Perspective

Beware of the Risks of Silent Cyber

Cyber risk is one of the most dynamic challenges facing the insurance and reinsurance industry. “Silent cyber” is a term that is increasingly used to describe cyber-related losses stemming from insurance policies that were not specifically designed to cover cyber risk—meaning an insurer may have to pay claims for cyber losses under a policy not designed for that purpose.

The Silent Cyber Threat

As a result, regulators are now formalizing capital requirements, as well as quantitative and qualitative measurements of risk appetite. In the UK, the Prudential Regulation Authority (PRA) is asking re/insurers to develop a silent cyber action plan by the middle of 2019. PRA will conduct deep-dives on select firms in the second half of the year to assess how well they’re meeting expectations, as described in a 2017 supervisory statement. The PRA will then further assess affirmative cyber risk via an exploratory stress test later in the year. 

As large-scale events and regulatory pressures increasingly test risk management strategies, this is a critical moment in the evolution of the cyber product, particularly regarding these silent exposures.

Companies will need to enhance cyber underwriting and reinsurance strategies, leverage their innovative modeling capabilities, and develop technical and underwriting risk talent if they are to continue offering clients the best security possible.

Trying To Define Expectations

Regulators globally and other stakeholders are collaborating to define expectations for firms writing cyber policies to protect against attacks like WannaCry and NotPetya. These events demonstrated the speed at which a cyberattack can spread and the catastrophic potential of silent cyber. PCS Global Cyber attributes around 90 percent of the insurance industry’s loss from NotPetya-related cyberattacks to silent cyber.

The systemic damages also shifted the conversation from data breaches, notification costs and third-party liability to first-party liability and business interruption. In 2017, the European Insurance and Occupational Pensions Authority (EIOPA), in its first attempt to quantify silent cyber, surveyed 13 re/insurers from across Europe based on their expertise and cyber exposures.

In 2018, EIOPA surveyed insurers on IT governance, their own system landscape and measures to respond to cyberattacks. The EU-U.S. Insurance Dialogue Project, started in 2012, aims to enhance understanding between the European Union and the United States, while a study by the U.S. National Association of Insurance Commissioners and the Center for Insurance Policy and Research titled Cyber Risk Insurance Market Advances, Challenges and Regulatory Concerns is forthcoming.

Strategies Are Still Evolving

Between 2015 and 2016, the PRA asked the re/insurers it regulates to identify and assess their exposure to affirmative and silent cyber. The results showed that clear strategies, defined risk appetites and robust methods for quantifying exposures were still developing, along with a level of uncertainty regarding the response of reinsurance programs and a limited ability for risk managers to challenge business strategies.

At that time, the PRA also noted pricing had not developed sufficiently and there was insufficient investment in internal cyber expertise. In response, it issued a supervisory statement in 2017 detailing its expectations for managing non-affirmative cyber risk, setting clearly defined, board-approved cyber strategies and risk appetites and developing their expertise.

It also suggested addressing silent cyber by considering adjustments to premiums to offer explicit cover or introducing exclusions or sub-limits. In 2018, it conducted a follow-up survey that suggested progress had been made, but that more work was needed, particularly regarding silent cyber.

Highest Risk in Casualty, Financial, Motor and A&H Lines

In January, the PRA issued a letter to CEOs outlining survey findings, including the high risk of silent cyber in casualty, financial, motor and A&H lines, although views of silent exposure within property, marine, aviation and transport and miscellaneous lines varied. The survey also found that firms’ quantitative assessments of non-affirmative risk are underdeveloped, with only the most advanced companies conducting detailed analyses for all products by bringing together underwriting, risk, claims, IT and actuarial departments. This often included policy wording reviews.

The survey indicated a widening of affirmative cyber coverage for business interruption, contingent business interruption, and reputational damage, yet it also indicated a significant divergence in modeled losses among companies.

There continues to be little evidence that reinsurance programs will respond as planned to a silent cyber event.

This underlines the inherent uncertainty in available cyber models and the lack of reliable claims data. The heightened need for formalized risk appetites and board-agreed cyber strategies increases the importance of developing bespoke scenarios for particular portfolios. But there has been limited progress on modeling non-affirmative cyber risk, despite industry recognition of the need to continuously develop its cyber knowledge.