Insurers’ cyber tail exposures are potentially very significant, exacerbating risks caused by potential silent exposures and the lack of available and standardised cyber data. It is therefore crucial for insurers to develop comprehensive cyber risk mitigation programmes with appropriate management actions. Common risk mitigation options (including, for example, insurance-linked securities and reinsurance) are, however, not as developed for cyber insurance as for other lines of business, such as natural catastrophe risks.

What can insurers do, then, to manage exposures and demonstrate to their supervisors that they are tackling these challenges? A first step may be to perform a bottom-up review of existing reinsurance programmes to ensure these will respond appropriately and adequately to different types of cyber risks. This will likely require firms with large cyber exposures to perform extensive model back-testing and validation, to ensure, among other things, that they are not transferring uncorrelated risks to the reinsurer while retaining correlated exposures. Firms should also look at the gaps in their risk mitigation programmes and develop strategies to bridge them, either by engaging with their reinsurers or by exploring alternative risk mitigation options.

In our experience, supervisors will evaluate how well insurers are dealing with key risk issues by looking, in part, for ‘positive’ and ‘negative’ indicators of maturity. Engagement at board level is a necessary starting point. Firms could use scenario analysis and carry out, for example, stress tests that explicitly consider the potential for loss aggregation at extreme return periods. This can help insurers develop management actions for severe cyber events, while at the same time demonstrating to supervisory authorities that they are actively trying to understand and mitigate unwanted exposures.

Our recent report on Cyber insurance underwriting explores the issue of cyber tail risk exposures in more depth. It also explores silent cyber risks and the challenges around cyber modelling. We explore key risks and actions for firms, positive and negative indicators that supervisors may look for as they evaluate firms’ maturity in dealing with key cyber risk issues, challenge questions boards can put to their organisation, and a checklist of next steps for firms.