Weathering Cyber Storms
Unlike a hurricane, a cyber loss can be mitigated as it’s happening. The cyber insurance provider’s chief executive talks about the resiliency of networks and the sector and why an active approach to cybersecurity and attacks makes a real difference.
I think we do need to be concerned. Certainly, we’ve seen multiple instances this year, as you pointed out, that a single point of failure can result in cascading business interruption, or interruption events for other organizations. Whether they’re car dealerships, in the case of CDK, hospitals and doctors, in the case of Change Healthcare, or numerous enterprises, perhaps most notably airlines, in the case of CrowdStrike, many types of organizations were impacted. But, by the same token, I don’t think we need to be terrified of them.
Should we be concerned about systemic risk? Yes. Should we be unduly concerned or should the market cease to function as a result of it? I think the answer is no. The market continues to function very well despite these events all happening in the same year.
I do think that the cyber insurance industry is prepared for large losses, and I believe it’s resilient. The industry is resilient in some cases because of just how conservative the orientation is on the accumulation of cyber risk. Many of the largest reinsurers in the world have fairly sober-minded views of how risk could accumulate. I believe that the study Lloyd’s published is the epitome of that. As a result, many have taken steps to limit their overall exposure to the peril. As an industry, the amount of cyber losses insured is still fairly small relative to the other risks; the global aggregates that reinsurers are taking on cyber, I think, are modest. As a result, if there were a big event, it’s unlikely to materially impact the industry. So, by that measure, I’d say the industry is prepared.
With that said, I do think that the industry is a bit overly conservative when it comes to accumulation of risk. What most underestimate is really the amount of technological diversification that exists across organizations. They also underestimate the boundaries that potentially limit the possibility of systemic losses. They commonly seek to compare cyber accumulation with the accumulation of losses that are observed with natural catastrophes. And I would say that that’s flawed for a number of reasons.
Perhaps the biggest leap is the assumption that cyber accumulation has no geographical boundaries, that one event could impact every organization in the world. But there are two flaws with that premise. One is that there is actually a lot of geographical distribution in cyber, and we witnessed that this year. Two is that CDK and Change Healthcare were both almost entirely inside the United States. But even more fundamentally, those who believe that losses can accumulate into the trillions, as the Lloyd’s study portrayed, ignore the network borders that exist, across the world, across organizations geographically, and so forth. Every network is segmented, so there is actually a remarkable number of borders that prevent the spillover of a vulnerability or point of failure from cascading from one network to the next.
The other thing that people miss is that, unlike nat-cat events, word spreads very quickly. Unlike with nat-cat events, where you’re largely at the mercy of nature—you can’t airlift your Miami mansion to Kansas for the weekend and let the storm pass—there’s the ability to react to events very quickly with cyber and take measures to either contain or entirely mitigate losses. That’s what we saw with the CrowdStrike event—the community collaborating to dramatically contain the severity of the loss. You can actually react to systemic events in a way that would only be a dream in a nat-cat event.
We’re certainly seeing the capital markets more actively participate in this space. We’ve observed a number of catastrophe bonds issued in cyber. But it’s still very early in that the quantity of capital that’s coming to the market is still quite low. We’re also seeing a burgeoning and growing market in reinsurance for non-proportional covers and event-driven covers that are providing more sophisticated tools to potentially manage the tail exposure that exists with cyber events.
On our part, we have seen an opportunity to introduce more sophisticated forms of reinsurance, non-proportional covers, and event-driven covers, which precipitated the launch of our reinsurance intermediary Coalition Re, which is one of the only cyber-dedicated reinsurance vehicles. Coalition Re is looking to bring a more active approach to reinsurance, similar to what we did in the insurance market. With Coalition Re, we believe that we can more accurately quantify the underlying exposure of our cedents. We also believe we have a more sophisticated manner to model the possible accumulation in the market.
More importantly, we can provide more analytics and more data to cedents that help them manage their loss exposures and manage their accumulation exposures. For example, Coalition Re would provide data to cedents telling them which of the insureds in their portfolio have critical vulnerabilities that we believe are likely to lead to an insurable loss or to financial loss.
We would also help our cedents understand their exposure to various technologies, service providers, and vendors, help them manage their own books, and better prepare for potential catastrophic loss. Coalition Re has a major opportunity to innovate and help drive more sophisticated structures. This new vehicle will also provide a variety of services, including the same cyber risk management platform that our insurance customers benefit from. It’s an active cyber reinsurance product, not just a financial product. By coupling the product with technology and data, we can help manage both attritional and accumulation risks for our cedents.
