Buried risks: Gauging the true scale of cyber exposure

Cyber cover is a huge opportunity for UK insurers[1], but could expose the market to sizeable and uncertain losses - how ready are insurers for the new reporting demands?

A 2015 UK government report estimated that the insurance industry’s global cyber-risk exposure has reached around £100 billion[2] and will continue to rise as the scale of the threat and the level of losses covered by insurance increase. Because Lloyd’s is one of the world’s leading cyber underwriters[3], a lot of these liabilities are held within Lloyd’s.

Around half of the insurers in our survey offer significant amounts of explicit cyber cover or see this as a growing area. Beyond specific cyber cover, almost all recognise that they have incidental exposure to cyber risk ‘buried’ in other areas of their portfolios. Property, professional indemnity and aviation contracts are seen as the most affected, though all business lines are exposed in some way. As the survey highlighted, a lot of contracts are ‘silent’ on cyber, making it difficult to discern whether the insurer is liable or not.


Gauging potential cyber losses is difficult as there’s minimal historical data to draw on and the threats are constantly morphing. Given this uncertainty, Lloyd’s is keen to get a clearer idea of the risk concentrations and aggregations within the market. Having introduced market-wide reporting in 2014[4], Lloyd’s now wants syndicates to assess the impact of a series of new cyberattack scenarios, each centred on one of the market’s ten main classes of business. Lloyd’s believes the analysis will enable the market “to gain a consistent view of accumulation risk – including silent cyber”[5].

Testing approaches

So how are insurers responding to the increased evaluation and reporting demands? If we look beyond specific cyber contracts at the incidental liabilities, our survey found that participants see data breach and power blackouts as likely to generate the biggest aggregate exposures. The size of loss relative to the largest RDS (realistic disaster scenario) depends on the nature and size of the book, and often the entity in question. For instance, a total loss resulting from a cyber scenario is more plausible in the case of an interconnected marine/cargo book than in that of a diversified property treaty portfolio.

Estimated losses

Graph: How high is your calculated loss / expected loss from your risk appetite from your largest cyber scenario compared to your largest RDS?

Source: PwC cyber risk management survey

The most common testing methods rely on identifying contracts potentially affected by a scenario and applying a number of assumption factors. Approaches vary from a simple maximum line or factor-based methodology to detailed bottom-up analysis looking at the coverages triggered and the severity of impact. This inconsistency of approach is reflected in the wide range of views on the scale of the impact of different scenarios.

Ready or not?

While most participants have a loss methodology in place to meet the updated Lloyd’s requirements, albeit often quite a simple one, many feel that a more standardised approach to loss estimation would help to reduce duplication of effort. If their methodology were refined, most also believe that they’d be able to apply less conservative assumptions. Most are planning to make such refinements, with the level of investment especially high among businesses planning to expand their cyber book.

Better risk evaluation, bigger opportunity

So how can your business get a real idea of your true cyber liabilities? The immediate priority is evaluating and managing the ‘buried’ exposures, which will mean going through each contract in turn. This kind of detailed bottom-up analysis is important in giving your board the assurance it needs to sign off the loss estimates before reporting to Lloyd’s.

Looking at explicit cyber cover, there is the challenge of how to quantify the risks in capital models. Given the speed at which threats evolve, this is always going to be difficult – all your parameterisation might be completely out of date in a matter of months. With this tough ask largely falling on actuarial teams, it’s important to develop a credible basis for expert judgements and ensure these are regularly reviewed and updated for modelling.

Help is at hand. More sophisticated scenario-based methodologies are now emerging to gauge both explicit and incidental losses, which can provide a more informed basis for risk and capital evaluation and reduce reliance on excessively conservative assumptions. Aids include third-party analytical tools. But in many ways the real step change in cyber underwriting will come from getting closer to clients, developing more bespoke evaluations of their vulnerabilities and advising on how these could be mitigated. This more informed and risk-preventative approach would enable your business to offer keener prices and more effective risk control, without simply relying on restrictive limits.

[1] We estimate that annual gross written premiums will grow from around $2.5 billion today to reach $7.5 billion by the end of the decade. Source: ‘Insurance 2020 & beyond: Reaping the dividends of cyber resilience’, PwC, 2015

[2] UK Cybersecurity: The role of insurance in managing and mitigating the risk, UK Government, March 2015

[3] In 2015, the Lloyd’s market wrote £322 million-worth of cyber policies, up from £206 million in 2014. In 2016, this is expected to rise to £500 million. In 2013, the number of Lloyd’s syndicates writing cyber was 22. In 2016, it is 63. Source: Lloyd’s Cyber-Attack Strategy 2016

[4] Lloyd’s Market Bulletin, 25 November 2014

[5] Lloyd’s Cyber-Attack Strategy 2016
