Thomas Herde, Head of Casualty Specialty, Asia Pacific
The script of the global cyber insurance market is still mainly being written in the United States. Approximately 85 percent of global cyber insurance premiums of between USD 2.5 and 3.5 billion are generated in the United States. The take-up rate for this line of business in Asia is still relatively low, but the Japan market has been experiencing steady growth in the last 24 months, according to Thomas Herde, Head of Casualty Specialty, Asia Pacific, Guy Carpenter.
At this point, many Asian commercial insurance buyers do not seem to be aware of the immediate benefit of purchasing cyber insurance.
“Developments in two areas may change those perceptions: one is anticipation of increased exposure to legal developments at home and abroad; for example, the European General Data Protection Regulation, in force since May 2018, applies to non-European Union (EU) companies that store and/or process personal data of EU citizens; and the second is cognizance of the fact that a country border will not stop a cyber virus from traveling through networks,” Herde says. These changes will undoubtedly move the topic up on the priority list in board meetings.
“Not every insurer in Asia wants to allocate resources and expertise to the development of its own cyber product,” he added. “Instead, it may be able to enter into a co-operative agreement with a so-called ‘White Label’ or ‘Turnkey’ cyber carrier who will provide product, rating and claim handling expertise/services along with access to the carrier’s world-wide emergency incident response service. Other insurers may prefer to develop their own products and will seek the proper sales channels and strategy to increase client awareness of their offering.”
As with any new insurance product, insurers can market cyber as part of an “offensive” or “defensive” strategy, Herde explained. “The offensive strategy is achieved by combining an effort to grow a new line of business with gaining a foothold over an incumbent competitor’s service and product. The defensive strategy protects existing business relationships by offering cyber coverages without seeking a dominant role in that line of business in the short term. Companies pursuing the latter strategy often prefer the ‘White Label’ solution.”
He continued: “Regardless of whether an insurer offers ‘affirmative’ cyber cover, it will likely be exposed to ‘silent’ cyber, also known as ‘unintended’ or ‘non-affirmative’ cyber (instances in which a property and casualty policy is triggered where (a) cyber perils are not explicitly included or excluded; (b) ambiguous exclusionary language is included; or (c) insuring agreements are satisfied, however, the insurer did not price for or contemplate loss scenarios emanating from a cyber peril/threat). For instance, every directors and officers or professional indemnity policy will carry cyber-related exposure based on the policy’s coverage for management’s decisions and professional standard of care.”
NotPetya, the large-scale cyber-attack, demonstrated that business interruption resulting in a significant loss-of-profit does not necessarily have to be the outcome of a natural catastrophe event or a fire in a factory compound.
Accumulation risk arises when a number of individual risks are correlated (for example, geographically), so that a single event may affect many or all of the risks simultaneously. The question of how insurers can control their cyber accumulation risk needs to be addressed.
“The capabilities to model silent cyber have been very limited,” he says. “Some cyber models have no or only a small number of silent scenarios incorporated. Others are also limited in terms of scope of coverage – they do not capture the business interruption element that is arguably a critical component. Therefore, most insurers evaluate their silent cyber exposure by way of scenario; for example, Lloyd’s Business Blackout Scenario. The situation on the affirmative side is more positive; various tools exist and insurers use these models for their portfolio steering and accumulation control.”
“At Guy Carpenter,” he concludes, “we are actively assisting our clients in managing their cyber accumulation (affirmative and silent) and in defining and securing the best risk transfer solution. Guy Carpenter’s strategic relationship with CyberCube Analytics has produced the industry’s first cyber risk modeling platform with an inside-out view of cyber risk exposure. Guy Carpenter is committed to delivering innovative cyber reinsurance solutions to its clients.”