Cyber represent huge opportunities for (re)insurance and reinsurance companies looking to expand into new lines of business. Total worldwide cyber premiums are at about USD 5 billion and are projected to grow to USD 20 billion by 2025. Cyber is a fast-growing business line but can also pose threats to insurance companies: from a pricing or underwriting standpoint, and more significantly, from a risk aggregation and exposure accumulation standpoint across all lines of an insurer’s P&C portfolio.

A cyber catastrophe has the potential to cause much greater losses than any natural catastrophe. Like a hurricane or earthquake, a cyber cat can impact a lot of policies at once but can also be more widespread since the exposure is not contained to a specific geographical region. Cyber events also have the potential to hit multiple line of business at once.

Insurers that are not writing cyber policies are now paying a lot more attention to the silent cyber (risk arising from policies not intended to cover cyber losses) exposure as it could be much more of an issue than affirmative cyber (risk arising from cyber specific policies) cyber. There is significant uncertainly over the potential of silent cyber exposure and huge variation of anticipated risk between business lines (more so in property and liability compared to workers’ comp and auto liability).

Cyber is still an emerging risk and so there is a lack of historical, credible and relevant data. Despite previously being reluctant to measure or model cyber risk exposure, insurers are now starting to look at this from quantitative stance (and rating agencies and regulators are now paying a lot more attention to cyber accumulation). Managing cyber exposure, both from an affirmative and silent standpoint, should now be a critical part of a company’s enterprise risk management framework.

There are many cyber modelling and analytical companies in the market with sophisticated threat assessment tools that insurance companies can partner with. Cyber modelling is still in its infancy phase, with first- or second-generation models, very similar to property cat modelling about 30 years ago. There has been lots of recent activity in cyber analytics over the past two years, and now there are a range of different models available.

At the current early stage of cyber modelling, a multi-model approach is recommended (and there are a lot of models to choose from). Both probabilistic and scenario-based models can be used to quantify cyber probable maximum loss (PML).

It is important for insurers to have a comprehensive view of a its total cyber loss potential, arising from cyber specific policies as well as accumulating across non-cyber portfolios, taking a holistic view of a cyber risk encompass three elements: affirmative, silent and extreme cat. The continued rapid expansion of digital technology means cyber exposures are only going to grow.

Cyber business warrants a group-level approach (rather than in silos) given its potential to span the spectrum of P&C lines. It requires a framework for measuring direct and indirect exposure in order to establish risk tolerance. This fundamental approach is akin to property cat modelling as an exposure-based framework required to quantify tail risk.