Markel’s Castriotta: Cyber war incidents causing physical events top concern for industry

Cyber war incidents amounting to a physical event are among the key risks the industry is “very concerned” about, alongside “collateral damage and the potential uninsurability” of war related to cyber, Markel’s Kelly Castriotta told The Insurer TV.

During a recent interview at Markel’s headquarters in Richmond, Virginia, the global executive underwriting officer for cyber said the industry has had to learn some difficult lessons from what has been unfolding since Russia’s war on Ukraine began in February 2022.

“We are living in an environment right now where we're seeing a real-life war unfold and we are in the position to learn from what has happened, which included some cyber specific attacks by Russia or nation-state actors against Ukraine or its affiliates,” she said.

“The industry very much took notice of how those acts were perpetrated and certain characteristics and attributes of those types of cyber attacks.

“Now, when it comes to coverage for those types of attacks, the industry is very concerned about cyber war leading to a physical event. They're also concerned about collateral damage coming from a cyber event in the course of war and they're concerned about the potential uninsurability of war itself,” she added.

These kinds of concerns ultimately lead back to the quantification question, said Castriotta.

“If the industry can't quantify it, we technically can't insure it,” she said. “This is about really trying to put parameters around the definition of what is considered cyber war, what is considered a collateral attack, what is considered a cyber incident that would have a physical impact upon critical infrastructure of a country. And that's the debate the industry is having right now and trying to work out.”

Uptick in demand

Although cyber risk has been around for several decades now, some markets still lack cyber awareness, and there’s room for further growth.

“There's still an opportunity for a lot more companies to obtain cyber insurance and the product they need,” Castriotta said.

As global cyber threats sharpen, the industry continues to better quantify cyber risk. According to a new report by S&P Global Ratings, annual cyber premiums are set to grow by 25 to 30 percent per year and reach $23bn by 2025.

But the report noted that while the global cyber insurance market has recently returned to profitability following a spate of cyber claims, much of the recent increase in premiums is attributable to substantial rate increases, rather than underlying growth in the size or volume of contracts.

However, Castriotta is confident growth will come from more than just rate.

“Particularly in the US, companies, especially in the past 24 months, have really taken up cyber insurance as a serious risk transfer product and [are] seeing a lot of value in that,” said Castriotta. “And that comes from a lot of things, including the awareness of ransomware, including the geopolitical environment that we currently exist in.”

As part of quantifying risk, Castriotta’s team reviews geographic location, business size, industry class and a firm’s technology stack, including software and cloud providers. A cyber incident’s potential reach and impact on operations is also factored in.

But determining silent or non-affirmative cyber is “trickier”, said Castriotta. It involves overlaying insurance coverages that are not necessarily intended to pick up cyber losses.

“What you would have to do is make a prediction based on coverage that's not intended for that operational incident and try to guess whether there would be recovery under that policy or not,” said Castriotta.

Models can help. But Castriotta considers them just a tool, one that’s fallible.

“There's a tendency to think about models as being right or wrong. And fortunately, or unfortunately, all models are wrong. But there are different stages of maturity, and they give us and our partners insights into potential loss,” she said.

However, as demand for cyber coverage increases, the industry must manage and mitigate another issue: the risk of accumulation.

“When we're looking at modelling and quantifying cyber risk, we're taking into account different accumulation paths of how a cyber incident may matriculate,” she said.

“Managing accumulation of risk has to be a priority for insurance carriers and reinsurance carriers.

“What we look at is different ways cyber incidents can accumulate to lots of losses at the same time. The more diversity you have in your software system and your tech stack system, the less vulnerable you're going to be to an accumulated cyber event,” said Castriotta when it comes to advising clients.

“We rely a lot upon technical experts and how they see accumulation paths forming, how those things are changing. Very similar to weather kinds of models, but these are things that are not necessarily observational from that nat cat point of view, but more from reliance upon typical human behaviour and real or reasonably imagined type of events,” she added.