The problem of silent cyber risk accumulation

February 25, 2020

Silent cyber presents a number of problems for the insurance market, but arguably the most significant one is that of risk accumulation. Risk accumulation for cyber as a line of business is already an issue for insurers and reinsurers. However, it is potentially dwarfed by that of cyber as a peril across multiple lines.

In a world that is increasingly reliant on digital technology, it is hard to think of a line of business that is not impacted in some way by cyber as a peril. To put this in context, Munich Re recently assessed that cyber as a line of business currently accounts for around $6 billion (U.S.) in premium worldwide. That is around 0.2% of worldwide non-life premium that is now approaching $3 trillion, according to Swiss Re.

Leaving aside cyber as a specific line of business, cyber as a peril in other lines is sometimes underwritten and priced by insurers, but more often it is not. This is partly because most policy forms were written in the pre-digital era and have not been updated to specifically address emerging exposures arising out of the use of digital technology. This leads to a huge grey area where cyber coverage may be available under policies that were not originally designed for this exposure – so-called “silent cyber” coverage.

For example, under property forms, does data constitute “property”, and does a malware attack that governments attribute to a state actor, but which occurs outside any declared war, trigger the War Exclusion? The nine-figure Merck and Mondelez coverage disputes arising out of the 2017 NotPetya malware attack reveal how costly this grey area can be.

The NotPetya attack illustrates another cyber-related problem: accumulation risk. Property Claims Services (PCS) estimates the economic loss from NotPetya at $10 billion and the insured loss at more than $3 billion. NotPetya reached a number of high-profile commercial entities because one of its initial propagation vectors was a trojanised update to a piece of business accounting software, M.E.Doc, used by companies trading in Ukraine; once inside a network it spread laterally on its own. It came hot on the heels of WannaCry, a broader malware attack that impacted over 250,000 end users in more than 150 countries. Both worms spread using the same exploit for a Windows SMBv1 vulnerability that had been patched months earlier, which is how a single unpatched weakness drove two global events within weeks. Neither attack was considered major compared with other potential downside cyber loss events, but together they emphasise two important points:

  • NotPetya shows how large individual losses can be in a cyber event.
  • WannaCry shows how widespread those individual losses can be.

Both NotPetya and WannaCry reveal that cyber does not respect geographical boundaries which makes it potentially the most threatening accumulation exposure there is. Accumulation exposure is limited by geography for natural catastrophe perils such as hurricanes or man-made catastrophe perils such as terrorist bombs. Cyber as a peril, on the other hand, has no geographical constraints – the whole world is one cyber cat zone. This makes the scale of accumulation exposure presented by silent cyber a potentially massive issue and one that is occupying multiple insurer and reinsurer stakeholders, including regulators, rating agencies, boards of directors and senior management.

Market responses to address silent cyber

The problems presented by silent cyber risk accumulation have been known for some time. As long ago as November 2016, before WannaCry and NotPetya, the Prudential Regulation Authority (PRA), the UK regulator responsible for insurance, published a consultation paper that proved prescient and warned: “It is the PRA’s view that the potential for a significant ‘silent’ cyber insurance loss is increasing with time. As both ‘silent’ cyber insurance awareness and the frequency of cyber attacks grow, so does the potential from ‘silent’ cyber exposures. Insurance firms may find it increasingly challenging to argue that all risks or other liability policies did not intend to cover this type of risk given the publicity and awareness of the issue.”

Other regulators and the rating agencies have been less vocal about the issue and, until recently, efforts to address silent cyber have been limited. Some insurers, most notably in the specialty mutual sector, updated their policies in the mid-2010s to provide clarity of coverage on cyber. But movement elsewhere has been sporadic, at least until recently. Lloyd’s, ISO and individual insurers crafted their own exclusions that have been applied for a number of years to varying degrees on individual lines of business, and cyber sub-limits have been applied as another way to limit exposure. However, in a competitive market environment, most insurers have been reluctant to be first movers for fear of losing business to competitors.

This started to change when Allianz became the first commercial insurer to adopt a broad-scale approach to addressing silent cyber. In November 2018, its Global Corporate and Specialty unit announced that it would update its coverage during 2019 to provide clarity: physical damage and bodily injury arising from cyber events would generally continue to be covered under corporate, commercial and specialty policies, whereas cyber-related “pure financial loss” without physical damage or injury would be covered under specific cyber policies only.

Other insurers have started to follow suit. In a follow-up to its earlier statements on silent cyber, the PRA sent a January 2019 letter to insurers requiring them to develop an action plan to reduce exposure to silent cyber by mid-year, with clear milestones and dates by which action would be taken. In response, in July 2019, Lloyd’s announced that “all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.” Lloyd’s made clear that this requirement applied to all first-party property damage policies (including cargo, marine war and marine hull) incepting on or after 1 January 2020, with liability and treaty reinsurance policies to follow in phases through 2020 and 2021.

In September 2019, AIG added its voice and stated that property and casualty policies globally should be clear about the cyber coverage they provide. “For the most part, across the industry, typical P&C policies have not been written to adequately deal with cyber exposure,” said Tracie Grella, Global Head of Cyber Insurance. As a response, the company announced a shift to affirmative cyber coverages and exclusions.

Other insurers have started to follow the lead of Allianz, AIG and Lloyd’s, indicating a growing momentum among insurers to address the issue, at least in some commercial lines of business. But there is still a long way to go. It takes a lot to achieve clarity on $3 trillion of non-life premium across multiple lines. For the time being at least, the jury is out on how effective the measures will be to clarify coverage for silent cyber.

In the meantime, cyber exposures continue to grow. Worldwide spending on public cloud services is projected to increase to $331 billion in 2022, up from $182 billion in 2018, according to Gartner, the research firm. The number of Internet of Things (IoT) devices doubled from 15 billion to 30 billion between 2015 and 2020 and is expected to grow to 75 billion by 2025, based on research by Statista. This explosive growth in the use of digital technology has significant exposure implications for commercial insurers as well as personal lines insurers of homes and autos. It is therefore in the interest of the insurance industry to be clear on how its policies address these exposures before a major cyber event forces its hand.

Efforts to quantify cyber exposure

Insurers and third-party modeling firms have made considerable efforts to quantify and price individual cyber risks, but they are constrained by a relative lack of claims data and by loss patterns that shift as technology evolves and as attackers and their techniques adapt. Five years ago, data breach was widely seen as the main cause of cyber loss. Then business interruption became the leading concern. More recently it has been ransomware. In an October 2019 interview, Jeremy Barnett of insurer Tokio Marine HCC said, “We have seen a 6x increase in ransomware attacks over the last four years, and that’s mostly small business, and the costs of responding to those ransomware attacks are up almost tenfold over the last two years.” Keeping models current enough to price individual cyber risks in such a rapidly evolving claims environment is a major challenge.

The challenges increase again when it comes to accumulation modeling. To date, there have only been a handful of relatively small cyber catastrophe events. In the absence of data, determining the potential scale of such an event requires a large element of judgment. Counter-factual analysis (taking actual events and projecting how bad they might have been) and scenario testing are used by insurers, reinsurers and modeling firms to define realistic worst-case cyber catastrophe events, ranging from a major cloud outage or a large-scale malware attack to the exploitation of a vulnerability in widely embedded software. Modelers sometimes produce a range of outcomes for these and other cyber catastrophe scenarios in order to build a probability distribution of cyber losses. With little claims data to go on, though, such work remains rudimentary. It is a bit like trying to predict the economic cost of a hurricane on Miami with no information about previous hurricanes and only a few random regional tornadoes to go on.

The challenges increase still further when it comes to accumulation modeling for silent cyber. Aggregate exposures can be tracked for cyber as a line of business, but this tracking is extremely difficult to do for cyber exposure in other lines. Are all policy limits deemed to be exposed, or does this vary by line of business based on individual loss scenarios? What about policies with exclusions and sub-limits? How do you establish appropriate probable maximum losses across a whole book of business for loss events when there is no precedent? It’s also difficult for insurers to sense-check modeled results for silent cyber against actual claims experience because this is not generally recorded. Finally, the courts present a wild card. As illustrated by the Merck and Mondelez cases, ultimately the courts will determine the extent of coverage under non-affirmative wordings and the level of protection provided by policy exclusions.
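The scenario-based accumulation approach sketched in the two paragraphs above (a scenario footprint, a range of severities, and the open questions about which limits are exposed, how sub-limits and exclusions bite, and whether a court will hold a silent policy to respond) can be made concrete with a small Monte Carlo model. The following Python is an added example written for this page; it is not the article's, Willis Re's or any vendor's model. The book of policies, the scenario footprint, the severity range and the probability that a silent policy is found to respond are all constructed assumptions chosen for illustration.

```python
"""Toy silent-cyber accumulation model across a multi-line book.

Added example, not from the article or from Willis Re. Every number below
(policies, limits, sectors, footprint, severity, "silent pays") is a
constructed assumption, not market data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Policy:
    policy_id: str
    line: str                  # line of business the policy sits in
    limit: float               # policy limit
    cyber: str                 # "affirmative", "silent" or "excluded"
    sector: str                # decides whether a scenario's footprint hits the insured
    cyber_sublimit: Optional[float] = None  # sub-limit that applies to cyber losses, if any


# Constructed book: hypothetical policy ids, limits and sectors.
BOOK: List[Policy] = [
    Policy("C-001", "cyber", 5e6, "affirmative", "manufacturing"),
    Policy("P-001", "property", 50e6, "silent", "manufacturing"),
    Policy("P-002", "property", 20e6, "excluded", "pharma"),
    Policy("P-003", "property", 30e6, "silent", "pharma", cyber_sublimit=2e6),
    Policy("L-001", "liability", 10e6, "silent", "other"),
    Policy("M-001", "marine", 15e6, "excluded", "other"),
]

# Constructed scenario in the rough shape of a self-propagating malware outbreak:
#   footprint   - probability that an insured in the sector is hit at all
#   severity    - fraction of the exposed limit lost, drawn uniformly
#   silent_pays - probability a silent policy is ultimately held to respond
MALWARE_OUTBREAK = {
    "footprint": {"manufacturing": 0.6, "pharma": 0.5, "other": 0.2},
    "severity": (0.1, 0.5),
    "silent_pays": 0.5,
}


def exposed_limit(p: Policy) -> float:
    """Limit treated as exposed to cyber: nil if excluded, capped by any sub-limit."""
    if p.cyber == "excluded":
        return 0.0
    if p.cyber_sublimit is not None:
        return min(p.limit, p.cyber_sublimit)
    return p.limit


def aggregate_exposure(book: List[Policy]) -> Dict[str, float]:
    """Exposed limit summed by cyber status; the silent bucket is the one that is
    hard to see when policies are not tagged and claims are not coded as cyber."""
    totals = {"affirmative": 0.0, "silent": 0.0, "excluded": 0.0}
    for p in book:
        totals[p.cyber] += exposed_limit(p)
    return totals


def simulate_event(book: List[Policy], scenario: dict, rng: random.Random) -> float:
    """One realisation of the scenario's insured loss across the whole book."""
    lo, hi = scenario["severity"]
    loss = 0.0
    for p in book:
        if rng.random() >= scenario["footprint"].get(p.sector, 0.0):
            continue  # insured not inside the event footprint
        if p.cyber == "silent" and rng.random() >= scenario["silent_pays"]:
            continue  # coverage dispute resolved against the policyholder
        loss += rng.uniform(lo, hi) * exposed_limit(p)
    return loss


def loss_distribution(book: List[Policy], scenario: dict,
                      n: int = 20000, seed: int = 2020) -> List[float]:
    """Monte Carlo loss distribution for the scenario, sorted ascending."""
    rng = random.Random(seed)
    return sorted(simulate_event(book, scenario, rng) for _ in range(n))


def percentile(sorted_losses: List[float], q: float) -> float:
    """Empirical q-quantile, e.g. q=0.99 for a 1-in-100 scenario loss."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def clarify_book(book: List[Policy], exclude: bool = True) -> List[Policy]:
    """Apply a clarification of the Lloyd's kind: every silent policy becomes either
    an exclusion or an affirmative grant capped at a constructed 1m sub-limit."""
    out = []
    for p in book:
        if p.cyber != "silent":
            out.append(p)
        elif exclude:
            out.append(Policy(p.policy_id, p.line, p.limit, "excluded", p.sector))
        else:
            cap = min(1e6, p.cyber_sublimit) if p.cyber_sublimit else 1e6
            out.append(Policy(p.policy_id, p.line, p.limit, "affirmative", p.sector, cap))
    return out


if __name__ == "__main__":
    for label, book in [("silent book", BOOK),
                        ("clarified: excluded", clarify_book(BOOK)),
                        ("clarified: sub-limited", clarify_book(BOOK, exclude=False))]:
        losses = loss_distribution(book, MALWARE_OUTBREAK)
        print(f"{label:24s} exposure={aggregate_exposure(book)} "
              f"mean={sum(losses) / len(losses):,.0f} p99={percentile(losses, 0.99):,.0f}")
```

Running the script prints, for the untouched book and for two clarified versions of it, the exposed limit by cyber status alongside the mean and 1-in-100 scenario loss. The point it makes is the one the article makes in words: with silent policies left in the book, the 1-in-100 loss is driven almost entirely by a single large property limit whose response is decided by a coin flip in court, and the modeller's answer moves sharply with the "silent pays" assumption; once those policies are either excluded or given an affirmative sub-limit, the tail is bounded by numbers the insurer actually chose.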

Notwithstanding these challenges, insurers, reinsurers and modeling firms are making efforts to apply assumptions and to extend their cyber accumulation models and internal analyses and come up with silent cyber loss estimates under different catastrophe scenarios. These can be sense-checked against market share and other simple measures to come up with downside loss estimates that can then be evaluated against individual company risk appetites. This at least provides the basis for a risk management framework, and a number of insurers have taken advantage of risk transfer solutions where the level of assessed downside exposure exceeds their appetite for risk.

Willis Re has devised and executed a number of risk transfer solutions for silent cyber. Results of the company’s Silent Cyber Survey have also been used to parameterize a silent cyber module for its cyber accumulation model. This model incorporates both probabilistic and deterministic components and provides another reference point against which clients can calibrate an estimate for their downside exposure to both affirmative and silent cyber losses.

Looking ahead

Over time, silent cyber coverage will become affirmative and specifically priced cyber coverage, either by way of separate coverage grants or sub-limits under traditional insurance lines of business or under standalone cyber policies. The proactive approach taken by major carriers and insurance markets such as Allianz, AIG and Lloyd’s over the past year indicates there is a growing momentum to do this. However, silent cyber represents a deeply pervasive issue that will require an extensive shift in approach if clarity of coverage is to be achieved more broadly across the market.

Given the current weight of capital in the insurance market, it may ultimately take a large-scale catastrophic cyber event impacting multiple lines of business to force a wholescale change in market thinking. Many cyber experts see such an event as not if but when. At that point, we may well see regulators, rating agencies and insurers acting in concert, as exposures are excluded from other lines and premiums for cyber as a line of business increase dramatically beyond even today’s impressive growth projections. This is also likely to require increasing capital market involvement in risk transfer solutions for cyber given the scale of exposures involved. In the interim, increasing levels of data and more sophisticated modeling will be deployed in the industry to help insurers and reinsurers better assess the opportunities presented by cyber as a line of business and the threats posed by cyber as a peril.
