Cyber insurance underwriting Part II: Silent cyber risk still biggest concern

At a glance:

  • The recent sharp increase in cyber events following COVID-19 has reinforced existing supervisory concerns around insurers’ management of silent cyber risk, particularly as the pandemic demonstrated the magnitude of potential pay-outs of silent exposures in the context of business interruption insurance.
  • Insurers should prioritise executing their pre-pandemic strategies to identify silent cyber risk and quantify the individual and aggregate exposures, as well as re-visiting risk mitigation programs to ensure appropriate cover is in place, bearing in mind lessons learnt from the COVID-19 experience.

The context

Now that we have established that cyber insurance underwriting is back on the supervisory agenda, we will take a closer look at what we think the biggest supervisory concern is in this area: silent (or non-affirmative) cyber risk¹.

Over the last three years, regulators and supervisors alike have been vocal about the need for the insurance industry to identify and manage these silent exposures in order to avoid unexpected and large pay-outs following a severe cyber event. Absent exclusions, cyber events could trigger claims on policies that were not designed and priced to cover cyber risks. To illustrate the problem, the NotPetya cyber-attack in 2017 caused insured losses of more than USD 3 billion, and an overwhelming majority of these (roughly 90%) were driven by silent cyber claims, i.e. claims for which insurers had not accounted.

As organisations face increased cyber and operational challenges following COVID-19, there is also a bigger risk of silent cyber claims being triggered. This blog explores why we think silent cyber risk is under the supervisory microscope once again, and what practical steps insurers can take to address some of the supervisory concerns and risks in this area.

Silent cyber risk remains under the microscope

With reports of increasing data breaches, ransomware attacks, and fraudulent activities, we expect rapid growth in both the standalone cyber insurance market and in silent cyber insurance claims pay-outs as these events could, absent exclusions, trigger traditional, non-cyber insurance policies. In our view, this recent increase in cyber events will only re-affirm existing supervisory concerns around silent cyber risk, especially as many insurers were only at the start of their journey to assess their silent exposures even before the pandemic. Additionally, the pandemic has demonstrated the magnitude of potential claims pay-outs of silent exposures. The majority of business interruption insurance policies that either stayed silent, or were ambiguous, in relation to non-damage claims were triggered as a result of COVID-19 related business closures, with the total value of settled and paid final claims at nearly GBP 700 million as of August 2021.

It is therefore not surprising that the PRA recently announced that it will include a cyber insurance underwriting risk scenario in its 2022 General Insurance Stress Test (GIST); this will cover affirmative cyber underwriting risk, whether written standalone or as part of a broader package, as well as non-affirmative covers where relevant. As previous stress test results have revealed material divergence in insurers’ approaches to silent cyber loss assessments and perceptions of silent cyber risk, supervisors are likely to pay particular attention to this area in the upcoming exercise. There are, for example, significant differences in firms’ assessments of which policies are likely to trigger silent cyber claims. To better understand where there are potential exposures, and to be able to escalate silent cyber claims appropriately ahead of the GIST submission next year, insurers should work on improving feedback loops between their claims and reserving functions.

Internationally, a recent report by the International Association of Insurance Supervisors (IAIS) also identified silent cyber risk as one of the main challenges for insurers. While acknowledging that some major insurers have taken steps towards comprehensively writing cyber insurance only on an affirmative basis, the IAIS’ conclusion is that this process is not complete for the industry as a whole.

What do you need to do?

Bearing in mind the lessons learnt from the recent business interruption experience, insurers should continue to execute the strategies they had in place pre-pandemic to identify silent cyber risk in their policies and quantify the individual and aggregate exposures. They should also re-visit risk mitigation programmes in light of silent cyber exposures to ensure appropriate coverage is in place, and clarify policy language to make clear what is included and what is not, weighing the need to limit exposures against the need to provide useful cover to insureds. Policy language around cyber risk should be kept clear and simple in order to avoid ambiguity or misunderstanding amongst policyholders. Some insurers may also need to perform a bottom-up review of existing reinsurance programmes to ensure appropriate coverage of different types, and sizes, of cyber risks, including silent exposures.

Supervisors will look for evidence that silent cyber risk exposures have been discussed and taken into account in the Board’s risk appetite, and that the Board has developed and implemented explicit strategies to manage silent cyber exposures. A positive indicator for supervisors would be that the Board has performed a deep dive into the silent cyber exposures to validate that the pre-pandemic strategy to identify and manage them remains appropriate.

In our report, we set out further detailed, practical steps that insurers can take to help build supervisory confidence in firms’ understanding and management of cyber underwriting risks, including silent exposures.

¹ Silent (or non-affirmative) cyber risk refers to risks implicitly covered by insurance policies that do not explicitly include or exclude coverage of cyber risk.