Cyber An Ever-Evolving Risk

In recent years, Cyber is the risk everyone has been talking about. Though relatively new, with Lloyds’ writing the first cyber policy in 1999, it has already undergone significant changes and transformations.

With technology and interconnectivity showing no signs of slowing down and the rising use of AI in our personal and professional lives, neither the need for Cyber insurance nor the possibility of large claims is showing any signs of diminishing. 

At Axco’s Global Programmes Conference in June, Neil Arklie, former Head of Cyber Underwriting at Lloyd’s, pointed out that some people have called cyber ‘uninsurable’, partly due to the constant evolution of cyber risks and the challenges involved with creating reliable models for cyber. Stating that even as recently as five years ago, it was not even considered possible to model reliably for Cyber. 

What compounds this problem is that there is not just an abundance of uncertainty in Cyber, the risk and claims can be extremely high. The scale of cybercrime and its effects are staggering, with some estimates putting the total damage of cybercrime at $10.5 trillion by 2025 (https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/_).

This can be felt through rising rates across the market. Axco’s London Market Insurance Market Report states, ‘The pricing of cyber insurance has increased significantly since 2020, largely in response to poor loss experience and a seemingly constant expansion in the type of event which might trigger claims. Clean policies have seen annual rate rises of 10% to 25% in the past two years, but those with a loss experience, however, have been subject to larger uplifts.’

Matt Elliott, a Cyber Underwriter for Superscript and another panellist at the Global Programmes Conference commented on what risks are most prevalent and dangerous right now. Two main types of cybercrime were focused on ransomware and social engineering. While you’ve likely heard of one or both, Matt provided some interesting, if worrying, context.

Starting with ransomware, which was described as a ‘major risk, especially for larger organisations’. These ransomware attacks are being committed by companies who are structuring more and more like traditional large companies, ‘making a hell of a lot of money’ and using these funds and structures to ‘operate large ransomware systems in big companies’.

However, he highlighted that other dangers and risks, such as social engineering, need to be focused on as well. In a world of frequent data breaches, where the ability to buy targeted data is only increasing, the threat of social engineering is only growing.

As increasingly sophisticated AI tools are being developed, which are being combined with more access to data, social engineering threats are becoming harder to spot and, as a result, more dangerous and effective.

With Cyber growing as a risk and the potential for large claims increasing, there is currently much discussion on the nature of the cyber market. Is too much of the risk maintained within the property and liability markets, or should there be a government backstop?

One theme consistent in many issues that the cyber market faces is that from loss prevention to potential government backstops and pooling reinsurance is the struggle of jurisdictions; as Neil Arklie said, ‘it’s called the world wide web for a reason.’

Loss prevention is becoming more difficult because cyber claims are so often the result of crime – how do we prosecute and deter criminals in unfriendly countries? An issue further exacerbated by the continuing deterioration of international relations and diplomacy.

The same issue is faced when we talk about government backstops and pooling reinsurance. As Neil pointed out, UK taxpayers might be okay with using taxpayer money for losses in the UK, ‘the problem with cyber for potentially bigger risks is would UK taxpayers want to pay for a loss to a US company in America?’

Clearly, we are still at the beginning of the journey regarding managing and insuring cyber risks. When the risk is ever-changing and comes with the challenges outlined above, the path forward is not always clear. However, as the name of the panel states, ‘being unprepared is not an option’.