Silent cyber risks: An underestimated threat

In 2017, three global malware cyber-attacks—Petya, NotPetya and WannaCry—served as a wake-up call for companies worldwide. The attacks infected computer systems in more than 150 countries. They are estimated to have caused insured losses to the tune of US$3.3 billion, according to Property Claims Services (PCS), which established a cyber loss-aggregation service in 2017.

Cyber risks continue to worry insurers, customers, policymakers and regulators—and for good reasons. The uninsured losses are estimated to be in the range of US$55 billion. Not surprisingly, in a 2018 World Economic Forum Annual Executive Opinion Survey of 12,500 participating executives, cyber-attacks topped the list of prime risks in doing business across advanced economies.

The cyber line is seen as one of the fastest-growing insurance segments. According to Orbis Research, the size of the cyber insurance market was approximately US$4.5 billion in 2017. Over the following five years, Orbis expects the line to grow at a compound annual growth rate (CAGR) of 25.4 percent, reaching US$17.55 billion by 2023. As reported by the European insurance regulator EIOPA, about 85–90 percent of premiums are written in the US and about 5–9 percent, or roughly US$150 million to US$400 million, in Europe. However, it is Asia-Pacific that is expected to experience the fastest growth.

Policymakers are also taking great interest in data protection and cyber risks. In May 2018, the European Union's General Data Protection Regulation (GDPR) took effect, aimed at giving European citizens greater control over their personal data. According to the European Commission, as well as many market pundits, the GDPR provides the strongest and "most modern data protection rules in the world" and is set to evolve rapidly into a global standard.

In addition, regulators like the UK Prudential Regulation Authority (PRA) are stepping up their game by increasing the pressure on insurers to assess and manage their cyber risk exposures diligently. Similarly, EIOPA surveyed 13 leading (re)insurance groups to investigate the function, growth potential, challenges and risks of cyber insurance in Europe, and cyber risk was subsequently included in EIOPA's 2018 Insurance Stress Test. In Asia, countries such as China, Japan and Korea have cyber security laws in place to regulate cybercrime, privacy and data protection, and electronic transactions.

90 percent of claims may relate to silent cyber risks

One of the major recurring concerns of insurers and regulators is the volume of non-affirmative, or silent, cyber risk hidden or embedded in traditional property and casualty policies. These risks have neither been explicitly excluded from the policy nor properly priced by the insurer. Although silent cyber risks have probably existed for as long as cyber risks have, they have come under growing scrutiny from regulators and rating agencies since the high-profile Petya and NotPetya cases of 2017, in which about 90 percent of claims were found to relate to silent cyber losses.

Lloyd’s of London has recently announced its intent to clamp down on silent cyber risk, requiring its syndicates to ensure that all policies provide clarity on cyber coverage, either by specifying exclusions or by granting explicit (re)insurance protection. The Corporation is concerned that silent cyber risks could expose carriers to unexpected levels of loss.

Measuring silent cyber risks is virtually impossible

Silent cyber exposure can surface in almost any traditional line. For instance, a cyber-attack on a power plant’s control system could lead to an explosion that causes massive property damage, and the business interruption triggered by that damage could be even more severe. Or imagine a marine loss caused by the manipulation of a container-tracking system or by the hijacking of a vessel’s computer systems. Such scenarios have already become real. With the growing use of technologies such as artificial intelligence, the Internet of Things and robotics, silent cyber risk will not remain limited to property claims but may evolve into a main exposure for product liability coverages as well.

Silent cyber is not only a risk that is inadequately identified or priced; it also poses a direct threat to insurers themselves.

In the case of a loss event, its undisclosed or unexpected nature may trigger shareholder claims and class-action suits. Furthermore, since non-affirmative cyber risks are very difficult to track or identify, insurers struggle to convert them into affirmative, explicitly priced cover.

While insurers are now introducing policy language to frame the risk and specify the conditions under which cyber risk is included in or excluded from a policy, the process is far from simple, as new exclusions are welcomed by neither policyholders nor brokers. Even with clearly defined cyber exclusions, the cause of a loss can be hard to establish beyond doubt, so disputes over whether an exclusion applies are likely.

These challenges are obviously not limited to cyber risks in Europe or the US but are commonplace for insurers in Asia-Pacific, too. The industry may have to live with silent cyber exposure for quite some time. Peak Re supports its clients in facing the silent cyber reality and works with them to monitor and mitigate their silent cyber exposure.

Accumulation risk remains difficult to pin down

Besides silent cyber and the risk of change, the accumulation risk of cyber is another major challenge. While accumulation as such is not new to insurers, the interconnectedness of industries through the exchange and flow of data along their value chains makes the risk difficult to contain. A single attack can quickly take on global dimensions.

In 2016, the attack on the DNS provider Dyn consisted of a series of distributed denial-of-service (DDoS) attacks launched from the Mirai botnet of compromised IoT devices. Because Dyn resolved the domain names of many major platforms, large swathes of users in Europe and North America had no access to those internet platforms and services for several hours, even though the platforms themselves had not been attacked.

The traditional approach to insurance accumulation control, managing exposure by territory, no longer works for cyber aggregation, since a single vulnerable vendor or service can be shared by insureds across every region. However, catastrophe modelling companies like AIR and RMS and specialist cyber analytics firms like Cyence and CyberCube have developed models for cyber risk accumulation. Although the reliability of such models has not been, and may never be, fully tested, the industry is at least making some progress in this regard. Peak Re shares different scenarios with its clients to help them assess their cyber accumulation risks and understand their aggregation exposure.

Cyber risk exhibits large territorial differences

The large share of cyber premiums written in the US market is, to a large extent, a reflection of the litigiousness of the US legal environment and its strict breach notification laws. As senior management realises its exposure to cyber risks and potential shareholder claims, it wants to limit its liability. According to Peak Re sources, around 50 percent of cyber losses relate to data and privacy breaches, a risk that board executives typically want to protect against. In Asia-Pacific, business interruption as a first-party loss is so far the major concern in most industries, reflecting the region’s tightly interwoven production processes.

In Japan, by far the largest cyber market in Asia-Pacific, business interruption is likewise the key concern for the country’s prime insurance buyers, the automotive industry and IT companies. While Japan does not have the strict notification laws of the US, in the case of a loss event Japanese companies are exposed to significant reputational damage, which they typically seek to offset by paying so-called “sorry money” to their customers as an expression of regret.

As a global reinsurer based in Hong Kong, Peak Re tailors its support of cedants to local market regulation. Peak Re considers the specific needs of each client when developing cyber risk cover, rather than simply copying a model from the US.