Cyber Review: Understating risk in an evolving threat landscape

26 March 2019

JESSICA TURTURRO – Assistant Vice President, JLT Re, New York, NY

Significant 2018 Events

This past November, Marriott revealed a cyber attack that potentially compromised the records of as many as 400 million customers. The breach involved a Starwood properties guest reservation database, and the attacker(s) may have gained access as early as 2014. The nature of the event, leaking of credentials, had cyber security experts originally suspecting this was a result of a phishing attack or an inside job (i.e., someone with knowledge of the Marriott technology stack). However, late in 2018, multiple media outlets reported that the attack was part of a Chinese intelligence-gathering mission and that the attackers were suspected of working on behalf of the country’s government-sanctioned civilian spy agency. It has been reported that both health insurers and security clearance files of millions more Americans were hacked as part of this larger effort.

The Starwood breach has been designated as a ‘PCS Global Cyber event’ due to the high expectations of meaningful insurance and potential reinsurance market loss. As such, PCS will be monitoring losses, analyzing related claims, and reporting to subscribers of the firm’s massive data feed. Sources suggest that Marriott’s insurance tower of US$350 million of stand-alone cyber coverage is likely to be exhausted. Though the 2018 breach response costs have only been estimated at US$100-150 million, the balance will likely fund the results of class actions and other collateral costs.

Figure 1: Malicious attacks have been on the rise in recent years, overtaking accidental breach as a key driver of cyber loss. (Source: GDAPHOTO via © 2018 The Associated Press)

In December 2018, Facebook revealed that private photos of up to 6.8 million users were exposed to unauthorized applications from a breach that occurred in mid-September, undiscovered until September 25 – coincidentally the same day that the company admitted that 29-50 million accounts were hacked during that same timeframe. As reported by Trans Re, the Irish Data Protection Commission is questioning possible violations of the General Data Protection Regulation (GDPR) related to this breach. The GDPR can invoke penalties of up to 4% of annual worldwide revenue for such a breach, and in the case of the social media conglomerate, it could mean up to US$1.6 billion in fines. Facebook stock dropped 7.25% on December 19 as the scale of the attacks became publicly known, for a total stock loss YTD of roughly 24%. (Source: Global Cyber Newsletter 4Q2018, Trans Re)

Figure 2: Widespread impact of WannaCry ransomware. (Source:

At the close of 2018 we saw a continued uptick in both the frequency and severity of cyber losses, as we have year over year. The major attacks of 2017 demonstrated how scarily far-reaching impacts can be, as the malware attacks of NotPetya and WannaCry caused roughly 300,000 infections in over 150 countries. Though these events were global in nature, the insurance product adoption is roughly 35% and driven predominantly by a U.S. market. So, while little insured loss was incurred, economic loss from WannaCry ranged from US$1-8 billion – enough to garner the re/insurance industry’s attention. As a result, cyber coverage purchase continues to rise and is expected to grow aggressively over the next three years.

What drives the dichotomy between economic loss and insured loss in the major cyber attacks of 2017?

Figure 3: Frequent drivers of the difference between economic loss and insured loss as a result of cyber attacks, particularly during those of 2017. (Source: JLT Re)

Cyber threats to business and infrastructure have also grown quite considerably in recent years. The risk continues to heighten as technological advances like blockchain, the Internet of Things (IoT), cloud computing, smart grids, biometrics, autonomous cars, and intelligent machines bring new and largely unknown consequences. Combined with a sensitive geopolitical climate, increasing global interconnectedness, and heavy dependence on technology, cyber threats create a dynamically evolving risk landscape and the re/insurance community is tasked with keeping pace and trying to understand and manage a constantly evolving, complex peril.

Evolution of cyber risk for the re/insurance industry

Since the genesis of cyber products, the insurance sector has come far in tackling many of the initial challenges faced. While the industry may be more comfortable now than it was a decade ago with respect to identifying the threats, quantifying exposure, pricing premiums, understanding policy language and seeking secure capacity, the changing risk landscape of cyber has morphed existing challenges into new obstacles in need of further consideration and more sophisticated analysis.

Figure 4: Some of the challenges faced by the cyber re/insurance market. (Source: JLT Re)

Where is the greatest source of risk?

