Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
July’s global tech outage broke all records. It grounded planes, disrupted medical appointments and took broadcasters off air. But the impact on the fledgling cyber insurance sectors was muted. The vast majority of costs — estimated to be as much as $15bn — were uninsured.
Had the chaos gone on for longer, it could have been a different story. Most policies do not kick in for eight hours or so after the incident starts. The cause of the IT outage was an error — a botched update from cyber security company CrowdStrike — that was a lot easier to fix than a cyber attack. Risk retentions and policy limits also help limit insurers’ liabilities. They are likely to pay out less than a fifth of the estimated $5.4bn losses incurred by Fortune 500 companies (excluding Microsoft), according to insurer Parametrix.
Beazley, a cyber insurance market leader, last week shrugged off the incident, leaving its profits guidance unchanged. Berenberg’s Tryfonas Spyrou estimates Beazley’s potential loss at between $80mn to $120mn, which can be comfortably absorbed.
Insurers can’t be confident they’ll come off so lightly in the future. This is one of the raciest corners of the insurance market. There is limited data on which to form judgments, although the recent outage will provide useful datapoints. There is no escaping the enormity of the potential risks. Beazley estimates that the kind of natural catastrophe that might occur once in 250 years would have a 26 per cent impact on its solvency ratio. The equivalent cyber event would be 5 percentage points more severe.
But the market is rewarding companies for taking on these risks. Beazley’s cyber business’s combined ratio — a closely watched measure of losses plus expenses as a percentage of premiums — at 69 per cent is 8 percentage points lower than the group average.
Moreover, insurers can and should mitigate the risk by careful underwriting. In 2021, Beazley shed large numbers of policyholders that lacked adequate controls. It has pioneered cyber catastrophe bonds to offload some its risk. It also imposes exclusions and limits in case of war, a malware disruption of a sovereign state or a prolonged cloud outage of 72 hours or more.
Insurance is only a partial solution to burgeoning cyber risks. Cover is expensive and limited. Yet demand for policies may well get a boost from the recent outage. Risk managers were already spooked by cyber threats according to Allianz Risk Barometer. The paralysis induced by the ‘blue screen of death’ powerfully reinforced the message.