Trumpeting a message that he conceded might be different from peers, Stefan Golling, a member of Munich Re’s Board of Management, said that Munich Re remains bullish on the cyber insurance and reinsurance markets.
In fact, “if insurers and reinsurers shy away from the cyber market, they will not survive,” said Golling, Munich Re board member for Global Clients/North America, during the European reinsurer’s virtual Rendez-Vous presentation.
He noted media reports of a hardening cyber insurance market, reduced available capacity and narrower carrier and reinsurer appetites for cyber risk. Those shouldn’t scare insurers and reinsurers away, Golling said.
“If we want to remain relevant in this industry, relevant for our clients, then we need to find solutions for cyber. And we will,” he said. “We are here to stay in the cyber insurance market,” he said.
In 2020, Munich Re wrote $850 million in cyber premiums, with roughly half of the total in primary insurance and half in reinsurance, Golling said. His presentation pointed out that Munich Re wrote only about $150 million in cyber insurance and reinsurance six years earlier, in 2014. Golling reported that Munich Re’s cyber premium volume is set to soar past the $1 billion mark in 2021 (with the split remaining 50 percent primary vs. reinsurance).
“We have more than 130 colleagues at work on this. We have collected millions of data points… We have developed specific coverages for specific market segments—personal lines, small SMEs, mid-market, or larger industrial accounts. And of course we need to control our accumulation risk,” he said.
“We focus on primary insurance and reinsurance in a similar way. We want to be very close to the business,” he said, explaining why Munich Re participates in the primary cyber insurance market. “On the reinsurance side, we focused on proportional reinsurance. We need to see the trends, the data firsthand. If we would only learn every 10, every 20 years, from a cyber hurricane, then presumably that wouldn’t be good for us,” he said.
Golling and Munich Re are not blind to the emerging cyber losses that have fueled a hardening market and competitors’ increased wariness about providing coverage. In fact, Golling, citing research figures from publisher Cybersecurity Ventures, noted that global economic losses from cyber crime amounted to $6 trillion in 2021—double the $3 trillion figure registered in 2015, and projected to balloon to more than $10 trillion by 2025.
Referring to one component of the jumps—ransomware losses—Golling said that while only $20 billion of the $6 trillion is attributed to ransomware, the trend in ransomware losses from 2015 to 2021 actually increased by more than 50 times. The $20 billion of economic losses for ransomware, he said, is more than “the size of the cyber insurance market for the next couple of years.”
“The economy really needs more cyber resilience, needs more investments in cybersecurity, and more cyber insurance. We need to increase the density of cyber insurance,” he said.
The Value of Cyber Insurance
At one point during his presentation, Golling referred to the idea advanced by some critics of the cyber insurance market suggesting that the insurance industry, by insuring ransom payments, is fueling the increase in such attacks. “It is important to note that we do not only insure the ransom payments under cyber insurance [policies], but we especially also respond with our cyber insurance products to business interruption losses to recover costs [and] to potential liability questions that come with ransomware attacks.”
“I would even argue [that] cyber insurance is presumably one of the biggest levers to reduce the consequences of ransomware attacks,” he said, explaining that buyers of cyber insurance have to fulfill some basic cybersecurity requirements in order to secure coverage. “So, with the starting point of purchasing cyber insurance, usually you first become more resilient, and this should decrease the overall frequency in ransomware losses,” he said, adding that cyber insurance comes wrapped up with post-incident services that come into play in the event of an attack. Such services, he said, help buyers reduce the severity in case of loss.
While Golling affirmed that the ransomware trend is a clear challenge for the insurance industry, he added that such challenges have been “mastered many times in other classes of business” by insurers who refine their risk appetites, introduce deductibles and adjust limits of coverage. “So [it is] nothing that should be a major concern for us.”
“You cannot blindly underwrite a cyber risk. Then you will fail,” he said.
“The cyber insurance market will stay and we, as Munich Re, want to stay as one of the cyber market leaders, and especially as an opinion leader in this important segment for the future. We want to be the preferred partner for our reinsurance clients in this field of business,” he emphasized.
