Insurers' Aggregation Risk On Cyber Claims In Check Featured

Insurers' Aggregation Risk On Cyber Claims In Check

A culmination of high claim activity (or aggregation risk) for property/casualty insurers is a rising risk as insurers increase coverage to protect against cyber threats, says Fitch Ratings.

However, the potential for any future credit impact to major providers is kept in check by the still relatively small size of the cyber-related insurance market. As insurers continue to improve and refine their understanding of cyber risks, Fitch expects the industry to broaden coverage and accept larger and potentially more threatening exposures.

Although growing rapidly, global cyber insurance premiums are between USD1.5 billion to USD2 billion, according to ACE Ltd., which believes it holds about 8%-9% of the market. As such, a significant increase in cyber events is not likely to generate insured losses that would represent a substantial threat to the capital position of individual insurers or the industry. Moreover, we believe that most cyber writers have prudently managed cyber risk exposure limits, in part due to limited experience and expertise in underwriting and pricing these risks.

Thus, even under an extreme scenario today, we believe that losses would be relatively manageable for providers directly covering cyber threats, such as ACE (Insurer Financial Strength [IFS]: AA/Stable) and AIG (IFS on P/C: A/Positive) in the US and Lloyd's of London (IFS: AA-/Stable) in the UK. What is less clear is how loss aggregation could play out under a severe cyber attack that leads to insurable events covered by noncyber-related catastrophe policies, including standard commercial liability, business interruption and professional liability.

Increasingly, major corporations are able to point to the immediate and lingering costs of data breaches. In one of the most high-profile cases, US retailer Target Corp. incurred $252 million of expenses relating to its 2012 data breach, which was partially offset by $90 million of expected insurance recoveries. Malware on Target's point-of-sale system led to the theft of approximately 40 million credit and debit card accounts and the contact information on 70 million customers.

US retailer Home Depot recorded $63 million of pretax expenses in fiscal 2014 related to a malware breach on self-checkout systems in the US and Canada. The company still expects to incur "significant" future legal and other expenses due to the data breach.

High-profile incidents such as those above elevate cyber security issues to the legislative and regulatory levels, which could lead to better data protection legislation being adopted in the US. Already, under formulated EU directives being contemplated, a failure to report a breach in time could lead to fines of up to 5% of total turnover, or EUR100 million, whichever is greater. Fitch believes that such directives could increase demand for cyber insurance.

Moreover, in April 2015, Swiss Re announced that it will partner with IBM to offer cyber risk protection products and services to companies. Fitch believes that such partnerships between tech firms and insurers will become increasingly common over the next years. 

back to top