Is the Incident Response Pool deep enough for a major cyber accumulation event, and will third-party providers be able to fulfill their contractual obligations?

Large cyber insurance carriers, reinsurers, and managing general agents (MGAs) in particular have started to build in-house cyber security and incident response capacities to handle some of their claims. Besides the obvious economic motivation of cutting out the proverbial middlemen, the growing in-house capacities offer insurers and reinsurers more insight into the ever-evolving and still elusive cyber risk.

Regardless of whether in-house capacity is available, carriers employ, and are looking to expand, a third-party provider network that offers ample capacity for tech-related incident response functions and other necessary services, such as lawyers and PR consultants.

The providers are usually contracted, often after a short “test” case, with a framework agreement that establishes prices via a rate card for many standard services. In addition, the framework agreement guarantees the principal delivery of services within a certain time period (for example, 6-24 hours for remote jobs, 48-72 hours for on-premise services) and often in a given capacity (e.g. 5 FTE), if not unlimited.

While cyber accumulation and possible catastrophe scenarios are usually viewed from a financial portfolio perspective, e.g., by analyzing the reserving capital necessary to fulfill regulatory requirements, an interesting angle arises when looking at the likely massive spike in demand for third-party incident response, cyber security, legal and other claims services.

While organizing “burst capacity” is aligned with carriers' organic motivation to build an extensive third-party network, we suspect that the same might not apply to many providers themselves. We have, of course, not yet seen a “cyber hurricane” that has had a massive impact on cyber insurance portfolios and could give us an accurate view of how deep the incident response pool actually is. Still, there are several factors that might prove problematic for third-party providers of all disciplines:

  1. Major incident response firms are likely to have framework agreements with many major cyber insurers. , e.g., found that five IR firms (Crypsis, Kivu, Charles River, Ankura, Kroll) in its analyzed sample of service providers are contracted by at least 14 of the top 20 cyber insurers, judging from the publicly available information the carriers themselves put out. In case of a major event, it is likely that a single provider will be contracted by several carriers.
Figure from Woods & Böhme 2021
  1. While major providers might be able to handle the increased demand in terms of raw manpower, the diverse nature of incident response services could lead to shortages in specific skills. For example, a provider might have enough technical all-rounders, but there might not be enough ISO 27001 auditors, APT threat analysis, Citrix clients, or other skills required. This drawback will likely be even more severe for law firms, where a cyber incident at a subsidiary of a multinational company might require legal responses in several countries with localized legal jurisdictions.
  1. The Big Four accounting firms and other large professional service networks that have sizeable cyber security, incident response, and law practices might possess the necessary global capacity to respond to many claims, but their structure might in practice lead to internal resource and incentive conflicts that could prevent the effective deployment of these resources during a large-scale event.

A recent paper by provides an interesting approach to answer this question. The authors analyze a global ransomware attack scenario, modeled with a network approach akin to , and its effect on cyber insurance portfolios and the necessary incident response services.

The proposed framework for estimating the impact on cyber portfolios is modular, i.e., the effect on a hypothetical cyber insurance portfolio(s) can be derived from any global risk scenario, regardless of the underlying damages caused by either non-contagious data breaches or a contagious ransomware attack.

Figure from Hillairet & Lopez 2021

In a sample parametrization, the authors found that as many as 2.5% of the insureds in a 10,000-policy portfolio might require immediate assistance in an accumulation event. Extrapolating this ratio to the roughly 3 to 4 million cyber policies currently in force in the US, the resulting 75,000 to 100,000 firms that would require claims assistance will likely pose a problem for many carriers and their third-party provider networks.

While the exact damages and the number of policyholders requiring assistance are of course highly dependent on the exact type of attack and the makeup of the insurance portfolios, the results of the sample simulations yield other important insights regarding the incentives of carriers. An insufficient response time to incidents can not only increase the losses, but also further increase the absolute and peak demand for incident response services in later periods.

While we will only see how deep the pool is when a potential accumulation event comes, it would be wise for carriers, as well as their third-party providers, to carefully review their contracts and obligations.


Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.