Contents
- Cover
- Contents Masthead
- Stable Outlook Cyber Insurance and Market Segment Reports
- Cyber Coverage Unknowns and Global Outages Losses
- Global Outages Cyber Loss and Cyber Policy Coverage
- Systemic Cyberrisks and Sustainable Cyber Market
- Health Care Sector Hacker Targets and Regulatory Response
- Ransomware Losses and Parametric Plans
- Emerging Cyber Insurance Market and Stress Testing
- Cyber Cat Bonds and Reinsurance Special Purpose Arrangement
- Bests Rankings Total Stand-Alone Cyber and Top Cyber Writers
- Companies Writing Cyber Insurance Coverages
Swiss Re Cyber Head: Systemic Cyberrisks
Require Larger-Scale Solutions
Coverages will need to be sold more broadly as the world becomes more
digitalized, Dani Tobler, head of cyber & specialty center at Swiss Re, says.
Dani Tobler, head of cyber & specialty center at Swiss Re, said systemic risks could require
collaboration among insurers, reinsurers, capital markets and government backstops.
Tobler spoke with AM Best TV at the 2024 PLUS Cyber Symposium in New York City about
how this emerging risk—such as large cloud outages and widespread malware—will need to
be addressed more broadly, including in small and midsize businesses. Following is an edited
transcript of the interview.
The cyber class of business is fairly young in comparison to the established classes, like
property. How has it been evolving over the past several years?
We’re coming out of a phase of strong growth, which has created a lot of positive excitement around
the class. The growth came from the large corporate segment to quite some degree and it was aided
by strong rate increases, particularly in 2021 and 2022.
The risk landscape has been very dynamic. Ransomware was the emerging trend that was also
the cause of the reason why rate increases were necessary. And then during that period, it went
from a marketplace of limited size to one which is very crowded where all the major insurers and
reinsurers have established their teams and are part of the market.
Where do you see the current challenges from your perspective as a reinsurer?
It’s the same themes as I have been talking about. But the growth is much lower now. We see
signs of saturation on the large corporate segment and also rates are no longer increasing but
decreasing. So we need realistic growth plans that are based on specific initiatives to target new
business segments, particularly in the small and midsize market segments.
Secondly, on the risk landscape that remains
dynamic, we hear a lot about AI, which is currently
seen by many experts as a neutral thing, I would
say, for the risk landscape. But then we also see the
emergence of a lot more losses on the third-party
liability side of the cyber product. So, practically we
are seeing losses coming in like five, six, seven years
later. And it’s really important that we have a close eye
on that, we reflect that in our pricing and don’t have
negative surprises.
Then the third one is around the fact that it’s more
crowded, more players, it’s growing even if the growth
is a bit slower. So systemic risk is growing and we need
to find solutions to protect against that risk.
Can you elaborate a bit further on the solutions
for systemic risk?
If we think about systemic risk in the context of cyber,
the two biggest scenarios that we have in mind are
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
large cloud outage and widespread malware. As digitalization will further advance and also
the cyber product will be sold more broadly, the loss potential from these types of events will
increase much further. To provide protection against this threat, we need contributions from
the insurers, the reinsurers, capital markets and also government backstops. The solutions are
currently being worked on and all these four parties
need to do their part.
The insurers, they will tailor their product to specific
client needs and to specific exposures. The reinsurers
need to analyze and understand the correlation
across their whole portfolio, steer the portfolio
accordingly and also define the structure in a way that
is commensurate with their risk appetite. The capital
markets, so far, only carry a small fraction of this risk, so
there’s a lot of potential there to carry more of that.
The question about diversification and correlation
is also for them very important and I think there is
diversification there coming from, on the one hand
side, different structures where capital markets can
participate and then also the underlying portfolios—
they vary and they are not reacting in the same way to a
specific event.
Then last but not least, the government backstops,
they can be an add-on to insurance capacity but they
are also a means to address the remaining protection
gaps.
What are the key priorities in the coming years for
the cyber market?
