Next WannaCry attack could cost insurers $2.5B
(Bloomberg) -- Cyber crime insurers largely avoided costly claims from the recent attacks that hit businesses around the globe. The next global virus could change that.
“It’s exceptionally likely that we will see an event over the next months that will seriously affect insurers,” Graeme Newman, chief innovation officer at CFC Underwriting, said in an interview. “It would only need a combination of WannaCry’s wide reach and Petya’s destructive force to cost cyber insurers something like $2.5 billion, or a full year of gross premium income in the market.”
Reckitt Benckiser Group Plc cut its full-year sales forecast on Thursday after a global cyberattack last month disrupted manufacturing and distribution for the maker of Air Wick fresheners and Dettol cleaners. It was the first detailed indication of the financial toll by a major company. Danish shipping giant A.P. Moller-Maersk A/S, which had to shut down systems across its operations to contain the cyberattack, said it’s too early to predict the impact on its results.
Hackers may learn to develop even more dangerous tools after attacks such as the WannaCry virus in May and the Petya attack that wreaked havoc in Europe in June by freezing access to computers, allowing the attackers to demand ransom to unlock the systems. Those events didn’t result in meaningful insurance claims because they didn’t affect many companies in the U.S., where currently more than 90 percent of the cyber insurance market is located, Newman said.
CFC underwrites approximately $100 million of cyber-insurance premiums, making it one of Europe’s biggest sellers of the product, and has sold the coverage since 2000. As a Lloyd’s of London-backed managing general agent, the company underwrites on behalf of other insurers. The global market for cyber insurance grew to about $3.4 billion in premiums last year and could rise to between $8.5 billion and $10 billion by 2020, reinsurer Munich Re estimates. CFC saw its premiums in the market climb by more than 60 percent last year and Newman expects to match that this year.
“Sooner or later we, will see a billion-dollar cyber claim and the insurance market is well positioned to absorb that,” said Thomas Seidl, an analyst at Sanford C. Bernstein in London. “Everybody has exposure to cyber risks and the best precaution can’t eliminate that, so there is a strong demand for insurance making cyber coverage by far the biggest opportunity for non-life insurers for the next years.”
The largest cyber writers are American International Group Inc., XL Group Ltd., and Chubb Ltd., according to a report by Fitch Ratings. The companies had a combined market share of approximately 40 percent at the end of last year and “over 130 distinct insurance organizations reported writing cyber premiums for the year.”
Read more: A QuickTake Q&A on how ransomware works
Low claims, combined with more companies entering the market, mean that prices for cyber coverage have been falling globally. They are down about 10 percent in the U.S. and about 20 percent in the international market this year, according to CFC’s Newman.
“It’s still a market where supply by far exceeds demand,” he said. “There is no break in supply with new insurers entering the market.”
With cyber coverage growing rapidly and insurers increasingly seeing the segment as their next blockbuster, regulators are concerned that the industry could be taken by surprise.
Insurers writing cyber policies “are expected to introduce measures that reduce the unintended exposure to this risk,” the U.K.’s Prudential Regulation Authority said in a statement on Wednesday. It said insurers may face payouts from computer related claims from less specific policies such as general liability or property insurance.
“Although we have not yet seen large insurance losses, recent near misses highlight the large systemic potential of malware in a connected world,” said Marta Abramska, associate director in PricewaterhouseCoopers’s cyber insurance practice. “The regulator expects insurers to fully understand their exposure.”
In the U.S., the largest insurers offering cyber coverage are already adjusting their business by shifting away from packaged to standalone policies, which represented 70 percent of direct premiums written in the U.S. last year, according to a June 26 report by ratings firm A.M. Best.