Cloudfall

More and more business is moving to the cloud and, given the concentration of providers and their interlinkages, it’s creating security challenges. In the US, 15 cloud providers account for 70% of the market.

The National Institute of Standards and Technology (NIST) describes the cloud as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

A cloud solution is typically architected with multiple regions, where a region is a geographical location where users can run their resources, and is typically made up of multiple zones. All major cloud providers have multiple regions, located across the globe and within the US. For example, Rackspace has the fewest regions at 7 whereas Microsoft Azure has the most at 36.

The industry is projected to grow at a compound annual growth rate of 36% between 2014 and 2026, as per the graph below. Software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) are the types of cloud services sold.

Control of the underlying cloud infrastructure of networks, servers, operating systems, and storage is the responsibility of the cloud provider, with the user having control over the deployed applications and possibly configuration settings for the application-hosting environment.

Amazingly, however, the main responsibility for protecting corporate data in the cloud lies not with the cloud provider but with the cloud customer, unless specifically agreed otherwise. Jay Heiser of Gartner commented that “we are in a cloud security transition period in which focus is shifting from the provider to the customer” and businesses “are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is secure or not has virtually no payback”.

An organisation called the Cloud Security Alliance (CSA) issued its report on the security threats to the cloud. These include the usual threats such as data breaches, denial of service (DoS), advanced persistent threats (APTs) and malicious insiders. For the cloud, add in threats including insufficient access management, insecure user interfaces (UIs) and application programming interfaces (APIs), and shared technology vulnerabilities.

Cyber security is an important issue today and many businesses, particularly larger businesses, are turning to insurance to mitigate the risks to their organisations, as the graph below on cyber insurance take-up rates shows.

Lloyd’s of London recently released an interesting report called Cloud Down that estimated the e-business interruption costs in the US arising from the sustained loss of access to a cloud service provider. Using a standard catastrophe modelling framework from AIR, the report estimates that a cyber incident that takes a top 3 cloud provider offline in the US for 3-6 days would result in ground-up loss central estimates between $7-15 billion and insured losses between $1.5-3 billion. By necessity, the assumptions used in the analysis are fairly crude and basic.

Given the number of bad actors in the cyber world, particularly those who may intend to cause maximum disruption, security failings around the cloud could, in my view, result in losses of many multiples of those projected by Lloyd’s if several cloud providers are taken down for longer periods. And that’s scary.

The Big Wind

With four US hurricanes and one earthquake in current times, Mother Nature is reminding us Homo sapiens of her power and her unpredictability. As the massive Hurricane Irma is about to hit Florida, we all hope that the loss of life and damage to people’s lives will be minimal and that the coming days will prove humane. Forgive me if it comes across as insensitive to be posting now on the likely impact of such events on the insurance industry.

For the insurance sector, these events, and particularly Hurricane Irma, which is now forecast to move up the west coast of Florida at strength (rather than the more destructive path up the middle of Florida, given the maximum forces at the top right-hand side of a hurricane like this one), may be a test of the predictive powers of its models, which are so critical to pricing, particularly in the insurance-linked securities (ILS) market.

Many commentators, including me (here, here and here are recent examples), have expressed worries in recent years about current market conditions in the specialty insurance, reinsurance and ILS sectors. On Wednesday, Willis Re reported that they estimate their subset of firms analysed are only earning a 3.7% ROE if losses are normalised and reserve releases dried up. David Rule of the Prudential Regulation Authority in the UK recently stated that London market insurers “appear to be incorporating a more benign view of future losses into their technical pricing”, that terms and conditions continued to loosen, that reliance on untested new coverages such as cyber insurance is increasing and that insurers “may be too sanguine about catastrophe risks, such as significant weather events”.

With the reinsurance and specialty insurance sectors struggling to meet their cost of capital and pricing terms and conditions being so weak for so long (see this post on the impact of soft pricing on risk profiles), if Hurricane Irma impacts Florida as predicted (i.e. on Saturday) it has the potential to be a capital event for the catastrophe insurance sector rather than just an earnings event. On Friday, Lex in the FT reported that the South-East US makes up 60% of the exposures of the catastrophe insurance market.

The models utilised in the sector are more variable in their output as events get bigger in their impact (e.g. the higher the return period). A 2013 post on the variation in loss estimates from a selected portfolio of standard insurance coverage by the Florida Commission on Hurricane Loss Projection Methodology (FCHLPM) illustrates the point and one of the graphs from that post is reproduced below.

Based upon the most recent South-East US probable maximum losses (PML) and Atlantic hurricane scenarios from a group of 12 specialty insurers and reinsurers I selected, the graph below shows the net losses by return periods as a percentage of each firm’s net tangible assets. This graph does not consider the impact of hybrid or subordinate debt that may absorb losses before the firm’s capital. I have extrapolated many of these curves based upon industry data on US South-East exceedance curves and judgement on firms’ exposures (and for that reason I anonymised the firms).

