RENDEZ-VOUS REPORTER 2020

Rethink needed as cyber risk redoubles

A rapidly changing cyber risk landscape is creating new challenges for insurers and insureds alike, says Maya Bundt, Head of Cyber and Digital Solutions at Swiss Re

Do you think that cyber risk diminished or increased during the pandemic crisis?

There are two sides to this question: on the one hand the economic downturn is depressing economic activity and companies’ revenues, which overall leads to reduced cyber risks and a decrease in IT-related business interruption claims. On the other hand, the increased push towards digitalisation and more digital business models is bringing on additional cyber risks, especially when this move towards digital is extremely fast and not accompanied by sound risk management actions. 

This was the case for many companies in the first quarter of this year, especially with so many employees working from home, possibly even with personal laptops and printers. The economy will hopefully recover sooner rather than later, but I don’t believe that we will dial back much on digitalisation. This increases society's overall exposure to cyber risk.

Also, criminals are crafty and seek to cash in on any vulnerability of potential victims, or on the back of the justified fears of people. Unfortunately, they follow Churchill’s advice: never waste a good crisis.

Which specific cyber threats are most pronounced in 2020?

One of the big topics in 2020 is still ransomware. What is new this year is that we see a trend towards more targeted ransomware attacks. These attacks on specific businesses are more sophisticated than the “drive-by” ransomware that is distributed widely and hits whoever it makes contact with. This threat still exists, but at the same time we have targeted ransomware attacks too, sometimes also linked to data privacy breaches or the threat thereof, which generally ask for a much higher ransom amount as well. Business interruption claims and additional costs from ransomware attacks are what is currently driving claims ratios up.

Is the EU’s GDPR, and similar privacy legal regimes around the world, proving to be an issue for businesses?

It depends what you mean by “issue”. GDPR and similar regulations certainly require businesses to adjust their processes, their data handling, their overall governance and sometimes even their business models. This is usually costly and takes time and expertise to implement. Thus, this might present a real issue, especially to smaller businesses. Once compliance with regulatory requirements is achieved, it requires constant work to stay that way. 

For now, most of the fines for breaching the rules seem rather on the lower side, but we will have to watch the space for further developments. There are reports of a few very large fines that have been threatened but I am actually not aware that any of those large amounts have been paid yet. One much discussed topic is the general insurability of those fines and the jury is still out on this in a lot of jurisdictions.

Where is cyber risk insurance take-up strongest and why?

On the commercial side we see market growth in all regions, especially in Europe where we see increased uptake by smaller and mid-sized companies. This positive trend is almost dwarfed though by the interest we see in cyber insurance for individuals on a global basis. In my view this is influenced by the pandemic, which has heightened the awareness of people of how digital their lives already are and has pulled into the foreground the need to protect themselves and their families. To be clear: this interest still needs to translate into true market growth and the market for personal lines cyber insurance is in its infancy.

What does the cyber risk insurance supply picture look like? And how is that reflected in pricing (in the context of January 1 renewals)?

We believe that the time of abundant capacity for any kind of cyber risk is over for the time being. With insurers managing their overall exposures, regulators asking all kinds of questions with respect to silent cyber, and underlying risks growing rather than shrinking, we see the first signs that capacity is more restrained than in the past. This usually comes with a hardening of the market, which is what I am expecting for the upcoming renewals.

How would you describe Swiss Re’s appetite for cyber risk?

The rapidly changing risk landscape makes understanding and managing cyber risk and its potential accumulation a challenge. We have built up our understanding of cyber exposures and have developed solutions to help individuals and businesses better manage cyber risks. Our expanding cyber expertise, research and development activities, and the usage of leading technology are increasing our confidence in underwriting cyber risks. We are deploying significant capacity to clients globally, with a strong focus on sustainable cyber solutions that include risk management aspects. Cyber is a risk we want and need to insure to fulfil our mission to help make the world more resilient.

Has the insurance industry got a handle on silent cyber risk? 

As an industry we are on a journey. I believe we have made some real progress over the last couple of years to understand the complexities and potential scenarios leading to silent cyber losses. However, there is still a lot of work to do with respect to creating transparency, clarifying wordings and coverages, measuring, monitoring and costing all cyber exposures.

Do you agree with some observers that cyber represents a potential systemic risk for the re/insurance industry?

I mentioned before that accumulation of cyber risks is a challenge for the insurance industry: increasing interconnectivity is heightening the potential for loss accumulation. We also need to watch carefully for any existing or developing single or main points of failure. Mid-to-long term, the cyber insurance market will require significant additional insurance and reinsurance capacity to support market growth but also allow for the weathering of very large events. Both government backstops and capital market capacity are options that are currently being explored. I also see the need for public-private partnerships to reduce the overall threat level and agree on basic humanitarian rules in cyberspace.