Tesco Bank’s £16m fine for its cyberbreach shows how the regulators are now truly baring their teeth on punishing cybersecurity failures.

Financial and reputation damage from cyber attacks, therefore, are beginning to come with painful price tags (in fact the Tesco Bank fine could have been as high as £30m until the FCA was convinced the bank had responded swiftly to the attack).

This and other incidents, like the British Airways hack, are making the case for UK businesses to buy cyber insurance as part of wider strategy of cybersecurity prevention and damage limitation.

So, as more organisations buy cyber insurance and make major claims after breaches, what is the potential exposure for insurers?

In the depth of our long hot summer, ratings agency AM Best released some interesting research that used some of our risk forecasting technology to run cyber catastrophe stress tests on the biggest insurers who write cyber insurance policies.

The findings were fascinating.

AM Best modelled cyber catastrophes, including a cloud service provider interruption and a mass security vulnerability, to estimate the gross losses for cyber insurance providers in a future, more mature cyber insurance market in 2022. The stress tests suggested a cyber catastrophe could generate meaningful to significant gross losses for three of the top 20 cyber insurance providers in 2016, ranging from 15% to 119% of these companies’ estimated 2022 policyholder surplus at the 1 in 200s year event level.

The stress tests were focused on US insurers only so some might say it is not applicable to Europe. However, 90 percent of cyber insurance premium is written for US companies with a significant portion being written in the London market. New regulatory scrutiny in the EU, Brazil and across Asia will only assist the non-U.S. cyber market to continue to grow, and as cyberattacks do not respect national boundaries, the risks are potentially everywhere.

The AM Best modeling exercise is another contribution to the greater understanding insurers need to foster around cyber insurance risks and will certainly help as they develop their products and processes in this field.  While the report adds to the debate about how the insurance industry can grow its cyber business it does not provide conclusive answers to how the market for cyber insurance will operate in the future. That is still evolving, but it is clear that cyber risk management and protection present a major opportunity for the insurance industry.

As I have written already, cyber risks are unlike the typical catastrophic risks that insurers have dealt with before. Understanding cyber risks is about assessing and correlating a complex soup of human and technology factors.  This is difficult to do, although advances in data analytics and data science are making the task easier. What is more, rising demand for protection, tougher regulatory crack-downs, and how insurers develop analytical skills and capabilities, will drive the development of a successful cyber insurance industry.