I believe the key priority is to build a sustainable cyber insurance and reinsurance market to
maintain that positive momentum and to build trust in all our companies to continue investing in
this line of business. So, what does that mean—a sustainable market?
I think we need adequate pricing for the systemic element. That’s like the cat element, the nat
cat element in a property policy. We need a realistic expectation for the third-party element as
this comes through on the loss side. So, that’s similar to the liability side. We don’t want negative
surprises on the runoff and we need realistic growth plans so that we can deliver on the targets
that we have in our various companies.
If we do all that and we also work on the solutions on the systemic risk, I think we’re on a really good
path as an industry to provide much more cover against cyberrisk to societies, to companies and
to individuals. For us specifically at Swiss Re, that means partnering with our existing client base
as they are working with us toward this sustainable market. It also means that we’re interested to
partner with new clients who are credible writers
for that small and midsize market segment.
Lori Chordas
AM Best TV
Senior Associate Editor
AM Best TV
Dani Tobler
Swiss Re
Scan to watch the interview with
Dani Tobler.
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
Data-Driven Health Care Sector Finds
Itself in Hacker Crosshairs
The Change Healthcare cyberattack is among the latest in a sector rich with
targets for ransomware, fraud and identity theft.
Hospital shutdowns, disrupted payment models, compromised patient data, and connected
medical devices that have been potentially tampered with are among the emerging threats
health care organizations need to address as the industry becomes increasingly interconnected,
industry watchers say.
“Health care organizations are particularly vulnerable and targeted by cyberattacks because
they possess so much information of high monetary and intelligence value to cyber thieves and
nation-state actors,” John Riggi, a senior advisor for cybersecurity and risk at the American
Hospital Association, wrote on the organization’s website. “The targeted data includes patients’
protected health information (PHI), financial information like credit card and bank account
numbers, personally identifying information (PII) such as Social Security numbers and intellectual
property related to medical research and innovation.”
Among recent breaches, Ascension Health, a leading not-for-profit Catholic health system with
140 hospitals in 19 states and the District of Columbia, had to take its electronic health record
system offline in May after a suspected ransomware
attack. Separately, UnitedHealth Group’s Change
Healthcare subsidiary, which processes 15 billion health
care transactions annually and touches a third of U.S.
patient records, has advanced health care providers
more than $9 billion in funding and interest-free loans as
of July 16 as it was confronted with a hack to its network
that was first identified Feb. 21.
UnitedHealth indicated in its second-quarter earnings
announcement that the 2024 financial impact from the
cyberattack was expected to exceed $1.90 to $2.05
per share or $1.76 billion to $1.90 billion based on 928
million fully diluted shares outstanding. According to the
company, its “privacy office and security information
teams are actively engaged and working to understand
the impact to members, patients and customers.”
UnitedHealth said it doesn’t appear Optum,
UnitedHealthcare or UnitedHealth Group systems were
affected by the attack carried out by a cybercrime threat actor self-identified as ALPHV/Blackcat,
which the FBI says has compromised more than 1,000 entities in the United States and elsewhere. The
U.S. Department of State is offering a reward of up to $15 million for information leading to the arrest
of anyone who conspired in or tried to participate in ransomware activities using the ALPHV/Blackcat
variant. Providing the information alone that identifies a key leader in the Transnational Organized
Crime group behind the ransomware-as-a-service qualifies for a reward of up to $10 million.
UnitedHealth declined to comment on reports it paid $22 million to the hackers. “We are focused
on the investigation and restoring operations at Change,” a spokesperson said.
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
Change Healthcare Not Alone
Hospitals and other health care providers have been especially vulnerable. The Office for Civil Rights
at the U.S. Department of Health and Human Services, which tracks data breaches affecting 500
or more individuals, reported 872 breaches on its website between March 21, 2022, and March 25,
2024, with the vast majority “hacking/IT incident(s)” rather than unauthorized access/disclosures.
