INSURANCE | 02.12.2024
What impact can a cyberattack have?
The risks facing businesses, institutions, and individuals are escalating in the digital realm due to the growing exposure to organized cybercrime. While significant cyberattacks have occurred, experts anticipate an even more catastrophic event that could surpass current losses by a considerable margin. This poses significant challenges for the insurance industry.
One of the most concerning aspects of cyber risks is their potential to inflict widespread damage, impacting numerous targets simultaneously across various regions. While cyberattacks often result in limited effects, there are times where they can completely cripple the operations of entire organizations and subsequently affect third parties. For instance, this scenario may unfold following an attack on a financial institution or a government agency.
It’s the cascading effects that could lead to catastrophic losses, severely impacting the insurance industry, currently experiencing a pronounced uptrend in cyber risk protection. While interest in these coverages grows annually, there is lingering uncertainty about their true scope.
Several massive attacks have already occurred, highlighting their potential consequences. The largest to date, caused by the WannaCry virus in 2017, resulted in estimated losses of around $4 billion, infecting entities like the Spanish multinational Telefónica and the British National Health Service (NHS). Others have surpassed the $1 billion mark in damages, a figure experts fear could escalate.
Lloyd’s, the world’s largest insurance market of British origin, has attempted to quantify the economic impact of a major cyberattack on a key payment network, foreseeing potential losses of up to $3.5 trillion. This “hypothetical but plausible” scenario, as described by Lloyd’s, underscores the urgent need for heightened vigilance.
Opportunity and challenge within the insurance industry
These potential losses present a significant challenge for the insurance industry and its long-term viability in providing protection against cyber risks, an area extensively examined by the Geneva Association, the leading global consortium of insurers, in its report “Cyber Risk Accumulation: Fully tackling the insurability challenge”. Echoing sentiments from Lloyd’s, the study suggests that “a truly catastrophic event has yet to materialize” in cybersecurity.
Oscar Taboada, head of the Cyber division at MAPFRE RE, acknowledges this perception within the industry, emphasizing that while such a major event “is unpredictable, it remains one of the focal points in the market.” “We’ve made considerable strides in developing accumulation models in recent years to estimate the maximum potential loss in an event of this nature, but discrepancies still exist among them. Continued progress is essential,” notes the head of cyber risks in MAPFRE’s reinsurance division.
Cyberattacks evolve as hackers gain access to new tools, technologies, and funding, exploiting both old and emerging vulnerabilities. While many of these attacks are financially motivated, advancements in cybercrime techniques make them increasingly widespread. However, there is also a growing risk of attacks aimed at destabilizing the systems and economies of specific countries, as evidenced by the conflict between Russia and Ukraine, underscoring the heightened complexity of the geopolitical landscape.
The global cost of cybercrime already ranges between one trillion and eight trillion dollars annually, according to various estimates. Conversely, while specialized cyber insurance has seen consistent growth, global premiums amount to $12 billion to $14 billion annually, a fraction of the total cost of cyberattacks. This highlights a significant portion of their potential impact remains unaddressed, as emphasized by experts from the Geneva Association.
A shared effort
However, the loss volumes emerging from predictive models could not be fully absorbed by the insurance industry. Various national and international organizations in the industry are already collaborating to formulate a joint response and explore ways to enhance protection through public-private partnerships.
At the Geneva Association’s 50th-anniversary summit, MAPFRE CEO Antonio Huertas underscored the industry’s potential role in addressing cyber risks, identifying them as one of the paramount challenges of our era: “As insurers, our responsibility extends beyond financial compensation; we must assist our customers in navigating the intricate landscape of cyber threats.”
Huertas emphasized the imperative of sharing emerging risks among insurers, governments, and administrations to bridge cyber protection gaps and safeguard the societal benefits of cyberspace.
There are many needs in cyber risks, and this represents a “great opportunity” for insurance, says the head of Cyber at MAPFRE RE. But if the aim is to increase the supply of capacity and products in the market, “potential customers must continue to mature in aspects of cybersecurity and protection, with much greater awareness and investment, and the insurance industry must continue to advance in a better understanding of the risk that allows it to further improve underwriting.”
Additionally, Oscar Taboada pointed out that systemic risks like catastrophic events, critical infrastructure threats, and cyberwars are inherently uninsurable due to their scale and unpredictability. Thus, solutions such as backstops—a maximum limit the sector can bear before state intervention—or pools will be necessary, akin to those already in place for natural disasters or terrorist attacks.