The evolving nature of cyber crime means insurers must be wary
Like a shark cutting through the waters yards from a teeming beach, cyber risk is a mercurial threat.
Just like the tanned lifeguard who thinks he has seen a fin: we know the hackers are out there; we just don’t know if they’re going to attack, where they’re going to attack or who their target is. Our nervous lifeguard is also facing litigation from the people on the beach if he calls it wrong – although that depends on what country they’re from – and fines for compliance failure if he fails to hang the shark net correctly – although the rules covering this are changing all the time.
In some ways cyber coverage is the ultimate expression of how complex multinational insurance and reinsurance can be. The rapid growth of the market is matched by the swift evolution of the risk and increasingly different legislative responses around the globe as politicians react and draft laws reflecting widely varied concepts of privacy and liability.
Not only does it range across risks from theft of personal information to cyber attack by a foreign government, there is still ambiguity around where some claims fall. This is further complicated by differences between countries.
For example, in the United States there is debate about what type of cyber attack would constitute an act of terrorism.
“If a cyber attack involves terrorists, for example, which portion of the loss would fall under the Terrorism Risk Insurance Act?” asks JLT global head of strategic advisory David Flandro. “Clarity is needed around definitions.”
Some guidance may be emerging from Lloyd’s, which has established a specific cyber risk code ‘CY’, and recent guidance suggests that if the policy form provides coverage for specified cyber exposures, a percentage of premium must be allocated to the risk code.
“We anticipate that this will lead to improved transparency of cyber exposures and the development of more comprehensive Realistic Disaster Scenarios (RDS), particularly if it includes physical damage caused by cyber-attack,” says Aon Benfield Global ReSpecialty Composite team cyber expert Tom Wakefield.
“It is likely that reinsurance contracts will follow a similar form in due course, which will assist in aggregation and assessment of systemic risk.”
Nevertheless, global compliance remains a massive challenge for everyone in this fast-developing field.
“You need to have the experts in place who can see the exposure as it evolves and are able to assume these,” says Munich Re senior underwriter Andreas Schlayer.
“You have to be able to address these within your present risk management framework.
“This is a big advantage for large reinsurers because we do work globally. We are well-connected and tend to have staff with the local expertise to provide the right intelligence. It’s much harder for local providers to get the level of expertise. They struggle to address these complex exposures.”
In this situation, knowledge is power. “What we are looking for when we provide cyber reinsurance is a specialist underwriting team,” says Schlayer. “We look for someone who has a good understanding of what good IT risk assessment is, who can discover exposures and quantify them.”
A good cyber underwriter needs a rare combination of skills. They need to have a detailed understanding of both property and casualty, as well as how technology works in different industries – and there are far too few of these people around.
Schlayer cites the example of the US market. “There are insurers with teams of underwriters able to understand the exposures, and there are others, mostly those who have entered the market more recently, who just don’t have that knowledge,” he says.
“The market is generally very soft, and so there are plenty of providers looking for opportunities, including those who don’t necessarily have the best knowledge.”
In such an environment detail is critical, and firm contract clarity is essential.
“In terms of wording, we must answer the questions of what specifically constitutes a cyber attack,” says Flandro. “What different types of attack exist: is it terror, is it an act of war? Is it a speciality risk that is underwritten normally from corporates to insurers and then from insurers to reinsurers as part of a speciality treaty? Is it part of the aggregate cover? Is it its own line of business?
“It all depends on how the risk is defined and modelled.”
But cyber is a notoriously difficult class of business to model – with systemic risk being the greatest unknown – although solutions are not impossible to find.
“Aggregation across and within industry segments can be managed through a deep dive at original policy level,” advises Wakefield. “A high level approach will include simple underwriting of elements of risk such as robustness of firewalls.
“Depending on the policy type, this can develop into much more detailed assessments, for example reviewing individual component manufacturers of key operating systems.
“Cedants are generally willing to share data if the policy offering includes breach response and breach mitigation, for example, the AEGIS Critical Infrastructure offering.
“In addition, there are certain regulatory requirements in the US that make reporting of data breach mandatory and hence creating a pool of data.”
Slowly, the murky waters are clearing and we can all see the risk more clearly. But insuring cyber risk continues to be a tough business. The danger remains that, just as the insurance market believes it understands the risk, it will just flip its tail and disappear into the depths.