The companies targeted include a mix of physician practices, hospitals, integrated health
systems, medical device makers, pharmacies, health care billing systems and health plans,
according to the OCR’s report, which has been nicknamed the “HIPAA Wall of Shame.” HCA
Healthcare, a leading health system, reported a breach that affected more than 11 million patient
records at the end of July 2023, the report said.
Regulatory and Legal Response
Change Healthcare filed a petition supporting a move to have the 24 legal actions filed against
the company as of April 2 to be heard in the Middle District of Tennessee, which is in Nashville.
“Key custodians, witnesses, and evidence—including many Change corporate records,
documents, and servers—are in Tennessee,” Change said in its filing, which also noted the first
and the majority of legal actions were filed in this court.
In the wake of the Change Healthcare cyberattack, U.S. Sen. Mark Warner introduced legislation
allowing for advance and accelerated payment to impacted health care providers who, along
with their vendors, meet minimum cybersecurity standards. The attack on the UnitedHealth
Group subsidiary “paralyzed billing services for providers nationwide, leaving many in danger of
becoming financially insolvent,” the Virginia senator said in a statement.
The Health Care Cybersecurity Improvement Act of 2024 introduced by Warner would modify
the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance
Payment Program.
“It was only a matter of time before we saw a major attack that disrupted the ability to care for
patients nationwide,” Warner said. “The recent hack of Change Healthcare is a reminder that
the entire health care industry is vulnerable and needs to step up its game. This legislation would
provide some important financial incentives for providers and vendors to do so.”
The effects of the attack have rippled throughout the U.S. health care system. HHS Secretary
Xavier Becerra and U.S. Department of Labor Acting Secretary Julie Su called on UnitedHealth,
other insurers, clearinghouses and health care entities to do more to mitigate harm to patients
and providers. State officials and health care organizations have done the same.
States, including Arkansas, also are taking action after the attack on Change. Arkansas Attorney
General Tim Griffin said his office will investigate Change Healthcare under the state’s Personal
Information Protection and Deceptive Trade Practices Act. Griffin said he wants to know if
confidential medical information was compromised and/or laws violated.
“Additionally, my office will look into whether Change Healthcare used reasonable security procedures
and practices to protect this information as required by Arkansas law,” Griffin said in a statement.
The Maryland Department of Health said it determined that the Change cyberattack didn’t
immediately or directly put the department at risk. ”However, we continue to monitor the impact
of this outage on providers and patients,” it said on its website.
Renée Kiriluk-Hill
Senior Associate Editor
Best’s News
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
Tokio Marine HCC Executive: Ransomware
Losses Extend Beyond the Actual Ransom
Ransomware costs can include extortion payments, lost business income,
recovery and potential litigation, the insurer says.
Ransomware losses can include extortion payments, business income loss, recovery costs,
notification, credit monitoring and potential litigation, Jacob Ingerslev, senior vice president at
Tokio Marine HCC, told AM Best TV.
Publicly reported attacks have surged, Ingerslev said, noting all indications point to ransomware
reaching record high levels. Following is an edited transcript of the interview, which took place at
the 2024 PLUS Cyber Symposium in New York City.
How are you seeing the market for 2024 when it
comes to cyber?
I think we have to look at what took place last year. By
all indications, it was a record year across pretty much
all the cyber claims, from ransomware to data breach
to business email compromise. We also saw numerous
widespread events, and as we’ve moved into 2024, that’s
really continued.
Are you seeing an uptick in ransomware?
You have to look at different signals and some of the
signals we’re looking at are a record high number of
ransom payments for any year, so far. Then we’re
seeing a big uptick in victims on leak sites. That’s where
you end up if you do not pay ransom. That’s another
strong indication. Then publicly reported attacks is up
dramatically as well. So, I think those are all indications
that ransomware is reaching record high levels.
What are typical costs associated with these types
of attacks?
When the ransomware wave began back in 2018-2019,
it was typically extortion payment. A lot of people paid
extortion, unfortunately, and then they might have business
income loss and some recovery costs. Now, every ransomware attack is almost a data breach, which
triggers additional costs, notification, credit monitoring. You will likely be sued if there’s enough data
volume that’s out there.
