MMC’s Stransky: Cyber market yet to have “Hurricane Andrew moment”

Although cyber is one of the fastest-growing areas of insurance, Marsh McLennan’s Scott Stransky says the sector has not yet had its market-defining moment in the same way Hurricane Andrew was for property in terms of model development and premium growth.

Speaking to The Insurer TV, Stransky, managing director and head of Marsh McLennan’s Cyber Risk Intelligence Center, said that while there have been a “few significant events”, citing the MOVEit attack as an example, “we haven't seen the big event for cyber yet”.

“If you think about natural catastrophes, Hurricane Andrew hit South Florida in 1992, and that changed property insurance really forever. Before that people weren't quite so concerned with hurricanes. They weren't necessarily even doing modelling of hurricanes, but after Hurricane Andrew, people began to model natural disasters, and really include the modelling in their risk practices,” Stransky explained.

“Now for cyber, models do exist, but our fear is that the big one is going to happen. We don't necessarily know what the big one is going to look like yet, but our view is that companies really need to start the modelling before the big one happens.”

As for what this “big event” might look like, Stransky said it could be “very scary” when it happens.

“It could be a major cloud failing for a few weeks. It could be a power grid failure. It could be critical infrastructure, like a dam gets hacked or a water supply system, or an offshore platform could get hacked,” he said.

Discussing the difference between what the industry might term a “big event” and what it might define as a “black swan event”, Stransky said he believes the latter will come when a cyber event “bleeds into the real world”.

“I think one of the biggest unknowns is in the physical world where cyber bleeds over into the real world,” he said.

“Whether smart vehicles get attacked or critical infrastructure – pipelines, oil, transportation, shipping, cargo, that type of stuff – when cyber bleeds over into the real world, I think that's when we're going to see one of these really bad black swans, unfortunately.”

Cyber premiums to reach ~$14bn per year

According to Marsh McLennan data, cyber premiums are expected to reach $14bn, with the lion’s share originating from the US at around $9bn.

The dramatic increase in data breaches and ransomware attacks presents a tough learning curve for the affected companies, but Stransky said it has also increased the amount of cyber data available. That information is vital to cyber teams and has drastically improved cyber risk models, making them much more detailed.

“One example of that is we can now specifically quantify the impact of various cyber controls,” he explained.

“Before, everybody would say multi-factor authentication. Super important. Everybody needs it. That's all they said. Now we can say, here's the impact of having multi-factor authentication. If you don't have MFA, you're this many times more likely to have a cyber incident than if you have it properly configured,” said Stransky.

Stransky’s team builds and utilises multiple in-house models. In addition to helping firms safeguard against cyber attacks, he said models can also reduce premiums.

“If they're doing the best practices, we know how much that will reduce the risk, therefore the premiums should be lower,” said Stransky.

And while models have come a long way in the past decade, Stransky stressed that they’re best used as benchmarks, taken together with expert judgement and opinion. He agreed with the assessment of British statistician George Box, who is often credited with the famous quote, “All models are wrong, but some are useful.”

“George Box is absolutely correct,” said Stransky.

“Our models are never going to be perfect. If you run a single risk through it and it says there's a 60 percent chance this company will have a cyber attack and you run it for a number of years, it’s never going to be exactly 60 percent. But that’s not the point of the models.”

The point of models, Stransky explained, is to give companies a view of potential risk. And while they are just one tool, firms not using them do so at their peril, according to Stransky.

“I think if you’re not running models, you’re actually not seeing the whole story and you’re going to miss something,” he added.