Sleepwalking into unexpected cyber loss
Reinsurers and large insurers are at risk
of being hit by unexpectedly large losses
stemming from a large cyber attack on a par with
substantial hurricane losses in the US—because
they do not understand their aggregations to this
That is the view of Ryan Jones, founder and
CEO of ThreatInformer, which helps insurers
and reinsurers understand their risk aggregations
to cyber risk.
He stressed that when many insurers and
reinsurers first started taking on cyber exposures
the risks were often small in comparison to their
overall portfolios. That has changed, however,
largely because of aggregation risk.
“Suddenly, some of them potentially have
very large exposures but, unlike with hurricane
risk, they are in the dark in terms of exactly
how big the risks are and where they sit in their
portfolio,” Jones said.
Jones has more than 10 years of experience
within cybersecurity, building specialist forensic
teams and helping financial organisations respond
to sophisticated cyber attacks. Before founding
ThreatInformer, he spent two years consulting
into multiple cyber underwriters, helping develop
their products and supporting operations.
Counting the cost: Cyber exposure decoded, a Lloyd’s
report co-written with risk-modelling firm
Cyence, suggested that aggregations related
to a serious cyber attack could cost the global
economy more than $120 billion—as much as
catastrophic natural disasters such as Hurricane
Katrina and Superstorm Sandy.
The July report examined potential economic
losses from the hypothetical hacking of a cloud
service provider and cyber attacks on computer
operating systems run by businesses worldwide.
It acknowledged that insurers are struggling to
estimate their potential exposure to cyber-related
losses amid mounting cyber risks and interest in
cyber insurance. A lack of historical data on which
insurers can base assumptions is a key challenge.
Jones explained that the market has moved on
since re/insurers first started taking on this risk in
small amounts to the point that cyber represents
a very real threat to the industry—but one the
true magnitude of which is hard to grasp.
“Re/insurance by definition has unknowns
but these are clearly greater with cyber risks. A lot
of companies started with a very small portfolio
but now cyber risk has grown to the point it is
material to their balance sheets.
“That means it is more important than ever
for them to get a handle on their real exposures,
but some companies remain in the dark,” he said.
ThreatInformer examines cyber risk by
analysing each risk separately and combining the
analysis to show risk aggregation.
“We can discuss the types of incidents that
may lead to cumulative risk issues. We have
examples of how single incidents have effects
across a portfolio and can show how we help
reinsurers assess cedants’ portfolios. Our focus is
primarily on treaty reinsurance,” Jones said.
The areas the startup examines when assessing
cyber exposure include an analysis of the service
providers used by the end buyer of policies, the
versions of the software they use, their physical
location and the industry they operate in.
This information can be mined largely from
online information and the original policy forms
used by insurers to underwrite the risk.
“Our approach is an automated external
assessment using things such as domain names
and internet assets that gives us the information
we need to establish aggregation risk,” Jones said.
“We can build up a good picture from that.”
The information gained in the process of
assessing the aggregation of cyber risk can also
be used in reverse to help re/insurers make better
underwriting decisions and build a portfolio
that is more balanced and better understood, he

Hurricane Nate will not generate material losses, says RMS
US insured losses associated with wind and
coastal flooding from Hurricane Nate will
not exceed $500 million, according to RMS.
This season, insured losses from US
hurricanes are expected to total between $75 and
$120 billion, but the damage resulting from Nate
is not expected to constitute a material portion of
these insured losses.
“RMS’s industry loss estimate is expected
to be lower than the losses projected prior to
Nate’s landfall. Forecasts that projected the
storm to strengthen to category 2 intensity did
not materialise and Nate ultimately made two
landfalls as a category 1 hurricane,” said Tom
Sabbatelli, senior product manager of the RMS
North Atlantic Hurricane Models.
“None of the wind measurement stations
analysed by RMS recorded hurricane-force wind
speeds at any point during the storm’s passage.”
This estimate includes property damage and
business interruption from wind and coastal
flooding to residential, commercial, industrial,
and automobile lines of business. The coastal
flood losses include coverage leakage, and an
escalation in claims severity for wind-only policies
in situations where wind and water hazards
co-exist in residential lines of business.
The losses associated with inland flooding
are expected to be a minimal contribution to
the total insurance industry loss and therefore
are not included in this figure. Losses to the
National Flood Insurance Program are not
10 | PCI TODAY | DAY 2: Monday October 16 2017 www.intelligentinsurer.com | www.bermudareinsurancemagazine.com