In recent years, companies have become more vulnerable to cyber attacks. These can cause significant damage and threaten the financial sector. To exchange and discuss cyber risks as a possible systemic risk, the ILB’s interdisciplinary research programme FaIR (Finance and Insurance Reloaded), together with several partners (ACPR, AEFR, Institute of Actuaries), organised a webinar, which took place on 7 December.

With the digitalisation of the economy, cyber attacks are becoming more frequent and costly. By 2020, losses from cybercrime have been estimated at $1 trillion, or more than 1% of global GDP. The European Systemic Risk Board recently characterised cyber security as a systemic risk to Europe’s financial system. But despite these growing concerns, cyber risks have limited coverage by the insurance sector and there is a need to develop micro and macro prudential regulations. The challenges are very significant. The first is related to the lack of data on the occurrence of cyber attacks, which limits the possibilities of accurately quantifying the risks and developing probabilistic pricing. A second challenge concerns the insurability of cyber risks by the insurance industry,” said Marie Brière, Head of the Investor Research Centre at Amundi and Scientific Director of the interdisciplinary Finance and Insurance Reloaded programme, by way of introduction.

 

Cyber risks affect stock market performance

Following this background, Hélène Rey, Professor at the London Business School, presented her latest research paper on the subject, entitled “The Anatomy of Cyber Risk”. This work – co-authored with two other researchers, Rustam Jamilov and Ahmed Tahoun – was motivated by several factors: the constant and growing exposure of companies to cyber risks, the attention and concern of macroprudential authorities on this issue, the lack of knowledge on these risks due to the absence of obligation to report them, and the underestimation of cyber risks.

The researchers analysed the content of the exchanges made during the quarterly results presentations of 12,000 listed companies in 80 countries over a 20-year period. Using textual analysis with algorithms containing certain keywords, they categorised and contextualised each type of discussion on cyber risks to determine whether it was positive or negative. And the results of this work are clear: “Exposure to cyber risks is growing fast. During quarterly results presentations, discussions on this subject have increased fivefold in 15 years,” Hélène Rey pointed out.

Moreover, in the sample studied, the targets most at risk are “large companies with liquid securities and a large proportion of intangible assets“, the researcher said. The sectors most affected are industry and services, but the financial sector, especially insurers, is increasingly affected by cyber attacks. What about the effect on stock market performance? “Companies affected by cyber attacks suffer a drop in their share price, which is passed on to companies in the same sector,” observed Hélène Rey, who has not found any stock market contagion to other sectors. More generally, this scientific work – which will continue – concludes that the total systemic impact induced by cyber risks is underestimated.

 

 

Cyber risks can accumulate

After Hélène Rey’s presentation, the webinar continued with presentations by Caroline Hillairet, professor at ENSAE Paris, and Olivier Lopez, professor at Sorbonne University, who are also scientific leaders of the Cyber Insurance risk: actuarial modeling research programme. “Cyber attacks can take different forms and generate huge losses on various targets (countries, companies, individuals). Cyber risk is increasing sharply in France: reports of ransomware to ANSSI (the French national agency for information systems security) have tripled between 2019 and 2020,” said Caroline Hillairet, who warned of the dangers of cyber risks for the mutualisation principle of the insurance sector. To make matters worse, the Association pour le Management des Risques et des Assurances de l’Entreprise (AMRAE) published a report in May 2021 entitled “LUmière sur la CYberassurance – LUCY“, which confirms the increase in cyber claims suffered by French companies covered by cyber insurance between 2019 and 2020. Over this period, the volume of premiums jumped by 49% and the loss ratio reached 167% in 2020, compared to 84% the previous year. These are high figures, which affect the profitability of insurers. The two researchers then presented part of their work on the risk of cyber claims accumulation for the insurance sector. Without going into too much technical detail, they developed contagion models, based on the Hawkes process, including network effects to quantify the risk of cyber loss accumulation, which could weaken insurance players. “With these models, we can classify and identify the riskiest sectors, quantify the peak of claims to determine the number of policyholders requiring technical assistance, diversify the risks contained in insurers’ portfolios and identify the benefits of protection,” explained Olivier Lopez.

Finally, the webinar ended with a roundtable discussion entitled “The Challenges of Measuring, Insuring and Regulating Cyber-risks“, moderated by Aimé Lachapelle (Managing Partner, Emerton Data) with the following speakers: Philippe Cotelle (Head of Cyber-Insurance Management, AMRAE), Caroline Hillairet (ENSAE-CREST), Olivier Lopez (Sorbonne University), Olivier Meilland (Deputy Director, Cross-functional and specialised supervision, ACPR), Luc Vignancour (International Underwriter Cyber and Executive Risks, BEAZLEY Group).

 

To watch the replay of this event, click here.