Bermuda insurers see big increases in exposures for cyber worst case scenarios

Bermuda insurance groups would see losses of $9.5 billion in a cyber worst case scenario – almost double the $4.9 billion forecast a year earlier, according to a Bermuda Monetary Authority report.

The BMA also said commercial insurers would see gross losses increase to $7.3 billion from $6.4 billion in a cyber worst case reporting scenario, according to its Cyber Underwriting Report 2022.

The BMA said the vast majority of groups and commercial insurers would meet their enhanced capital requirements in a worst case scenario, but added: “On an individual basis, however, the Authority noted a few commercial insurers who had minimal capital buffers and consequently fell below their target capital levels (120%) post-CWCS.

“These insurers have been notified by their respective supervisory teams and were required to submit a detailed mitigation plan as part of its ongoing supervisory engagement.”

The BMA also said some of its worst case scenario modelling “may not reflect the actual state of the Bermuda market, as many of the companies did not complete the BMA-prescribed stress test section for various reasons” .

The BMA said just 17% of group and Class 4 and Class 3A and 3B companies completed the survey, adding: “As this is only the first year that the BMA implemented this stress test requirement, the market was given the option to complete this section on a voluntary and best-efforts basis. Moreover, a materiality threshold has also been provided to the market to guide the companies on whether or not they are required to complete the section.”

Saying it would engage further with companies which had not completed the stress testing exercise, the BMA added: “The exercise will also become mandatory for those who have met the BMA’s materiality thresholds for next year’s filing.”

The report said Bermuda re/insurers had gross written premium of $4.73 billion in 2021, an increase of 51% on the previous year, while the number of entities including captive insurers writing the class rose from 87 to 97.

However, the number of policies written fell from 300,000 to 200,000 meaning the increase in premiums was due more to rising rates rather than increases in customers.

The majority of gross written premium in Bermuda is written by reinsurers, who accounted for almost $3 billion compared to $1.5 billion for direct insurance and around $33 million for packages.

The single largest number of policies continue to be written for US clients at 45% but worldwide policies rose from 4% in 2020 to 25% in 2021.

The BMA also noted that 80% of gross written premium was written by 13 commercial insurers, although this was twice the number in 2020, when six commercial insurers wrote 80% of GWP.

Commercial insurers’ aggregate incurred losses rose 69% to $1.2 billion, with the largest claims being ransomware, data breach and malware. The average loss ratio was 37%, but direct insurers reported loss ratios of more than 100%, which the BMA said indicated “continuous volatility of cyber lines and the apparent immaturity in loss modelling methodologies at the primary insurance layers”.

The largest individual claim was for about $15 million, but while the single largest claim for data breaches remained consistent at $15.1 million ($15.0 million in 2020), the single largest reinsurance claim for ransomware jumped from $7.2 million to $15.2 million while package policies reported the largest single claim was in malware where it increased tenfold from $1.5 million to $15.1 million.

Paid claims also rose, with the BMA noting that “just a few companies significantly contributed to the aggregate total claims paid. With the continued increase in the size of claims year on year, the Authority continues to emphasise the need for insurers to have robust and integrated risk management structures in place to be able to deal with a catastrophic event.”

Captive insurers had gross written premium in 2021 of $152 million, up from $103 million in 2020, but the BMA noted that although 28 captives wrote cyber policies, just one captive accounted for $60 million of GWP.