The UK’s insurance regulator has warned insurance companies that they need to do more to reduce and manage their exposure to ‘silent’, or non-affirmative, cyber risk.
Non-affirmative cyber risk occurs when insurance policies are ‘silent’ on the matter, in that they don’t explicitly either include or exclude it.
The shot across the bows from the Prudential Regulation Authority (PRA) follows its survey of insurance firms of various sizes, which found that although some work has been done to address the issue, more effort is needed in relation to businesses’ non-affirmative cyber risk management, risk appetite and strategy.
Firms taking part in the survey generally agreed that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk, with casualty, financial and motor lines among those noted to have the largest exposure. They did, however, differ in their opinions on the exposure to non-affirmative cyber risk within lines including property, marine, aviation and transportation. It’s this uncertainty within the industry about coverage for ‘silent’ or non-affirmative cyber risk that should put all risk managers on alert.
Why is this an issue now?
Insurance Business UK says silent cyber is a major topic of concern for insurers and risk managers, but that it remains clouded in ambiguity and uncertainty. It reports that insurance businesses are starting to see losses – for example following the NotPetya malware attack in 2017: “Most victims were based in Ukraine, but several global corporations were also infected – including shipping giant Maersk, advertising firm WPP, pharmaceutical outfit Merck, and FedEx’s TNT Express division. NotPetya resulted in silent cyber losses on non-cyber lines of business for various insurers.”
With cyber risk on the rise as businesses increase their use of technology and the internet of things continues to grow, insurance firms and clients relying on traditional policies that don’t specifically address cyber risk face coverage ambiguity. Where it’s unclear what is and isn’t covered, insurers may face paying out on claims for cyber losses based on policies not designed for that purpose.
What insurers need to do
According to the PRA’s recent survey, “firms’ stress test results suggest that a cyber event could have widespread impact on a number of different lines of business. Some firms assessed the potential risk of loss from cyber events as being comparable with major natural catastrophes in the US.”
The PRA says that statements such as these reinforce its concerns about the large exposure potential and the need for firms to take action to manage the unintended exposure to non-affirmative cyber risk. In its January 2019 letter in response to the survey, it spells out to the chief executives of specialist general insurance firms a number of expectations for how they should improve their underwriting of cyber risk, including setting clearly defined cyber strategies and risk appetites that are agreed by the board, and building and continuously developing their cyber expertise.
It said that the difference in opinions seen in some assessments of risk exposure suggests that some firms should give further thought to the potential for cyber exposure within their specific portfolios, and that firms’ quantitative assessments of non-affirmative risk are generally not well-developed, with most relying on stress scenarios and expert elicitation. The range of practices it observed suggests that some firms should do more to carry out detailed assessments of their books of business and to develop means of more accurately assessing non-affirmative exposure.
What about affirmative cyber risk?
Affirmative cyber risk can be underwritten in either stand-alone policies specifically designed for cyber risk, or under policies that also cover risks such as business interruption, contingent business interruption, and reputational damage.
The PRA says that its survey results and further market intelligence point to a widening of coverage for such cyber insurance products, which has clear benefits for policyholders and the wider economy, but also comes with obvious risks for insurers if it is not accompanied by appropriate pricing adjustments and adequate risk management.
It also points to the relative lack of available data and the immaturity of the cyber market compared to more established risk areas, and says that firms recognised the need to develop their knowledge further.
Why this matters for policyholders, not just insurers
Insurance carriers have a number of options for addressing silent cyber – affirmatively provide cyber coverage in non-cyber lines of business, provide stand-alone cyber coverage and a clear cyber exclusion in their traditional property and liability policies, or stay silent.
How insurers choose to deal with cyber risk could affect how, and how much, customers pay for coverage: as the greater need for cyber coverage is acknowledged, customers face the potential for increased premiums, making levels of coverage and the cost of insurance something that should be on every risk manager’s radar.
As cyber risk evolves and grows, the insurance industry and its risk managers around the world need to get rid of the coverage ambiguity around silent cyber. Johnny Fraser from Capsicum Re, a cyber reinsurance broker, pointed out in Insurance Business UK that “the insurers that have the best understanding of non-affirmative cyber exposures will be best positioned to offer more coverage clarity, and therefore better products for their insureds.”