Just five years ago, the potential alone for a large data breach was of paramount concern given the relative newness of the product and little loss experience. The U.S. cyber market has now grown to about US$5 billion, with a roughly 25% increase annually. Now that the industry has reached a large enough scale to absorb an individual, isolated shock loss like that of Marriott, the real danger comes in the aggregation of risk as threats evolve. A malware attack or cloud outage can disrupt a business’ operations – but more concerning is that a single attack, if large enough, can affect many systems across multiple lines and sectors, incapacitating more than just one victim. A major systemic event, with the size and scope of an attack like WannaCry in 2017, has the potential for thousands or more of simultaneous claims – creating shock losses to a point at which solvency issues can become a reality for insurers and reinsurers.

The hurdle of individual risk selection becomes almost meaningless when faced with the possibility of a collection of unrelated exposures being vulnerable to a single incident. Anticipating the systemic cyber risk present in a seemingly uncorrelated book of business becomes a new challenge to face – calling for even better data quality and more advanced modeling techniques – when such risk is already so hard to quantify.

Has isolation risk gone away? Not entirely…

While the newer development of aggregation risk is emerging as a primary concern for both insurance and reinsurance underwriters alike, we cannot ignore existing individual cyber risks. With the cyber insurance industry’s consistent growth, the breadth and scope of the product also continues to evolve. Factor in the dynamic threat environment, and it’s easy to see why insurers are constantly looking for new avenues to underwrite, assess and benchmark cyber risk.

That said, the growing awareness of systemic exposure means the re/insurance industry is focusing much more on how particular subsets of their portfolio may be impacted by a large scale event.

While the exposure to an isolated event or cyber attack has not dissipated, the most pressing concern for those bearing risk is exposure to loss aggregation.

What are the ramifications to the re/insurance industry?

Many cyber coverage options began largely as endorsements. The popularity of standalone policies continues to grow as the products become more mainstream and expanded coverage is desired. Policy wording consistency has dramatically improved over time but as new cyber threats are discovered, the industry uncovers new loss mechanisms and policy language must keep pace. As the market signals concern over issues like systemic risk and accumulation, we may see a need for improved contract clarity and an evolving underwriting process.

In recent years, traditional policy language has been tested by unforeseen ‘silent’ cyber losses. What is defined and covered in a typical policy may be unclear – ‘affirmative’ versus ‘silent’ cyber. Affirmative cyber policies explicitly protect against loss due to a direct cyber breach as stated in the contract. Non-affirmative, or silent, cyber can threaten policies written to protect against other types of losses, such as property, D&O and E&O, when coverage is found for an event whose underlying cause is a cyber peril that is not referenced in the policy wording. Coverage for silent cyber exposure may also be found in ‘all risks’ policies, when a policy is without an explicit exclusion, or when gaps in current exclusion wording allow liability-driven cyber losses to be covered.

Figure 5: Key cyber terms defined. (Source: JLT Re)

By and large, the ramifications on the industry are still developing. Take-up rates for cyber insurance protection are increasing due to enhanced risk awareness. A recent study by Partner Re and Advisen surveyed 340 re/insurance professionals globally, who placed the popularity of cyber events in the news as the number one reason why cyber insurance products are being bought. Notably, recent regulations for data breach reporting requirements, together with greater regulatory scrutiny around protecting consumer and user data, were another key driver of cyber product sales identified in the Partner Re/Advisen report (Figure 6). Additionally, the threat of fines for non-compliance – like what Facebook may see following their recently announced breaches – has led to a noticeable uptick in demand for cyber insurance products outside the U.S., as reported in JLT Re’s Autumn 2018 Risk Perspective.

Figure 6: Key drivers of cyber product sales according to a study by Partner Re/Advisen, surveying 340 re/insurance professionals globally. (Source: PartnerRe and Advisen, 2018 Survey of Cyber Insurance Market Trends)

Re/insurance carriers are being tasked to provide effective and innovative answers to cyber exposure management where limited data exists to help set rates, limits and terms as risks escalate and new and unprecedented challenges arise. Sustainability is paramount for solvency, and the industry’s response is developing as it addresses the emerging needs of the rapidly evolving cyber risk. JLT Re is committed to providing insight and crafting innovative solutions to support global business in this currently fluid risk landscape.