Beyond Ransomware: Uninsurable Cyber Wars
Golling clearly differentiated between insurable ransomware risks, systemic cyber risks and cyber wars, noting that the private insurance market cannot tackle the last two categories alone.
“Everybody accepts that the risk like war cannot be covered by the private market, and can only be possibly covered by state-backed pool solutions,” Golling said.
He argued the same is true for cyber attacks on critical infrastructure.
“The failure of the Internet, the failure of telecommunication networks, the failure of power grids after cyber attacks…cannot be insured by the private insurance market because the accumulation will be by far too big,” he said, noting that this idea is also widely accepted. “But the topic of cyber war is presumably not addressed enough yet.”
Golling added: “Is there a common understanding—is there an industry alignment about what constitutes actually a cyber war? How would our policies respond to a cyber war event, or an event that someone calls cyber war, some would maybe argue it’s not?”
Drawing from lessons of the global pandemic, Golling warned that the industry needs to be crystal clear about what is covered and what is not. “Wording ambiguity is what we have to avoid by all means. We cannot risk again, like maybe last year that we have a situation where our customers have the belief that they are covered, and the insurance industry, we have the firm belief that such systemic risk was excluded.”
He concluded: “Let me emphasize, we need to have clear wordings in place, and we need to develop government-backed pool solutions, private-public partnerships for systemic risks also in cyber—and not just after the first big event, but beforehand.”
Unique Coverage: Insuring AI
Systemic risks aside, Munich Re is willing to offer unique coverage in the world of cybersecurity, as evidenced by a policy written for a company called Deep Instinct, which describes itself as a leader in deep learning-based cybersecurity that detects cyber attacks in milliseconds, preventing them from causing harm.
In March, Deep Instinct announced that it would back its service with a performance guarantee that ensures an incredibly low false positive rate, alongside a ransomware warranty that it said was “three times higher than any other cybersecurity company—up to $3 million per company for a single breach.” (“With dramatically lower levels of false positive alerts, security teams can be much more efficient,” Deep Instinct said, explaining the performance guarantee component of the coverage.)
The Deep Instinct guarantee and warranty are backed by an insurance policy purchased from the Munich Re Group, which carried out extensive due diligence on Deep Instinct’s technology. The policy is an example of a product line that Munich Re refers to as aiSure for startups using artificial intelligence.
Fabian Winter, Head of Data and Analytics at Munich Re, spoke about the entire class of aiSure products, without specifically referring to the Deep Instinct example, during a presentation following Golling at the Rendez-Vous event last week.
“Munich Re has started to protect AI startups from an underperformance of the promised solution. To do this, Munich Re has to understand all relevant data and AI risk within the solution being offered. This builds trust, lowers POC [proof-of-concept] times and enables startups to grow faster,” he said, highlighting expertise that Munich Re has built in data and analytics.
According to Munich Re’s media statement, in addition to writing the aiSure policies to guarantee the performance of algorithms, Munich Re provides advice to AI providers in designing their performance guarantees, relieves them of significant balance-sheet risks and thus makes them more attractive to investors and clients relying on the performance of algorithms.
Winter also spoke about other data and analytics initiatives, including Munich Re’s work on an Insurance Analytics Platform that enables insurers to collate their own data with sector-specific external data provided by Munich Re. “Using far greater and more relevant data volumes provides the basis for enhanced portfolio management and smarter decision-making—from distribution and pricing to claims handling,” he said.
In addition, he mentioned work that Munich Re is doing with leading academic research institutions such as the German Research Centre for Artificial Intelligence, and the reinsurer’s participation in a recently established Quantum Technology & Application Consortium (QUTAC), together with nine leading German corporations, which aims to identify future applications of quantum computing. Quantum computing, he said, will enable Munich Re and other companies to execute new AI use cases, adding that it will also come with new risks. (Editor’s Note: Some reports about quantum computing in recent years have raised concerns about potential cybersecurity threats.)