The results of my analysis confirm that specialty insurers and reinsurers, in aggregate, have reduced their South-East US exposures in recent years when I compare average figures to S&P 2014 data (by about 15% for the 1 in 100 return period). Expressed as a net loss ratio, the average for a 1 in 100 and a 1 in 250 return period respectively is 15% and 22%. These figures do look low for events with characteristics of these return periods (the average net loss ratio of the 12 firms from catastrophic events in 2005 and 2011 was 22% and 25% respectively) so it will be fascinating to see what the actual figures are, depending upon how Hurricane Irma pans out. Many firms are utilising their experience and risk management prowess to transfer risks through collateralised reinsurance and retrocession (i.e. reinsurance of reinsurers) to naïve capital market ILS investors.

If the models are correct and maximum losses are around the 1 in 100 return period estimates for Hurricane Irma, well-capitalized and well-managed catastrophe-exposed insurers should trade through recent and current events. We will see if the models pass this test. For example, demand surge (whereby labour and building costs increase following a catastrophic event due to overwhelming demand and fixed supply) is a common feature of widespread windstorm damage and is a feature in models (it is one of those inputs that underwriters can play with in soft markets!). Well, here’s a thought – could Trump’s immigration policy be a factor in the level of demand surge in Florida and Texas?

The ILS sector is another matter, however, in my view, due to the rapid growth of the private and unregulated collateralised reinsurance and retrocession markets to satisfy the demand for product supply from ILS funds and yield-seeking investors. The prevalence of aggregate covers and increased expected loss attachments in the private ILS market resembles features of previous soft and overheated retrocession markets (generally before a crash) in bygone years. I have expressed my concerns on this market many times (more recently here). Hurricane Irma has the potential to really test underwriting standards across the ILS sector. The graph below from Lane Financial LLC on the historical pricing of US military insurer USAA’s senior catastrophe bonds again illustrates how the market has taken on more risk for less risk-adjusted premium (exposures include retired military personnel living in Florida).

The events in the coming days may tell us, to paraphrase Mr Buffett, who has been swimming naked or, as Lex put it on Friday, “this weekend may be a moment when the search for uncorrelated returns bumps hard into acts of God”.

Hopefully, all parts of the catastrophe insurance sector will prove their worth by speedily indemnifying people’s material losses (nothing can indemnify the loss of life). After all, that’s its function and economic utility to society. Longer term, recent events may also lead to more debate and real action being taken to ensure that the insurance sector, in all its guises, can have an increased economic function and relevance in an increasingly uncertain world, in insuring perils such as floods for example (and avoiding the ridiculous political interference in risk transfer markets that has made the financial impact of flooding from Hurricane Harvey in Texas so severe).

Notwithstanding the insurance sector, our thoughts must be with the people who will suffer from nature’s recent wrath and our prayers are with all of those negatively affected now and in the future.

Cyber Insurance Catastrophe Scenario

The UK government and Marsh released an interesting report today on cyber risk and insurance. Most cyber insurance is written on a standalone basis or as an add-on to professional indemnity, D&O, general liability or business interruption and property covers. Policy wording and terms and conditions vary widely. One of the current uncertainties is what will happen when a major attack, or more likely a frequency of industry-wide cyber attacks, occurs and how traditional insurance exclusions will hold up in the case of legal challenge. The recent 2014 ruling on the Sony PlayStation’s 2011 data breach provided the insurance industry comfort that they will stand up but nothing is certain when new types of losses unforeseen by existing policy wordings meet the US legal system.

The report reveals some interesting facts on the market such as the quantum and variability of current pricing for cyber insurance, as the paragraph and graphic below show.

“There are several factors that influence the price of different insurance products. In the case of cyber insurance, the price may also be driven by uncertainty over the risk compared to more traditional covers. This seems to be the case, with much flatter pricing for cyber across firms than for other lines of insurance; the difference between third and first quartile pricing is 1.7x for cyber, 9.1x for general liability, and 2.6x for property. The combination of a higher absolute price and lower price differentiation suggests that cyber is early in its development and that underwriters are more conservative about the risk, creating a challenge to a core role of insurance – namely, that high pricing discourages take up, and flat pricing provides no incentive for firms to reduce their cyber risk and save on premiums.”

[Figure: 2014 Cyber Insurance Market Pricing]

On the topic of a probable maximum loss (PML) for the insurance sector, the report uses a fairly unscientific 20% of the estimated 2014 aggregate limit of £100 billion, based upon industry expert judgment, as a guesstimate.

[Figure: Cyber Catastrophe Scenario]

Given the need for insurers to diversify their product offerings in this soft specialty insurance market, future demand for cyber insurance products (the report says the cyber insurance market will grow threefold over the next 3 to 5 years) will mean that more accurate estimates for risk accumulations need to be developed.

At this stage in the product cycle for cyber insurance, most insurers can likely rely on their friendly and premium-hungry reinsurer to take the aggregation risk from their cyber exposures (estimated by the report to be £20 billion). Given the capital markets’ risk appetite for low yields and insurance risks, it would not surprise me if some investment bank is currently busily working away on the first cyber bond!