Typically for that piece there’s really no discount when you do pay ransom. So, if you have
recovered your network, they took some information. It’s advisable not to pay because there’s
probably going to be litigation anyway. That’s really sort of how the two, data breach and
ransomware, have merged in the last few years.
Even in 2023 we saw numerous attacks that actually only involved data exfiltration and extortion.
Not a successful business model for the cybercriminals, but they can take a lot more time
negotiating and putting a lot of pressure on victims that way.
Jacob Ingerslev
Tokio Marine
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
Are you seeing the use of artificial intelligence when it
comes to these sort of attacks?
We’re not seeing evidence of really sophisticated AI-driven
attacks yet, but what we are seeing is a change in speed and
scalability. I think threat actors have become much faster at
detecting and exploiting new vulnerabilities and impacting many
more victims in the same go-around. That’s what we’re seeing.
Perhaps there’s a couple of concerning trends, more so in the
wire transfer fraud side of the house, where you see deepfakes
and it could be deepfake videos or deepfake audios that trigger an employee into transferring
money. I think, overall, AI will just increase frequency of attacks over time. That’s what we’re
concerned about.
Let’s talk about something called website tracking litigation. What exactly is that and
what are you seeing?
That’s something that caught the industry a little bit off guard in the last 24 months. There were
early litigation around this all the way back to 2011, ’12. There’s something called zombie cookies.
As we know, technology evolves, so there are lots of available consumer behavior tracking tools
out there you can put on your website.
In the worst case, it means transferring protected health care information to companies like
Facebook, and that violates typically numerous privacy laws. We’ve seen a wave of litigation
against health care providers that’s now spread to the entertainment industry and some other
industries. These are not small dollar amounts. These can move well into the seven figures when it
comes to settlements. As per usual, the victims get $2 or $3 each and someone else gets the rest.
So not in the interest of the consumer necessarily.
John Weber
AM Best TV
Senior Associate Editor
AM Best TV
Scan to watch the interview with
Jacob Ingerslev.
Parametric Plans May Offer Quicker
Resolution After a Cyber Crisis
Victims of hackers or IT snafus may find clear triggers of parametric contracts
helpful to gain relief, insurance experts say.
Greater connectivity among smartphones, computers, transportation vehicles, fitness apps,
medical devices, business supply chains and other assorted gadgets can make data gathering easy.
The downside is that each connection point creates a new security vulnerability for networks and
data to be compromised.
Insurance experts suggest parametric contracts—which use a third party to designate what could
trigger a claim—may be an ideal coverage for cybersecurity issues, since these issues typically
demand a fast response to contain any potential damage to computer networks and to resume
business operations. The clear triggers and faster payouts can aid in the response to cyber issues.
Cloud computing outages, data breaches and ransomware are some of the issues confronting
organizations that need to protect customer information, their own intellectual property, strategic
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
plans, and other nonpublic information that can affect an
organization’s value. Also, the potential for fines tied to
privacy regulations from data breaches has elevated the
need for protection.
“This is an emerging line of business for parametric,”
said Derrick Easton, managing director, alternative risk
transfer solutions, WTW.
Cole Mayer, Aon plc’s leader of worldwide parametric
initiatives, agreed, describing it as a “new frontier” in
coverage for parametric contracts, which have largely
been used to cover natural disasters and for crops. “This
is something that’s very high on our radar [and] on our
clients’ radar as well,” Mayer said.
Recent cyber catastrophe bond offerings are showing
signs that the market is getting more comfortable
taking on cybersecurity risks, industry observers say.
However, pricing of cyberrisks is a bit more difficult,
given the lack of historical data that has been gathered,
compared to decades of weather data gathered
worldwide.
“As with any new risk, there will be challenges early on
in pricing cyber bonds, be it on a parametric or an indemnity basis. But as we saw with hurricane
modeling 30 years ago, it’s usually just a matter of time,” said Adil Imani, director of insurance-linked
securities for Extreme Event Solutions at Verisk.