Their barometer is measuring a well-understood phenomenon, which is that we’re in the early stages of really the next industrial revolution: digital transformation. Every organization, from for-profit and not-for-profit, to even religious ones, is becoming a digital business. As a result, it’s no surprise that digital risk is becoming one of the most pervasive risks facing most organizations.
This is precisely why Coalition was founded in 2017 and why we’ve pioneered this active approach to cyber insurance. It’s from a deeply rooted belief that cybersecurity is really a risk management problem. And like any risk, you can accept it, you can mitigate it, and you can transfer it. And, of course, whatever you haven’t transferred or mitigated, you’ve accepted.
The state of affairs today is that most organizations are accepting far more cyber risk than they realize and certainly more than they’re equipped to manage on their own balance sheets. That’s why we believe that there was a need for an insurance product that not only helped them transfer risk in an effective manner but also included capabilities to help them mitigate that risk in the first place.
Unlike a traditional cyber insurance product, Coalition is actually reducing the frequency of cyber attacks for policyholders. When a cyber incident does happen, we’re actually sending in people who can reduce the severity of the loss. And if we can reduce the frequency and severity for our clients, we can reduce the financial losses and the exposures that they have. And that’s something that’s meaningfully differentiated from the rest of the insurance market.
This approach, which we call active cyber insurance, is what’s made Coalition into an insurance powerhouse. And we can measure the efficacy of that approach. If we look at our claims frequency relative to the U.S. market average as reported to the NAIC [National Association of Insurance Commissioners], our claims frequency is 64% lower than the market average. I believe that if you were to rank us against other domestic U.S. insurance companies on the same basis that is published by AM Best, we would have been the largest writer of cyber insurance in North America in 2023.
Digital transformation is a global phenomenon. All businesses are embracing technology to deliver more value. And so, since the risk is global, the solution needs to be global.
We’ve always believed that cyber insurance is a global opportunity. Insofar as there is a significant commonality of the risk that’s shared by organizations, there’s also a significant commonality in how organizations globally should manage the risk. Thus far, we’ve expanded from the United States into Canada, the United Kingdom, Australia, and most recently, Germany.
Expect us to continue to expand globally to bring this active cyber insurance solution to more countries and more geographies. It’s already resonated in a significant way. We’ve quickly taken market share in every geography in which we’ve launched, in large part because of the need for not just a risk transfer solution, but also a risk management solution that’s highly effective and cost-effective. That kind of solution is needed by everyone. Small businesses especially are struggling just to get by, never mind having to manage something as complex as cybersecurity. That’s why we want to be a partner to help them become more resilient.
As much as people like to talk about cyber being a very dynamic space where things are changing all the time, I would expect 2025 to be more of the same. And that’s namely that cyber crime is becoming an increasingly lucrative form of crime for multiple reasons. One, the return relative to the resources that need to be invested is very high. By some estimates, cyber crime is more profitable than international drug trafficking. And two, the likelihood of being brought to justice or suffering consequences of committing the crime is typically much lower than many other forms of crime.
I would expect that ransomware will continue to be the primary means of crime for many actors, together with social engineering and funds transfer fraud. Those are the most dominant claims that the cyber insurance [sector] sees and I believe that will continue.
I would argue that the single greatest innovation in the history of cyber crime isn’t really a technical one—the way in which malware works and the way in which these attacks occur are largely the same. The biggest innovation is actually a business model innovation. And that was the business model of ransomware, where criminals realized that either by exfiltrating data or by encrypting it, they could effectively hold an organization hostage. And that as the value of data grows to an organization, therefore, the value of the ransom that could be demanded can increase. And so, I think we’re going to see more of the same in 2025.
I would say privacy is another theme that has just been growing slowly. And I don’t see that stopping. We’re going to see more pressure from regulators and from the general populace on the protection of data and how organizations collect data. But maybe one of the biggest trends I see is plaintiffs’ lawyers entering the fray. If you were to ask me, in 2025, who am I the most afraid of, hackers or plaintiffs’ attorneys? I’m going to tell you plaintiffs’ attorneys, which is actually not all that dissimilar from the rest of the insurance industry, particularly in the United States. It’s only a matter of time before we see plaintiffs’ attorneys have a more meaningful impact on the results of cyber insurers.