According to the 2019 Global Cyber Risk Perception Survey by Marsh and Microsoft, it’s estimated that internet-connected devices will number 75 billion by 2025. The report adds that ‘even traditional sectors such as manufacturing expect almost 50 per cent of the products they develop to be “smart” or “connected” in some way by 2020’.
‘New technologies are changing our way of life and integrating into everything we buy,’ says Matthew Honea, director of cybersecurity for Guidewire Cyence.
NEW CYBER RISKS EMERGE FOR INSURERS
A heightened reliance on, and integration of, technology will bring new cyber exposures. Providing proper protection against these ever-evolving dangers also requires responding to silent (or non-affirmative) cyber risks.
Silent cyber exposures are cyber-related events or losses neither explicitly included nor excluded from a policy that was not originally intended to offer cyber coverage.
Paul Merriman, casualty underwriter for Munich Re Australia, says silent cyber risks can be found in almost all classes of insurance.
‘While the most significant losses have been seen in commercial property globally to date, many casualty classes and even personal lines could be affected,’ he says. ‘As long as there is ambiguity in the policy wording around cyber exposures and/or data, there could be silent cyber exposure.’
Michael Parrant, cyber insurance practice leader in Aon’s Cyber Solutions Group, says affected policies often have not taken into account the asset rotation — from tangible to intangible assets — that’s occurred in business over the past two decades.
‘What we’re seeing now … in the property, crime and the general liability insurance policies is this question over whether they are supposed to cover those sorts of exposures or not, and that really comes down to the language that they’ve used being quite broad historically.’
DANGERS FOR (RE)INSURERS AND CUSTOMERS
Failure by insurance players to grapple with silent cyber could potentially be catastrophic.
‘Silent cyber can manifest itself in unforeseen losses that have neither been assessed nor priced for by the underwriter,’ says Merriman. ‘It means that (re)insurers could potentially assume exposure without proper underwriting and accumulation management. Not only for cyber, but in all classes, it is important to consider risks in the underwriting process and achieve risk-adequate prices for the associated exposures, not least to ensure sustainability and solvency in the long term.’
From the customer perspective, ambiguous wordings around cyber and data can lead to contract uncertainty and increase the likelihood of claims disputes.
Merriman also points to the broader concern for the industry around trust and reputation.
‘With increasing regulatory scrutiny and focus on fair treatment, (re)insurers need to work harder than ever to ensure their customers understand the coverage and value of the products they are purchasing.’
Globally, the largest silent cyber losses to date arose from the 2017 NotPetya malware attack, which led to claims under property policies.
‘In some cases, the silent cyber exposure stemmed from ambiguous definitions of electronic data … and in other cases, the explicit agreement to insure electronic data as property, but perhaps without a full appreciation at the time for what this meant for the cyber exposure,’ Merriman explains.
According to Property Claim Services Global Cyber, almost 90 per cent of the total industry loss from NotPetya is attributable to non-affirmative cyber.
TAKING ACTION ON CYBER RISK EXPOSURE
In January 2019, the United Kingdom’s Prudential Regulation Authority (PRA) called on the (re)insurance industry to more prudently manage cyber risk exposures, including silent cyber, requiring it to create action plans containing clear milestones and timeframes for taking action.
Responding to PRA’s direction, Lloyd’s announced that, from 1 January 2020, its underwriters must ensure all first-party property damage policies affirm or exclude cyber cover. Requirements for liability and treaty reinsurance will come into effect in two phases during 2020/21.
‘Other regulatory authorities like the European Insurance and Occupational Pensions Authority in the European Union are beginning to address the issue as well; for example, by introducing a combination of quantitative and qualitative questions on cyber risks in their insurance stress tests,’ says Merriman.
He characterises the industry response to silent cyber in Asia Pacific as ‘mixed’.
‘In some cases, insurers and reinsurers are ahead of the curve and have already completed projects to assess their own exposures and communicate to the market,’ he says. ‘In other cases, there is a lack of awareness and urgency.’
Honea stresses an insurer’s need to thoroughly understand its policies, ‘both past and present’.
‘Language has evolved over time, and we didn’t think about all the risk we have today, say, 10 years ago,’ he says.
‘It’s important to systematically understand policy text. We suggest using an approach of bucketing policies into three types: defined included risk, defined excluded risk, and unknown silent risk.’
Merriman says insurers and reinsurers can address silent cyber by working together to facilitate clarity for all involved, including the customer.
‘If we put ourselves in the customers’ position, they are probably less concerned with which of their policies responds, than having the right cover in place and being able to clearly understand the wording,’ he says. ‘As long as the cyber scenario in question is insurable — and some are not — the most appropriate policy should respond, and customers should not be left with a gap in coverage, especially one they do not understand.
‘If this approach is kept in mind, the objective of cyber exclusions, write backs, endorsements and affirmative coverages is clear. The insurance industry … [and] external cyber experts need to collaborate closely to develop a common understanding of how cyber risks should be dealt with, in order to understand the risk, assess it adequately and therefore make it insurable.’
As with affirmative cyber (where policy language covers or excludes cyber-related losses), Merriman says the challenge for (re)insurers regarding pricing is to build a framework without the benefit of ample historical data.
‘Silent cyber can be considered a risk of change, often a new proximate cause of existing perils,’ he says. ‘Underwriters will need to consider the impact of this risk of change, while maintaining a pragmatic view of the benefits of new technologies that can also lower the exposure rather than amplify it.’
One approach, suggests Merriman, to assess the exposure in the absence of credible claims data could be to explore loss scenarios and their impact on conventional policies. However, he acknowledges this is easier said than done.
‘Many insurers, particularly those that do not participate in the affirmative cyber market, are not readily equipped with the expertise to address their silent cyber exposures without support,’ he says.
Merriman says an industry-wide response to silent cyber will ultimately benefit customers, insurers and reinsurers.
‘The insurance product landscape should ideally jointly address the insureds’ need for cyber coverage and clearly define what is covered and what is not in existing policies,’ he says.