Welcome to the sixth edition of Strategically Thinking, a periodical presentation of original research and analysis by JLT Re's global Strategic Advisory team.
The true costs of "cyber-events"
Like you, we are tired of hearing of the "opportunities of cyber" at each and every insurance industry event over the last five years. Related catchphrases that make our collective stomachs turn include "the Internet of Things (IoT)", "digitization of business", "big data" and "disruption." The ubiquity and misuse of these terms have stripped them of all meaning, if they ever had any at their coining.
While we are awash in marketing nonsense, however, the liability exposures introduced and exacerbated by our ever more inter-connected world are real. Malicious actors, including activists, hostile governments, terrorists and criminals of all stripes today have greater and easier access to valuable information than ever before. Attacks come in many forms and are constantly evolving in their sophistication to overcome often inadequate safeguards.
The annual global cost of "cyber", or computer- and internet-related, crime is steadily approaching a trillion dollars, including estimates of economic and reputational losses that generally went uninsured. Additional costs borne by society in the form of identity theft, loss of confidence and costs of security are difficult to quantify but are clearly high. On the company level, JLT Re's holistic measure of Franchise Value incorporates exposures to losses, probable reputational damage, and the potential loss of market or fundamental valuation among other factors to calculate the true costs of these man-made exposures. In our estimation, many (re)insureds are presently exposed to potentially crippling losses from hacks, viruses, leaks and theft of information.
Exponential growth in our use of new computer and internet-related technologies is rapidly changing the way we do business. Transactions are faster than ever, and nearly every aspect of the buyer-seller interaction produces data that is analyzed to inform marketing, pricing, distribution, and, in our industry, claims settlement. All of this activity, including the immense number of connected devices, may contribute to efficiency gains, but also opens doors to potential intruders and creates new liability exposures. Further, the inter-connectedness of these activities and devices heightens the probability of contagion and large aggregate losses when breaches, thefts and attacks occur.
Bad actors as varied as their motivations
Any organization, big or small, has "cyber" loss exposures if they or their suppliers, contractors or partners use the internet or computers. Events range in scale and complexity from amateur phishing attempts and employees misplacing devices that contain or are connected to sensitive data, to large-scale, sophisticated and targeted attacks of extortion and even acts of war or terror intended to damage infrastructure and weaken political opponents. Increasingly sophisticated criminals tend to target industries with the most valuable data, including healthcare, retail and financial services companies. Small businesses in these industries are hit more frequently as they tend to have old or inadequate security and can often provide access to larger targets. For example, criminals infamously breached Target's (no pun intended) network security in 2013 by first gaining access to the systems of a small HVAC contractor.
Source: Identity Theft Resource Center [1]
We have seen numerous large-scale attacks in recent years from cyber terrorists against companies like Sony and Microsoft, as well as infrastructure attacks against Ukraine and North Korea. The massive ransomware attack on Atlanta at the end of March 2018 continues to resonate as city officials struggle to replace or work around lost files, while the global "WannaCry" and "NotPetya" attacks in June 2017 shut down many critical computer systems around the world with the intent of mass disruption, rather than profit. These are unprecedented events that may preface even bigger and bolder attacks.
The costs are not limited to fines and penalties
Regardless of the motivations of the attacker or the means of attack, all cyber events are expensive for the victims. Once an event occurs, the affected organization is often on the hook for a laundry list of expenses including forensic investigation, notification costs, credit & identity monitoring, public relations expenses, legal fees and fines, in addition to costs to belatedly improve security. In aggregate, these costs can be crippling, particularly for small businesses and non-profits. Notification costs alone can be around USD 50 per notice, though this may vary based on regulatory requirements. Failure to properly and promptly notify all affected parties can result in (additional) litigation for negligence. A 2017 study conducted by IBM and the Ponemon Institute [2] found the global average cost of a data breach was USD 3.62mn, and USD 7.35mn in the U.S. By industry, the highest per-capita cost was the healthcare industry at USD 380, followed by financial services at USD 245.
