Insurers are finding themselves squeezed between regulators and reinsurers, who both want the uncertainty of so-called silent cyber risk to be resolved.
The potential cost implications of failing to address it are frightening. At present, global standalone cyber premiums are estimated to be in the region of $5.5 billion. But the connected exposures and premiums at risk from silent cyber across all Property and Casualty (P&C) lines are higher by an order of magnitude. This explains the nervousness among market regulators and reinsurers.
“Silent cyber” or “non-affirmative cyber” are terms used to describe unidentified cyber risks present within non-cyber insurance policies. (“Affirmative cyber” refers to insurance policies where the peril is defined and clearly set out within a policy document.) Traditional insurance products were developed in the pre-internet era, before cyber risk became a meaningful concern for the industry. Since conventional insurance policies were not designed to include cyber as a potential risk, they did not specifically reference digital perils. These were simply not considered at the time of underwriting.
Recently developed insurance products are more explicit as to whether cyber risk is covered.
There is danger when policies do not spell this out. Ambiguity in insurance (and reinsurance) contracts can cause direct exposures in a policy, or even potential accumulation across policies where the cyber peril is neither explicitly included nor explicitly excluded. This has the potential to create ambiguity in interpretation as to whether a given loss event (whether physical or non-physical) that was started by a cyber-related peril is covered by a standard policy.
In today’s interconnected and interdependent business environment, this can prompt concern for policyholders affected by non-physical perils, such as network/system failures, that cause disruption to business continuity and profitability.
This is an area of insurance that has largely been untested in the courts. Leaving the issues in the hands of the legal system, with little precedent, will be a challenging experience for the insurance industry, and a lucrative line of business for lawyers. It will be interesting to observe how the market reacts to future losses and court decisions.
The Potential Impact of Failing to Address the Problem
If the issue remains unresolved, it will have a detrimental impact on both the affirmative cyber market and the P&C market. Lack of clarity creates ambiguity for the insurance buyer, and unknown exposure for insurers and reinsurers.
The rapid growth of cyber insurance has created challenges for claims professionals and carriers seeking to set loss reserves and forecast their capital requirements. Insurers and reinsurers need to determine accurate cyber loss reserves. But currently, it’s proving very hard to allocate definitive loss reserves for the development profile of these incidents.
For insurers, therefore, scenario-based modelling has got to be the route forward. Models can be helpful in running “what-if” analyses on exposures to help determine whether the risk in any line of business is substantial and warrants timely action. Being able to measure this risk enables companies to manage it more effectively.
The growing pressure on insurers to identify non-affirmative cyber risk hidden within traditional non-cyber insurance products must lead to changes in the way the industry’s cyber modelling tools are constructed. Cyber models need to expand their scope in order to cover a much broader range of insurance lines if non-affirmative cyber risks are to be identified and analyzed effectively.
The lack of high-quality, detailed exposure data for established lines of business is a brake on progress. Models need to be able to handle aggregated data and, in many cases, incomplete information is being used to provide estimates. This is clearly not helpful for the industry.
One way or another, these issues need to be sorted out soon.
Ashwin Kashyap is Co-founder and Head of Product and Analytics for CyberCube.Based in San Francisco, he leads the data, analytics and product vision of the organization. An 80-strong venture capitalist-backed cyber analytics company, CyberCube was recognized as a World Economic Forum Technology Pioneer in 2019. Kashyap was formerly Director of Product Management at Symantec.
Yvette Essen is Head of Content for CyberCube. Based in London, she is responsible for writing, editing and overseeing the publication of thought leadership content. Previously she spent 10 years as Director of Research—EMEA for insurance ratings agency AM Best. Prior to that, Essen worked for seven years as the Insurance, Pensions and Stock Market Reporter for the Daily and Sunday Telegraph.