Morley Speed, Managing Director
Technological progress and the accumulation of assets have not only stimulated the development of insurance products; they have in turn been nurtured by the availability of these offerings.
It is no coincidence that the origins of insurance lie in the marine class, where the financing of ships and trade is among the earliest examples of investment in technology and assets.
Successive waves of technological progress have stimulated the development of corresponding insurance specialties - not just products, but also risk management. These new “things of value” may have provided some challenges, but ultimately the (re)insurance industry has provided for the “Insurance of Things.”
Today, the (re)insurance industry faces its greatest technological challenge yet. Can the Insurance of Things develop to insure the so-called “Industrial Internet of Things”?
We are experiencing a fourth industrial revolution, based on the “Internet of Things” combined with inter-connected machines and people. This Industrial Internet of Things is also known as “The Smart Factory,” or simply “Industry 4.0.”
According to the CRO Forum (1): “This new mode of production is characterized by the merger of the material and virtual worlds in ‘cyber-physical production systems.’”
Cyber is now a much reported topic and is usually classified between “affirmative cover” within specific cyber policies (up to now, largely concerned with data breach) and “silent” cover, which is essentially the first party losses arising from cyber perils within mainstream P&C lines, predominantly property damage and business interruption (BI).
This so-called “silent” exposure is the subject of the Lloyd’s “Business Blackout” scenario, which pointed to an ultimate potential insured loss of between USD 21.4 billion and USD 71.1 billion (2).
This article examines coverage issues arising from Industry 4.0 first party exposures. Fundamentally, it is about how the insurance industry is dealing with the merger of the material and virtual worlds. It does not address first party data breach issues.
Broadly speaking, the material world is covered by the property line and the virtual world by the cyber line. However, the demarcation is not absolutely clear, resulting in some overlaps in cover but also, more worryingly, some gaps in cover.
The matrix below shows how the four types of subject matter (columns A-D) are generally covered by direct policies, relative to the various types of cyber and property perils (rows 1-5). Where cover is predominantly provided by property or cyber, the relevant icon is shown in blue. Where there is a degree of ambiguity, or coverage is limited, the icon is shown in gray.
Clearly, this is a schematic simplification, but generally it would appear that coverage is fairly clearly assigned in columns A, B and C, as follows:
- A - Predominantly in the virtual world and covered by cyber
- B - Falls within the province of property
- C - Naturally follows B as this is for BI following B
The instances outlined in column D capture the complexities, particularly with respect to property.
Business Interruption Following Non-Physical Damage
Column D outlines the areas in which cyber insurance would be expected to operate. However, to date, the cover has focused on data breaches rather than BI arising from disruption of industrial control systems.
The reliance of the industrial and commercial sectors on cyber technology, most notably in the context of Industry 4.0, suggests this is an area of significant opportunity for (re)insurers.
Although cyber would seem to be the logical destination for this exposure, there is the severe practical difficulty of monetary capacity. There are very few cyber limits above USD 500 million, whereas this is not an exceptional figure for corporate property.
As a consequence, non-physical damage BI is finding its way into property policies, although it is recognized as generally being for sub-limits well below USD 500 million. However, even a sub-limit of USD 50 million would represent a significant cyber limit and would certainly require significantly more underwriting information, and probably premium as well.
However, property cover is usually restricted to targeted malicious cyberattacks, whereas a cyber policy would give much broader cover for disruption of control systems.
The key strategic question is: where will non-physical damage BI end up - within cyber or property?
To a large extent the answer will depend on reinsurers’ risk appetite and requirements to control cyber exposures, particularly aggregation. However, it will also involve a realization by property underwriters that original clients buying BI cover do not necessarily make the distinction between the material and the virtual worlds.
In response to this exciting challenge, Guy Carpenter has established a joint initiative with Symantec, combining relevant and credible data with both traditional modelling approaches and innovative ones, such as application of the cyber “Kill-Chain” methodology.
It remains to be seen how the (re)insurance industry will align its capacity for Industry 4.0, but it is already clear that there will be increasing and sustained demand for such capacity in the future.
1. The Smart Factory - Risk Management Perspectives - CRO Forum, November 2015.
2. Business Blackout: The Insurance Implications of a Cyber Attack on the US Power Grid. Lloyd’s Emerging Risks Report 2015.