A primer on cyber insurance and the use of models

Introduction

The world’s first cybercrime allegedly happened in 1834,[1] when attackers stole financial market information by “hacking” into the telegraph system in France. The modern version of cybercrime took place in 1962 when Allen Scherr attacked the MIT computer networks via punch cards to steal passwords from databases. Since the 2010s, cyberattacks have exploded in terms of scale, scope, sophistication, and damage.

After gaining prominence recently, cybercrime and cyber insecurity went down in the 2022 World Economic Forum (WEF) annual tabulation on major risks, overshadowed by fast-evolving geopolitical events and increasing anxiety about the world sleepwalking into a climate crisis. But cyber remains the 8th most prominent short-term and long-term threat.[2] For business, it was the 4th most significant short-term risk, after the cost-of-living crisis, natural disasters and extreme weather, and geo-economic confrontation.

Importantly, this does not mean cybercrime and cyber security are less of a threat – indeed, attacks have become more prevalent. It is observed that for many corporations, efforts to strengthen cyber security are part and parcel of what they do on a daily basis.

The global and Asian cybercrime and cyber-insurance market

Size and state of the global cyber market

An accurate figure on the size of the global cybersecurity market is hard to come by, whether in terms of damages from cybercrime and attacks, spending on cyber security, or cyber insurance. For instance, damages and losses come in many different forms, from stolen money to loss of intellectual property and reputation damage, many of which are hard to quantify. Often, companies that fall victim to cybercrime fail to report it. As such, any estimates are, at best, eyeball approximations of the scale of the problem.

According to one estimate by Cybersecurity Ventures, cybercrime is predicted to inflict total economic losses[3] of USD8 trillion globally in 2023 (or USD255,000 a second, or USD21.9 billion a day). Damage costs are projected to increase to USD10.5 trillion annually by 2025, compared to USD3 trillion in 2015. Separately, an assessment by Moody’s showed that around USD22 trillion of rated debts (28% of the total) have high or very high cyber risk exposure. Utilities are generally considered to have very high exposure, but banks, hospitals, and telecommunication networks are also facing high risk.[4]

As losses (and potential losses) mount, defence is also becoming more urgent, with estimates suggesting cybersecurity spending is on track to exceed USD 1.75 trillion cumulatively between 2021 and 2025.[5] At the same time, insurance purchases have increased. For example, a US Government Accountability Office (GAO) study showed the share of insurance clients opting for cyber coverage increased from 26% in 2016 to 47% in 2020.[6]

In recent years, standalone cyber insurance has been one of the fastest-growing business lines. The market size is variously estimated at USD 9-14 billion in 2022, with the US being the biggest market.[7] Lloyd’s predicts the market for cyber insurance will treble in size to GBP35 billion (USD41 billion) by 2030, from GBP12 billion (USD 14 billion) in 2022.

The state of the market keeps changing as new threats arise and countermeasures are put in place. Some of the global trends in the cyber insurance space include:

  • The increasing frequency and scope of attacks have resulted in insurers reducing coverage limits for some vulnerable industry sectors in recent years.
  • At the same time, more insurers are participating in the market, and products are increasingly specific to cyber risk (standalone) rather than bundled with other coverages. In light of strong demand but tight capacity, some players are making a case for cyber insurance-linked securities (ILS).[8] Early in January 2023, Beazley launched the market’s first cyber cat bond.
  • The nascent cyber insurance market is still plagued by problems related to the unavailability of data and a lack of common definitions and standards.
  • The COVID-19 pandemic is believed to have driven more traditional criminals online, and a broader array of actors are now active in cyberattacks.
  • There is also a trend that cyber threats are bridging the gap between information technology (IT) and operational technology (OT) or that IT and OT risks are coming closer together. This means while in the past, IT cyber incidents did not involve physical losses, with automation and increasing digitalisation of operational processes, the risk of physical losses due to cyber threats is growing (see Figure 1 below).
Figure 1: OT industries targeted in 2022
Source: IBM Security X-Force Threat Intelligence Index 2023. Figures refer to the proportion of IR cases by OT-related industry to which X-Force responded in 2022.

Size and state of the Asia cyber market

The increase in internet penetration in Asia has turned the region into a hotbed for cybercrimes. It was only a few years ago when the term “Cyber Five” was coined to denote the vulnerability of Singapore, Australia, Japan, New Zealand and South Korea to cyberattacks due to their heavy reliance on technology. Countries in the ASEAN region have also gained attention of late, as more attacks have been launched from these locations, and their rising internet penetration renders them vulnerable to attacks.

Figure 2: Incidents by region, 2020-2022
Source: IBM Security X-Force Threat Intelligence Index 2023. Figures refer to the proportion of IR cases by OT-related industry to which X-Force responded in 2022.

According to the IBM Security X-Force Threat Intelligence Index 2023,[9] APAC remains the most attacked region, with a 31% share in 2022, up five percentage points from 2021 (see Figure 2). The same report also suggested that manufacturing is the most affected sector, accounting for 48% of cases, and spear phishing is the most common infection vector at 40% across the APAC region.

While improvements have been observed in tackling some deficiencies in garnering a coordinated response to cybercrimes, like capacity building and instilling a strategy mindset among key stakeholders, much still needs to be done to manage the problem effectively. In addition, the increasing “informationisation” of strategic competition among nation-states further complicates the issue.

Again, there are no public and reliable figures on the size of the Asia cyber insurance market. Given the dominance of the US market and the high level of under- and un-insurance in Asia, the premium pool is likely to be less than USD 500 million. Transparency and awareness are relatively lower, partly due to cultural factors and the lack of mandatory notification requirements as in the US. Some of the trends in individual markets are summarised in Table 1.

Table 1: Cyber insurance market trends in selected Asian markets
 
 

Asia’s vulnerability to cyber risks

Many factors have contributed to the high vulnerability of Asian markets to cyberattacks and cybercrimes. For instance, Asia is going through a fast pace of digitalisation. The share of the population in China with internet access stood at 1.78% in 2000 but rose to 73.05% in 2021.[10] At the same time, adoption of e-commerce, online shopping and online banking is high. A survey conducted by McKinsey suggested that 88% of Asian respondents are active digital-banking users.[11]

The outbreak of the COVID-19 pandemic further accelerated the region’s digitalisation trend, as more workers opted for remote working and public services were migrated online. Along with this, global supply chains have changed, with production increasingly diversified across multiple Southeast Asian and South Asian countries. Table 2 below illustrates some major cyber events reported in 2022.

Table 2: Recent major cyber events in Asia, 2022
Sources:
  • Financial Institutions Data Breaches on Deep Web, SOCRadar
  • IOTW: Everything we know about the Medibank data leak, Cyber Security Hub
  • IOTW: Toyota admits to a data breach after access key is posted on GitHub, Cyber Security Hub
  • Optus: How a massive data breach has exposed Australia, BBC
  • Top 5 data breach incidents in Southeast Asia in 2022, Techwire
  • Fahmi Confirms Data Leak Involving 5 Million AirAsia Passengers Result Of Cyberattack, Business Today


Cyber models to help manage cyber risk

Development of cyber models

While there are many factors that will drive and define the future of the cyber insurance market, including standardisation of products, improving legal certainty of cyber exposure, growth of cyber-MGAs, etc., the development of a cyber insurance model is arguably one of the most important tasks for the industry to better understand the complexity of cyber risk and its ramifications.

However, compared to many of the other insurance business lines, developing analytic models on cyber risks has proven to be challenging due to the following:

a. There is only a short history of cyber incidents and damage, and the data on them are often scarce and incomplete, particularly in the Asia-Pacific region.

b. The threat vectors, agents and actors (state, state-sponsored, private, hacktivist etc.), and channels are fast-evolving. In the words of a report by the US Federal Reserve Bank of Chicago, “yesterday’s attacks do not necessarily inform us about tomorrow’s risks”[12].

c. The scalability of cyberattacks means there could be significant interrelated losses across geography and business lines for insurers and reinsurers. Modelling the infection of computer viruses or the cascading effect down supply chains will be important in understanding the full ramifications of cyber incidents.

d. Furthermore, the damage of cyberattacks could arise from secondary impacts, including non-tangible losses like loss of talent and reputational damage.

These considerations could render traditional assumptions regarding the frequency-severity of loss events insufficient, particularly for systemic cyber risks.
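
As an added illustration of point (c) and of why an independent frequency assumption understates systemic risk (this is not CyberCube's or Peak Re's model, and every parameter is constructed for the example), the simulation below compares yearly claim counts for one portfolio under independent incidents and under a shared systemic event with the same expected frequency. Severity is held at one unit per claim so that only the accumulation effect shows.

```python
import random

def simulate_claim_counts(years, policies, p_idio, p_event=0.0, hit_rate=0.0, seed=1):
    """Number of claims in each simulated year.

    p_idio   - chance a policy suffers its own, unrelated incident in a year
    p_event  - chance that one systemic event (e.g. a shared vulnerability) occurs
    hit_rate - share of policies hit when the systemic event occurs
    """
    rng = random.Random(seed)
    counts = []
    for _ in range(years):
        systemic = rng.random() < p_event
        claims = 0
        for _ in range(policies):
            hit = rng.random() < p_idio
            if systemic and rng.random() < hit_rate:
                hit = True
            claims += hit
        counts.append(claims)
    return counts

def quantile(values, q):
    """Empirical quantile, e.g. q=0.995 for a 1-in-200-year count."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def compare(years=10_000, policies=200):
    # Constructed parameters: 2% idiosyncratic incident rate, 2% chance per
    # year of a systemic event that reaches 30% of the portfolio.
    p_idio, p_event, hit_rate = 0.02, 0.02, 0.30
    # Independent model gets the same per-policy claim probability overall.
    p_equiv = p_idio + p_event * hit_rate * (1 - p_idio)
    models = {
        "independent": simulate_claim_counts(years, policies, p_equiv, seed=7),
        "common_shock": simulate_claim_counts(years, policies, p_idio,
                                              p_event, hit_rate, seed=7),
    }
    return {name: {"mean": sum(c) / len(c), "q995": quantile(c, 0.995)}
            for name, c in models.items()}

if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:13s} mean={stats['mean']:.2f} 1-in-200={stats['q995']}")
```

Both models produce about the same average number of claims per year, but the 1-in-200-year count under the common shock is several times larger, which is the accumulation that a portfolio-level model has to capture.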

CyberCube and Peak Re

Using a probabilistic model is important in assessing probable loss scenarios, including accumulations, as cyber risks could be systematic and systemic. Moreover, different players in the insurance value chain (primary insurers, brokers, reinsurers etc.) will need different functionalities from models. Many models nowadays are also supplemented by AI and machine learning.

In March 2023, Peak Re selected cyber risk analytics specialist CyberCube to help quantify client cyber exposure. CyberCube’s model helps underwriters to understand their cyber risk accumulation and develop insights for their senior leaders and teams. Another important function allows stress testing of cyber insurance risk portfolios so that loss drivers and potential accumulation events can be identified.

The partnership with CyberCube’s platform will help to enhance Peak Re’s presence in the cyber market with greater confidence. In addition, data-driven analytics will give Peak Re a deeper understanding of accumulation risk and help better serve customers in the expectation of the growing demand for cyber reinsurance globally.

Conclusion

One thing is certain: Cyber threats will continue to evolve and remain a top concern for all stakeholders. As a result, insurers and reinsurers will need to deepen their understanding of the risk landscape further, leveraging models, scenarios, analytics and data. Nonetheless, in order to manage cyber risks, more actions from other stakeholders (in particular governments) will be needed, including government support in cyber incident data collection, standardisation of policies and improving legal clarity on exposure and coverage.[13]



[1] See A Brief History of Cybercrime, Arctic Wolf, 16 November 2022, and The History of Cybercrime: A Comprehensive Guide (2021), unext, 13 February 2021.

[2] Global Risks Report 2023, World Economic Forum.

[3] Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. See 2022 Official Cybercrime Report, eSentire and Cybersecurity Ventures.

[4] Source: Cyber Heat Map, 28 September 2022, Moody’s Investors Service

[5] https://cybersecurityventures.com/top-5-cybersecurity-facts-figures-predictions-and-statistics-for-2021-to-2025/

[6] Figures refer to the take-up rate of Marsh McLennan clients. Source: Cyber Insurance, US Government Accountability Office

[7] The lower bound was quoted in Global Cyber Insurance Market Update, 21 August 2022, Fitch Ratings. The upper bound was quoted in Lloyd’s Cyber Summit Executive Summary, 1 November 2022, Lloyd’s.

[8] Now is the time for cyber insurance-linked securities, report claims, 21 February 2023, Insurance Business Asia.

[9] Source: X-Force Threat Intelligence Index 2023, IBM

[10] Source: World Development Indicators, The World Bank

[11] Source: Future of Asia: The future of financial services, 11 October 2021, McKinsey & Company

[12] A Granato, A Polacek, “The Growth and Challenges of Cyber Insurance”, Chicago Fed Letter, No. 426, 2019

[13] For instance, with an increasing amount of stolen personal data in circulation, it is increasingly difficult for an affected consumer to prove a specific data leak incident resulted in a specific financial loss. Some jurisdictions also contend that massive data leaks do not automatically lead to mental distress that warrants compensation.