The threats to business, commerce, public services and vital infrastructure from cyber attacks have grown considerably in recent years.
And the risks only look set to escalate further as technological developments such as blockchain, the Internet of Things (IoT), cloud computing, smart grids, biometrics, autonomous cars and intelligent machines bring new, unquantified and largely unknown consequences.
Uncertain, unexpected, unplanned and unprepared are words frequently used by firms to describe their vulnerability to cyber attacks.
In the midst of this rapidly evolving risk environment, insurance carriers are being asked to provide effective and innovative solutions for risks where limited data exists to help them set rates, limits and terms.
They are also facing increasing concerns over systemic cyber risks that bring the potential for huge cascading impacts across multiple classes of business.
Take-up rates for cyber insurance protection are increasing due to enhanced risk awareness and new regulations on data breach reporting requirements.
Major attacks such as NotPetya and WannaCry in 2017 demonstrated how far-reaching impacts can be.
And greater regulatory scrutiny around protecting consumer and user data, and the threat of fines for non-compliance, have led to a noticeable uptick in demand for cyber insurance outside the US.
Specifically, the advent of the General Data Protection Regulation in Europe earlier this year has been a game-changer in how businesses view the threat of data breaches.
Cyber risk has also moved beyond being seen as purely an IT problem, says Erica Davis, Senior Vice-President at JLT Re (North America): “Across the industry there is an increasing awareness of the cyber peril and how extensive it has become.
“This has forced cyber out of the information security vacuum and into the mainstream of business management.
“Previously, this led to cyber being assessed and placed as a product through a single lens. Now it has expanded so businesses take into account reputational risks, property damage and how cyber exposures are converging with other lines of business.”
Businesses are also starting to appreciate how cyber events affect all aspects of their operations, including supply chains, and are looking to the insurance industry to develop viable solutions.
Reasonable solutions for cyber cover
The capabilities of the underwriting community are being stretched now that cyber is increasingly being regarded as a broad-based peril that has the potential to touch every facet of commercial activity.
Indeed, growing demand for cyber cover across all industries and regions is exposing anomalies in terms of exclusions, limits and terms.
This poses crucial questions about where the boundaries lie between different policies and what can be reasonably insured, says Ed Hochberg, CEO of JLT Re in North America: “It is still hard to define what the exposure is. It is constantly changing and evolving.
“The insurance industry’s response is developing as it tries to address the emerging needs. Capacity is still tentative. Cover is still tentative.
“As soon as we have our arms around one thing, a new exposure is introduced. For instance, a cyber event bringing down electricity grids may not have been viewed as a realistic scenario ten years ago.”
Potential attacks on countries’ critical infrastructures illustrate the severity of challenges facing (re)insurers.
While the provider of the critical infrastructure services would be the primary target, the fallout would extend far and wide, with many companies, communities and civilians affected.
With technological interconnectivity becoming increasingly complex, the question of how an event will be covered is taking center stage.
Motivations behind events are also likely to play a role. With state-sponsored cyber warfare now being openly discussed, where are the boundaries between what is insured as a commercial cyber risk and what is a war or terrorism risk?
“The nature of warfare is changing,” says Davis. “It is no longer limited to military forces. Nation state motivated events are increasingly common and cyber warfare has become a real concern.
“This might mean attacks on hard infrastructures, such as energy supplies, but it is now also moving in on softer targets. We are seeing cyber attacks on democratic processes and the media, exposures that impact freedom of speech and the operation of democracy.”
This is an area that the market needs to tackle, says Hochberg: “There is a lack of uniformity and clarity in exclusions and policy language.
“The insurability of a large-scale event, particularly one that is thought to be state-sponsored, comes into question. The positions insurers and reinsurers take on it are not consistently understood.
“One of the problems is that cyber doesn’t conform to the normal viewpoint of war. The distinctions between terror, war and a traditional cyber event are becoming increasingly blurred. It is a recipe for a lot of arguments.”
This debate about the boundaries of cyber policies cuts right across the insurance industry’s efforts to raise awareness of the need for cover and the availability of a growing range of solutions.
Accessing better data on cyber
At the heart of this challenge for the insurance industry is the lack of data, says A.M. Best in a new report [1]: “Cyber risk differs from any other insurance risks owing to a lack of actuarial data, rapid evolution, broad operation scope involving people, processes and technology, and the potential for an active adversary.”
A.M. Best also warns of the impact cyber events can have on covers already in place for which cyber as a peril is not explicitly covered or excluded, also known as silent cyber risk: “The implications of cyber risk for (re)insurers extend beyond the affirmative cyber insurance market.
