Cyber catastrophe event could top $33bn
Comparison of cyber model outputs finds one-in-200-year event loss estimate ranges from $15.6bn to $33.4bn
Analysis by Guy Carpenter of cyber catastrophe models finds a range of estimates for a one-in-200-year event, with ransomware and malware the biggest driver of losses
A major global cyber event could cause losses of more than $33bn, Guy Carpenter has estimated.
Analysis of cyber catastrophe models conducted by the international broker found a range of loss estimates for a one-in-200-year cyber event of between $15.6bn and $33.4bn.
Although this was a wide range of estimates, Guy Carpenter said the divergence between cyber catastrophe models had become narrower compared with previous years.
The variation between models increased when looking at a one-in-50-year cyber event, with competing models putting potential losses at between $5.5bn and $23.4bn.
Guy Carpenter compared cyber catastrophe models from CyberCube, Cyence and Moody’s RMS by using its own data sets, including its database of policy terms and conditions and claims data, with the tools provided by the vendors.
The reinsurance broker also based its estimates on a total industry premium of $14bn.
CyberCube consistently had the highest estimates and Moody’s RMS the lowest, the analysis found.
Across all three models, there was consensus a ransomware or malware event would be the largest driver of losses in a one-in-200-year event, with cloud outages and data theft also key scenarios that could cause losses.
Similarly, business interruption and contingent business interruption together formed the largest component of losses in all three models, albeit with significant variation between them.
Guy Carpenter said since its last analysis of cyber catastrophe models in 2019, there has been a greater recognition of the impact third-party and supply chain dependencies can have on businesses, with contingent business interruption now playing a much larger role in losses.
A lack of data to model cyber risks and exposures is seen by many as one of the key barriers to much-needed capital entering the market. Many re/insurers and capacity providers are concerned they do not fully understand their exposure to accumulation risks in the event of a major cyber incident, for example a major cloud provider outage.
Insurance-linked securities are also heavily reliant on dependable modelling to attract capital from investors who are wary of their exposure to cyber perils that have not been fully modelled or priced for. For the launch of its cyber catastrophe bond earlier this year, Beazley worked with CyberCube to model risk .
The industry is also working towards an open data standard, launched by Oasis Loss Modelling Framework in February, which it hopes will help improve modelling and bring capacity into the market.
Erica Davis, global co-head of cyber at Guy Carpenter, said improvements in the quality of data were “instrumental” in attracting capital to the cyber market.
“As the models continue to evolve, reinsurance buyers and sellers will be able to home in on what truly differentiates each portfolio and more accurately identify, price and trade key catastrophe risk,” Davis said.
While the size of these modelled losses would have an impact on the market, re/insurers had shown resilience to large catastrophe events in other lines, Anthony Cordonnier, also global co-head of cyber, said.
“In most cases these [losses] should not be insurmountable,” he added.