William Borden
Managing Editor
Best’s Review
Adil Imani
Verisk
AM Best: Emerging Cyber Insurance
Market May Need Stress Testing
Cyber security insurance may need deeper modeling to properly underwrite
the risks, according to a Best’s Market Segment Report. The limited track
record of significant losses creates uncertainty about how models will stand
up to real events.
Editor’s Note:
The following is an excerpt from a February 2024 Best’s Market Segment
Report,
Cyber: Growth Potential and Pricing Environment Support Appetite Across Some European
(Re)insurers
. Visit
www.ambest.com
to access the full report.
Managing Cyber Underwriting
Insurers writing cyber often license major third-party vendors’ models for stress testing
and exposure management. However, AM Best views positively that even when using third-
party models, carriers often have internally developed models to assess realistic disaster
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
scenarios. Internal tools allow carriers to sense check the external models’ outcomes and
make adjustments where appropriate. While more development is required, cyber models
have become more flexible in allowing for more adjustments so that they are more suited
to an insurer’s cyber exposure profile supporting underwriting, actuarial and pricing teams.
Adjustments have included a broad range of parameters, such as the types of events
modeled, changes to the distribution used, and the number of simulations that are carried
out. These allow insurers to benefit from tailored models which are expected to result in more
refined modeling.
As carriers have sought to develop their understanding of the totality of the cyberrisk
market, they have striven to separate attritional cyber losses from systemic or aggregate
cyber, and have tried to differentiate pricing and limits for these two distinctive types
of exposure.
There have been reports of some insurers introducing specific “cat loads” in cyber pricing, in a
similar manner to the property catastrophe space. Probable maximum loss (PML) outcomes can
sometimes be based on “probabilistic including attritional” losses or “probabilistic catastrophe
only.” It is important to see the outcomes of both.
While there might be some level of skepticism about cyber models, it is also recognized
that they have evolved significantly over recent years and are no longer considered a “black
box” exercise. Insurance companies are investing significant time and resources to manage
exposure and price products appropriately. However, cyber remains a relatively new risk
with a limited (albeit growing) history of data and claims experience, in a rapidly changing
digital world. Although these elements are seen to be limitations to the existing models,
insurance companies generally manage their exposures through policy limits and exclusions
where possible.
Carriers and modeling firms are more advanced in quantifying the cyber loss potential and
while there has been some convergence more recently, the outcomes still vary greatly from
one model to another and between different versions of the same model (tied to factors
such as different data and methodologies). In AM Best’s opinion, this highlights the need
for a (re)insurer’s management to have an
independent view of the loss potential and
overlay third-party models with their own
analysis.
AM Best also notes that larger European
(re)insurers with an appetite for cyberrisk
tend to take a more sophisticated approach
compared to smaller market participants
as they tend to have significant in-house
expertise and greater financial resources, in
addition to access to third-party models.
Managing cyber exposures across an
organization may also include stress testing,
both regularly and on an ad hoc basis.
Appropriately conducted stress tests
that consider a company’s risk transfer
mechanisms and exposure management
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
Cyber Cat Bonds Pave Approach to Tech Risks
Investors buy nearly $500 million of cyber-linked ILS. Insurers must keep evolving
as a market to ensure the industry can provide cover for catastrophic events, said
Beazley’s Paul Bantick.
Investors have been taking on tens of millions of dollars of risks tied to computer hackers
targeting big companies, marking a significant investment milestone for this specific class of
insurance-linked securities that is expected to grow rapidly.
“The cyber market is predicted to treble in size over the next four years,” according to a recent
statement by Paul Bantick, Beazley’s global head of cyberrisks who has since been named chief
underwriting officer. “To get there we must keep evolving as a market to ensure we can provide
cover for catastrophic events as demand and risk grows. Catastrophe bonds and the ILS market
are vital to this.”
