Guy Carpenter recently published its Cyber Year in Brief and 2020 Outlook, which takes a look back at the prevailing cyber-related trends of 2019.
1. Silent cyber (or “non-affirmative cyber”) risks carry the potential to inject an additional degree of uncertainty into non-cyber policy underwriting. Despite ongoing intent clarification across the industry, an increase in kidnap & ransom, general liability, crime and property loss notifications related to cyber events occurred in 2019.
2. There was a reassessment of whether cyber war exclusions were fit for purpose. The uncertainty of the cyber risk landscape for other lines of business increased when (re)insurers invoked the War Exclusion clause following cyber-related events. Companies writing cyber insurance policies received unfair press coverage and certain policy holders claimed that insurance companies denied coverage on cyber events, when the events in question actually fell under non-cyber insurance policies.
3. When a large cyber breach occurs, it is not unusual to see a corresponding directors and officers (D&O) claim, as was the case for Marriott International Corporation following the breach of Starwood Hotel’s guest reservation system. The breach allowed hackers to steal the personal data of 383 million guests. In another example, FedEx was hit with a securities suit after shareholders alleged that the company did not fully disclose the extent of NotPetya-related disruptions in 2017. Insurers and reinsurers are managing their aggregate exposures to multiple policies from one event, and the underwriting of cyber and D&O is becoming more aligned.
4. The cyber vendor landscape has continued to evolve throughout 2019. All of the major model vendors have released model updates that incorporate a variety of new data sources. In response to feedback from their customers, the vendors included changes in model features. These developments highlight how industry participants, as they grow, are melding their understanding of cyber risk and the rationale for how it should be quantified. Data vendors also continue to play a role throughout the (re)insurance process by helping to streamline underwriting and modeling efforts across the board. There has also been a shifting focus towards identifying and quantifying cyber risk in non-cyber lines of business as vendors iterate on existing scenarios and create working groups to find solutions to this problem in 2020 and beyond.