The business community is evaluating risk through a transformed lens, in light of COVID-19. The (re)insurance sector is also identifying the lessons learned about unforeseen aggregated exposure. The systemic nature of both affirmative and silent cyber risk has long been one of its most defining, and challenging, characteristics, according to Guy Carpenter colleagues Will Garland, President, Centers of Excellence, and Erica Davis, North America Cyber Center of Excellence Leader, Guy Carpenter.
When the impacts of COVID-19 became evident in 2020, we saw parallels to cyber exposure unfold through this other newly emerging industry risk:
- Potential for an aggregated global event with no regional boundaries
- Cascading effects on direct and indirect supply chains
- Multi-pronged industry impact manifesting across property, casualty and specialty lines of business
- Policy language that may not explicitly address underwriting intent, or may be triggered inadvertently
- Sweeping financial consequences that could ultimately be an existential threat
The far-reaching impacts of this event have yielded valuable insights on the criticality of business continuity planning, supply chain resiliency and policy language clarity. Awareness around these issues casts an even brighter spotlight on the (re)insurance industry’s response to cyber risk.
How the Market Continues to Address Silent Cyber
The sector’s understanding of silent cyber has meaningfully developed in recent years following the NotPetya and WannaCry attacks, which highlighted the potentially catastrophic impact of silent cyber within non-cyber lines of business. This underlying exposure’s potential for aggregated loss is currently one of the major issues being considered by the (re)insurance industry.
The UK Prudential Regulatory Authority (PRA) stated on January 30, 2019: “Firms reported challenging market conditions, broker pressure, and lack of historical data, models and expertise as the main impediments for the prudential management of cyber underwriting risk. We appreciate these challenges but do not believe they are insurmountable.” In addition, in January 2019 the PRA issued a “Dear CEO” letter indicating that all (re)insurers should develop Silent Cyber Action Plans to evaluate, model and quantify risks.
The Lloyd’s Market Bulletin that became effective in January 2020 requires all syndicates to provide clarity on the cyber exposure in all their policies, giving clients contract certainty. This approach, which will be phased in over the course of 2020 and 2021, is particularly focused on driving the eradication of silent cyber from traditional lines of insurance by encouraging insurers to identify the exposure and either clearly exclude or affirmatively include it.
Globally, we have seen regulators issue similar statements on managing silent cyber risks, including the European Insurance and Occupational Pensions Authority and, in the United States, the National Association of Insurance Commissioners, which have issued guidelines to help firms manage this risk.
Insurers and reinsurers have now developed underwriting strategies, portfolio roadmaps and clarifying language to address this growing concern. Though formal timeframes have not been established in the United States, it is clear that the changing market conditions of 2020 have created an opportune time for eradication efforts to accelerate around silent cyber.
This industry-wide initiative is a massive undertaking for risk bearers and requires a multi-stakeholder approach, with cyber strategies being revisited across all lines of business as new events transpire, incident data becomes more robust and legal precedent develops.