As of late March, investors purchased nearly $500
million of cyberrisk ILS through four cat bonds via private
placement (144A) and three private placements during a
15-month period, according to a Best’s Market Segment
Report entitled
allow a company to ascertain its balance sheet resilience to cyber events, leading to a
more refined approach to terms and conditions and exclusions. For more extreme stress
testing, a company may combine, for example, a cyber loss with other insurance and
economic-related events. As the companies grow their appetite in cyber, they may also
In addition, there is still only a limited track record of sizable cyber losses or cyber
data. Nonetheless, European (re)insurers can gain comfort from managing cyber through a
Disciplined Deployment of Capital Pays Off
in Record-Breaking Year for ILS
.
Events most likely to threaten the coverage layer can be
generally categorized as cloud network outage, malware
and data theft. Event definitions were designed to be
flexible enough to allow claims caused by other events
such as denial of service attacks, a data breach or cyber
extortion that can disrupt operations or put customer
relationships at risk.
“The successful launch of cyber cat bond means that
investors were comfortable enough with the modeling
to deploy capital,” the AM Best report said. “Assessing
modeling uncertainty remains a challenge. Those
using modeling output to make decisions may benefit
from comparing the output of different models and
understanding the underlying parameters driving the
difference among them.”
consider cyber scenarios in their approach to reverse stress testing.
“catastrophes,” which means that any model outcome is challenging to validate against actual
combination of internal and third-party validations.
Paul Bantick
Beazley
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.
In late 2023, Axis Capital Holdings Ltd. sponsored Long Walk Reinsurance Ltd. at $75 million that
provides several of the company’s subsidiaries with fully collateralized indemnity reinsurance
protection for systemic cyber events on a per-occurrence basis, Axis said in a statement. Issued
by Long Walk Reinsurance Ltd. to investors to support the reinsurance agreement with Axis, the
Series 2024-1 Class A notes mature in January 2026.
Beazley separately completed a $140 million 144A offering, named PoleStar Re Ltd. The Series
2024-1 Class A notes are designed to cover remote probability catastrophic and systemic
events. Structured on an indemnity trigger and per-occurrence basis, the bond runs for a
two-year term through the end of 2025. Beazley also sponsored three private placements
totaling $81.5 million in 2023.
Chubb sponsored East Lane Re VII Ltd. (series 2024-1) at $150 million and Swiss Re sponsored
Matterhorn Re Ltd. (series 2023-1) at $50 million.
“Investor interest in our issuance has been strong and their support is testament to the confidence
they have in our ability to effectively manage cyberrisk,” Bantick said. “Building on the success
of the market’s first cyber catastrophe bond program in 2023, we expect to continue scaling our
presence in the cyber insurance-linked securities market, encouraging others to do the same.”
Investor Confidence
Insurance-linked securities investors showed “tremendous confidence in and acceptance of
Long Walk, the first 144A cyber catastrophe bond, and our cyber underwriting capabilities,”
Peter Vogt, chief financial officer, Axis, said in a statement.
Axis expects Long Walk to provide meaningful support for the growth of the company’s cyber
insurance portfolio, Vogt said. “More broadly, we expect this transaction will serve as a template
that the catastrophe bond market will use to support the availability of cyber insurance capacity
in the years to come,” he said.
The Long Walk transaction was structured and distributed to investors by Aon Securities with risk
analysis provided by CyberCube’s portfolio manager platform.
“This is a notable catastrophe bond transaction, not just for the insurance-linked securities
market, but also for the global cyber insurance market,” Richard Pennay, chief executive officer,
insurance-linked securities, Aon Securities, said in a statement. “It received broad investor
support, and illustrated the catastrophe bond investors’ ability to work with Axis to pioneer a
product that provides meaningful catastrophe-based cyber protection.”
David Pilla
News Editor
Best’s News
Envelop Risk Launches Lloyd’s Cyber
Special-Purpose Arrangement With Apollo
The company said the arrangement is a step toward realizing Envelop’s ambition
to establish a full Lloyd’s syndicate.
Envelop Risk, a U.K.-based insurtech, has launched a Lloyd’s cyber reinsurance special-purpose
arrangement with Apollo Syndicate Management in a step toward fulfilling Envelop’s ambition to
establish a full Lloyd’s syndicate.
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.