Beyond the economic costs, an affected organization may suffer significant reputational damage, particularly if there is a perception that the incident was handled poorly. This reputational damage may be directly reflected in the market valuation of publicly-traded companies, but may be less obvious for privately-held firms and public entities. The impact of these "hidden" costs on affected organizations often outstrips the reported loss by mid to high single-digit multiples. Using publicly-traded companies to illustrate, we can see that, for example, FedEx suffered an estimated franchise value loss of USD 2.4bn as a direct result of the company's reported net losses from the 2017 "NotPetya" attack of USD 300mn. This franchise value impact was eight times the reported loss.
Similarly, Equifax announced expected costs of USD 439mn related to their 2017 data breach. While this alone is a staggering amount, the long-term impact to franchise value was over USD 3.0bn after the share price plummeted as a result of the announcement (about 7x the reported loss). This loss of franchise value negatively impacts companies' costs of capital, creditworthiness and market position, and these economics hold generally true in other recent examples, including Merck, Target, Sony, Yahoo, and eBay.
Value of Cover
Given the amplification of franchise value impact relative to incurred loss from internet security breaches, insurance for these exposures looks to be a highly-efficient form of risk-financing and an invaluable part of a company's capital structure. Happily, many (re)insurers are, at this point, ready and willing to lend their balance sheet for this task.
Per the Insurance Information Institute, annual premiums for cyber liability coverage have grown from about USD 1bn to USD 3.25bn over the past five years, including a sharp 35% increase in 2016 [3]. Over 130 carriers are now writing the coverage worldwide, hoping to take advantage of relatively low accident year loss ratios (46.9% in 2016 per A.M. Best). While take-up rates have been increasing, overall market penetration is still very low, especially outside the U.S.
For (re)insurers, the market opportunity looks promising, but opportunity is what you make of it. The swiftly-evolving nature of cyber liability exposures means that underwriting quality is a critical element of success in this line.
We have here touched on stand-alone cyber liability coverage that can be provided by (re)insurers, but perhaps the greater exposure to (re)insureds comes in the form of "silent" coverage. As the nature of "events" and exposures has evolved rapidly, and malicious attacks in particular have increased considerably in frequency and severity, policy forms have generally not kept up. Many forms written only a few years ago do not explicitly exclude or cover losses from cyber events, leaving coverage issues potentially up to the courts. As it is not uncommon for legacy forms to be reused year after year, we expect many insurers to continue providing silent (and largely uncompensated) coverage for many years, until they see losses emerging under their Property, K&R and Management Liability policies. Courts have often ruled in favor of the insured in these cases, resulting in unanticipated losses. In an ongoing example, drug manufacturer Merck was one of the hardest hit from the 2017 "NotPetya" attack. The company's cyber insurance program responded first, but was inadequate relative to the severity of the loss. Merck's management therefore, as good stewards of their shareholders' capital, are looking to recover part of their business interruption losses under their property insurance policies. The final outcome remains in the balance, but it's probable that Merck's insurers will pay much more than they bargained for, even if only in the form of extensive loss-adjustment expenses.
Proper coverage with strong (re)insurance partners can protect your organization from impending legal fees, business interruption losses, fines & penalties, forensic investigation and PR expenses, notification costs, third party liability claims, and potential franchise value impairment. Cyber liability (re)insurance is available at relatively low price points, although price per million (re)insured varies significantly based on industry class and exposure. It is also important to note that standard cyber liability policies do not exist, and not every carrier willing to lend its balance sheet has the necessary levels of expertise to help you manage large-scale loss events.
If you are in doubt about your coverage and need a partner to help you manage your risks, JLT Re has dedicated, global teams of cyber liability risk professionals waiting to help.
1. Identity Theft Resource Center, Annual Data Breach Reports (2005-2017) https://www.idtheftcenter.org/Data-Breaches/
2. 2017 Cost of Data Breach Study. IBM. Ponemon Institute LLC. June 2017.
3. 2017 Insurance Fact Book. New York, NY. Insurance Information Institute. 2017. https://www.iii.org/sites/default/files/docs/pdf/insurance_factbook_2017.pdf