As businesses, both large and small, throughout all sectors of industry, become more and more reliant on technology to improve service efficiencies and functionalities, cyber risk has become one of the most pressing public topics addressed in corporate boardrooms and by governments across the globe. The corresponding awareness of a business’s susceptibility to a cyber-attack has grown along with a spate of high-profile attacks. Consequently, cyber risk is now an embedded feature of the global risk landscape, not only as a privacy/network liability, which is where much of the publicity has arisen, but also as a peril affecting traditional insurance lines. Therefore, prevention and post-event remediation are gaining importance as shareholders, regulators and rating agencies increasingly focus on enterprise risk management activities for cyber risks.
Insurance is an important piece of the strategy for helping businesses address these risks. However, ascertaining the true level of cover for any given cyber-risk scenario can be a challenging exercise because of the differences in how insurers grant the coverage, how insureds view cyber coverage in their traditional forms, and how the policy responds. For example, the security breach of personal information and resulting notification requirements are being addressed via a rapidly growing privacy and network security insurance marketplace.
Concerning traditional property and liability insurance products, which may not have contemplated covering cyber as a peril or loss cause, it is often unclear whether there is coverage. As a result, cyber losses can be explicitly excluded where coverage is not intended to be granted. Discrete coverage can then be added via endorsement or through a separate cyber policy, commercial general liability being an example.
In the property market, there is also confusion about whether a cyber-attack causing physical loss should be covered. The exposure could be significant and could expand beyond just physical damage and include business interruption or contingent business interruption if production or supply lines are disrupted as a result of a specific cyber-attack.
As greater understanding of the cyber peril is gained, a chief concern for (re)insurers is risk aggregation. Unlike traditional property insurance where aggregation is monitored by physical locations, insurers are exposed to the possibility of a single attack or a series of attacks either against multiple insureds or a single insured (such as a cloud provider) that could lead to substantial losses across multiple geographies. While a large systemic risk has not yet materialized, it does not mean the risk is not present. The challenging part is that there is limited history and lack of data for this emerging exposure, which makes it difficult for insurers to measure cyber risk and calculate capital needs.
This creates opportunity for the reinsurance marketplace. Reinsurers’ raison d’être is to quantify and protect insurers from catastrophic exposure. The use and development of cyber models will be a crucial step for both insurers and reinsurers in the identification of cyber exposures, but several challenges exist:
- What is the potential size of a loss?
  - This has been largely addressed in many property models. Instead of faulty wiring causing a fire, assume the short in the wire was caused by a cyber breach. The resulting fire is the same value regardless.
- What is the likelihood of an event occurring?
  - This is the more difficult part to quantify. There is greater understanding of the number of breaches because many jurisdictions require notices, but property losses caused by a cyber-attack are not as well known.
- What is the inter-connectedness of companies in the cyber space?
  - Different industries may use the same underlying technology platform, so an attack on one system may impact another system in a completely different company that was unknown previously.
In efforts to quantify these potential losses, much of the industry continues to rely on multiple models and actuarial approaches that encompass model applications, probable maximum loss estimates, realistic disaster scenarios, and experience and exposure ratings to create a broad set of scenarios and deterministic views. These methods do not utilize the probabilistic methodologies so frequently used in the property marketplace. For example, applications can identify and quantify emerging “aggregating” exposure concentrations, but do not include an element of how often those concentrations could be impacted by an event.
Guy Carpenter has developed tools and solutions to help our clients better understand, manage and quantify their cyber risks, with the goal of turning them into opportunities for growth. By understanding the potentials for loss and developing an approach to deal with the peril, insurers may be in a position to implement risk management strategies that allow for continued growth of cyber risk solutions.