s view of risk. “That’s really important as a market, because we need to understand what sort of basis risk exists when we’re starting to craft these catastrophic covers. Overall, the market’s well prepared and we’re equipped to deal with these sorts of events. We’re learning so much through the modeling, and we’re creating more effective, suitable structures in order to protect the capital of these cyber writers.”