“Cyber events can also cause silent cyber losses where policies written to protect against other types of losses such as property, D&O and E&O find coverage from an event caused by a cyber peril [not referenced in the policy wordings].”
Accessing better data is a key challenge for insurers, especially when trying to assess how their exposures are aggregating across different classes, agrees Hochberg: “We are continuing to evolve our understanding of aggregation risk.
“We are engaging with clients to get a better view of their aggregations by partnering with modeling firms that have expertise in assessing cyber catastrophe scenarios.
“There isn’t a great deal of robust data so we are using a range of models to get a consolidated view. Obviously, we have to make some assumptions but we can only base it [our modeling] on things we have observed.”
Although the paucity of credible data should not be a surprise as the risks are new and fluid, the need to address this vacuum is urgent as it impacts the crucial decisions insurers make about pricing, capacity deployment and reserving.
Finding better data is therefore a top priority for insurers looking to respond to clients’ demands for comprehensive cyber cover, says Jamie Pocock, Head of Cyber Analytics with JLT Re in London: “It is very hard for carriers to collect all of the data they need.
“The bargaining power is currently with the buyer and their broker rather than with the underwriter. The cyber product is still relatively new. While the underwriting process is being refined, the expectations on data capture are being calibrated.
“As an industry, identifying the proper information to differentiate risks also remains a problem.”
There is also an urgent need to promote a better understanding of cyber risks among clients so that the risks presented to the market are appropriate and insurable, says Hochberg: “Firms will have to come to grips with the risks and risk mitigation. The sooner this happens, the more comfortable the market will be with these exposures.”
The focus on mitigation is vital, agrees Davis: “Robust risk management is a key part of the puzzle so the emphasis becomes risk mitigation rather than risk transfer. A fair amount of this exposure is not yet transferable. Businesses can avoid being a soft target by bringing resiliency and response into focus.”
As well as working with insurers to gather better data, create useful models and bring greater clarity to wordings, JLT Re is also looking further ahead to identify where the additional capacity needed to support insurers underwriting more extensive cyber risks will be found.
The ILS market
Creating models that give reinsurers confidence in the business that is being taken on is one crucial element; working to educate the insurance-linked securities (ILS) market about cyber risks is another.
“This sits comfortably with what the ILS market does well,” says Hochberg. “We will start to develop trigger mechanisms that will enable the ILS market to respond when there are major losses.”
So far, the major ILS providers appear to be playing a waiting game, nervous about the lack of data and claims experience.
Nervousness is to be found elsewhere in the market too.
As more businesses look to the insurance market to protect them, the market is starting to raise warning flags over issues around aggregation and systemic risk.
Anna Maria D’Hulster, Secretary General of The Geneva Association, highlighted some of the key challenges when the association recently launched a major report on the development of cyber insurance [2]: “Expanding the boundaries of insurability is not new for insurers.
“However, cyber risks are taking us into uncharted territory. Both exposures and threats have distinct characteristics, bringing unprecedented challenges.”
Her colleague and report author Daniel Hofmann, Senior Advisor Insurance Economics at The Geneva Association, added: “Exposure bases are hard to define and measure. Historical claims data are scarce and not good predictors. Threats are constantly evolving, can spread widely and rapidly, and a series of consecutive large events is plausible.”
It is not hard to see how this fear of interconnectivity could become a costly, disruptive reality for the insurance sector: the potential to spread malware throughout extensive supply chains, the threat to newer applications of technology such as 3D printing and artificial intelligence, and the use of cloud storage for massive clusters of sensitive data, to name a few.
Much like the cyber insurance market, the risks are growing. They are not tomorrow’s challenges; they are today’s. The insurance industry’s relevance and sustainability are at stake as it strives to find solutions that support global business while not undermining its own carefully crafted business models.
Facing up to the aggregation risk
The Geneva Association report [2] highlights four cyber accumulation risk challenges:
• A single large event or a series of consecutive events may make affirmative cyber insurance unprofitable
• Insurers and reinsurers could underestimate cyber exposures resulting in unplanned shocks from a major event
• Data of insufficient quality for more advanced modeling techniques
• Governments predominantly fail to provide frameworks for the sharing of cyber terrorism-induced losses.
The report is clear on what it sees as the threat posed to the insurance market if it does not take these challenges seriously: “A single major event, or a series of consecutive events, could generate losses large enough to render the market unprofitable, inducing (re)insurers to withdraw.
“It could alternatively induce them to introduce tighter policy terms and in doing so increase the number of exclusions and/or make buy-backs prohibitively expensive. Likewise, underestimation of exposure, especially nonaffirmative, could result in significant, unanticipated losses.”