Cyber Catastrophe Stress Test Gauges Potential Impact on Segment Leaders in a More-Developed Future

Monday, August 20, 2018

By A.M. Best

OLDWICK, N.J., August 20, 2018-A modeled single-event cyber catastrophe would generate meaningful to significant gross losses for three of the top 20 cyber insurance providers, ranging from 15% to 119% of these companies' estimated 2022 policyholder surplus under a stress-test scenario.

Start your 15 day free trial now!


Already a subscriber? Please, login

In the new Best's Special Report, "Cyber Insurance Market: Stress Testing the Future," A.M. Best worked with Guidewire's Cyence Risk Analytics team to extrapolate and model current cyber insurance market trends to 2022. As part the approach, five typical policy profiles were created, each with certain attributes such as business revenues, specific policy limits, self-insured retentions and attachment points.

Using two scenarios as described in a Lloyd's 2017 emerging risk report - a cloud service provider interruption and mass vulnerability - A.M. Best applied Guidewire's Cyence Risk Analytics application to the top 20 carriers' modeled cyber portfolios in various scenarios to model their gross loss potential. In the first scenario, numerous cloud-based customer servers fail, leading to widespread service and business interruptions. In the second scenario, a common software application is compromised and exploited on a global scale. In addition to the two event scenarios, an assessment against both events occurring over a 12-month period found that at the 1-in-200 event level, five companies incurred gross losses ranging from 11% to 233% of their estimated 2022 policyholder surplus.

The report notes that gross losses under the 1-in-50 and 1-in-200 scenarios do not take into consideration ceded reinsurance arrangements to which these companies may be party; however, the analysis also does not take into consideration companies' silent cyber exposure (i.e., when perils are neither specifically included nor excluded), which potentially could be significant.

"For the majority of these companies, even the gross losses do not come close to the natural catastrophe probable maximum loss estimates used for stressing the balance sheet strength of the companies," said Fred Eslami, an associate director at A.M. Best. "However, under these circumstances, a handful of companies could lose a significant amount of surplus, which potentially could create ratings pressure or even trigger a downgrade."

"Cyber risk inherently will span multiple functional skill domains, requiring expertise from claims, underwriting, actuarial and enterprise risk management, and making the process truly a team effort across an insurer. Addressing the talent gap will be a critical aspect of risk management," said Sridhar Manyem, director of industry research and analytics.

Stress-testing cyber risks against a company's balance sheet to confirm that the cyber portfolio does not pose capital stresses, and an evaluation of risk mitigation strategies, such as selective underwriting, reinsurance, establishing risk preferences and risk pricing, will be key aspects of A.M. Best's review of an insurer's approach to managing cyber risk.

To access the full copy of this special report, please visit