Why systemic cyber remains an industry risk

Cloud computing and global cyberattack concept

Systemic cyber risk remains a concern for capital providers and reinsurers, particularly as more and more businesses look at outsourced cloud-based IT operating models, a cyber underwriter told Canadian Underwriter recently. 

“A lot of capital providers and reinsurers, they need comfort around some of the systemic risk modelling,” John Sinclair, senior underwriter with CFC Underwriting, said in an interview. “A potential long-term break on cyber capacity will be around systemic risk and that very much is a pressing concern for capital providers. 

“No one wants to wake up and find that 10, 20% of their portfolios effectively had a loss from a single incident.”

Systemic cyber risk is essentially a single cyber event that triggers multiple failures. One recent example that affected Canada was the global data breach of file transfer software MOVEIt. The breach of the third-party system in June 2023 affected the personal information of at least 100,000 people in Nova Scotia, government officials said at the time 

The provincial government used the software to transfer employee payroll information. The hack affected current and former employees of the public service, including current and former teachers, students, inmates and even some newborn babies. 

“That’s very systemic by its nature because a single attack…was able to lead to hundreds of businesses having an incident,” Sinclair said, adding that the attack also indirectly affected service providers, like accounting or legal firms using the software. 

‘Cascades downstream’ 

“So, you can see how it really just cascades downstream from effectively a single attack,” Sinclair said. “The concentration of risk is only increasing, which does lead to more systemic exposure across the market. 

See also  Railroad Crossing Safety Basics

“All roads lead back to systemic.”

Lloyd’s has also raised concerns about systemic risk, saying that a global systemic cyberattack could result in widespread disruption to global businesses and trillions of dollars in economic losses. The “hypothetical but plausible cyberattack on a major financial services payments system” would cost $3.5 trillion in economic losses over five years, Lloyd’s said in a report last October. 

Lloyd’s has been concerned as well that war exclusions traditionally used in cyber insurance policies do not adequately address the inherent systemic loss risk associated with cyber threats. A single cyberattack that has a widespread impact across multiple organizations could, Lloyd’s says, affect the insurance market’s ability to pay any covered losses. 

While there has been some innovation in the cyber space, “a lot of it does come back to the systemic nature of cyber,” Sinclair said.

“And that’s obviously a concern if you’re providing a product which is basically linked to the failure of major cloud providers. How much systemic exposure does that potentially bring?” he asked. 

Marc Lipman, president and attorney-in-fact at Lloyd’s Canada, said last October systemic cyber risk needs to be tackled with more capacity and ways of dealings with the attritional cyber market. 

“Just like there developed a traditional, attritional property market and a separate Cat property market, we need to develop the same sort of bifurcation for cyber in order to properly price the attritional cyber market and encourage sufficient, reliable capacity,” Lipman said during Insurance Bureau of Canada’s Commercial Insurance Symposium. 

“Carriers can then sell as a standalone product, with a separate pricing structure, supplemental coverage addressing the risks associated with a systemic cyber event like a state-backed cyberattack.” 

See also  A Spotter's Guide to the Rarest and Most Exotic Hypercars

For its part, CFC has established a U.K. cyber monitoring centre that defines and categorizes cyber events. Sinclair said.

The independent body uses a single catastrophe exclusion (rather than an infrastructure or war exclusion), which allows clients to potentially “buy back that exclusion… [and] get reinsurance capacity to sit behind that cyber Cat exposure in exactly the same way in that a specialist property Cat market has developed because of the categorization of those incidents.” 


Feature image by iStock.com/LaymanZoom