One year after the reinsurer’s CEO said it was still bearish on reinsuring cyber risk, Swiss Re has evolved its view of it, according to the reinsurer’s group chief underwriting officer, Edi Schmid
Closing the protection gap has been a consistent call to arms for Swiss Re, but cyber risk is one emerging exposure upon which the reinsurer has previously been reluctant to commit to reinsuring. The global reinsurance firm remains under-weight on cyber risk, but its attitude is changing, according to Swiss Re’s group chief underwriting officer, Edi Schmid speaking to Global Reinsurance.
“It’s fair to say we have evolved our approach,” Schmid told GR. “We have made significant progress particularly to manage accumulation and, in the meantime, we engage capacity with many clients.”
This is not a turnaround, but more of a gradual evolution. “We still remain of the view that, of course, this is a risk that has its challenges. This emerging risk is constantly evolving,” said Schmid. “We don’t want to go into it foolishly. We want to help establish a sustainable cyber insurance market.”
Schmid acknowledged that cyber risk forms represents a societal challenge, for which the re/insurance sector should play its traditional role. “We clearly recognise this is a big issue for society, for economies and for our clients. It’s a risk we need to insure,” he said.
“That’s why we engage with our stakeholders, we develop solutions, and we make significant capacity available, particularly where cyber relates to other risks and lines of business we already know well,” Schmid continued.
Swiss Re takes a long-term view of cyber risk, he explained.
“The world is becoming more and more digitised, so clearly this is a big issue for small businesses, big firms and governments. We have progressed quite a bit over the past few years. And as we have put controls around accumulation risk, we are becoming more comfortable with it.”
Schmid said for providing reinsurance capacity, Swiss Re runs scenarios to quantify what could be the loss of a certain cyber event, such as a malware attack, that affects many companies. The scenarios Swiss Re runs encompass the so-called “silent cyber” exposure already residing within reinsurers’ traditional books, as well as standalone cyber exposures specifically taken on.
“We are providing reinsurance capacity. We work with insurance companies; we help them bring cyber cover to their clients; we may advise them on how to capture accumulation; and we bring some capacity to that. We point out we need to stay on top of accumulation control, so that we do not run an unmanaged risk,” he said.
Building up data is going to be crucial to make up for a lack of historical cyber risk data. This is still a relatively new risk changing rapidly in its scope and characteristics as technology also continues to advance.
“Clearly more data will improve the understanding of the risk. But to draw a parallel with climate risk and hurricane activity, the risk tomorrow may be different from the risk today. The reason why cyber is
more challenging is in the completely different speed at which changes take place. Perhaps new technologies will create new vulnerability, so it’s a risk where you continuously need to update your view,” Schmid said.
Schmid noted that while cyber-attacks can differ wildly in their frequency and severity, accumulation risk could represent a cyber catastrophe event or something approaching a systemic risk. It is this concern about accumulation which keeps Swiss Re’s evolving approach to cyber cautious.
“You have smaller cyber reaches and things happening with a very high frequency that you would not categorise as a catastrophe risk,” said Schmid.
“However, there’s this catastrophic element to cyber when the accumulation is so widespread and lacks geographical boundaries. The increased connectivity of IT systems to the web and moving things to the cloud creates scenarios for certain events affecting hundreds of thousands or maybe millions of computer systems of companies around the world.”