Insurance professionals and their business clients have made important strides clarifying coverage for losses from hacks, according to a recent survey.
As the number of high-profile breaches mounted, uncertainty over whether those attacks would be covered by insurance became a growing risk to the industry's reputation, said Andrew Laing, PartnerRe Ltd.'s head of global cyber and emerging risks. Concerns over so-called silent cyber risks increased as clients expected to be covered by commercial policies that did not mention internet-related vulnerabilities one way or the other.
Respondents to an annual survey conducted by PartnerRe and Advisen Ltd. indicated a decreasing overlap between cyber coverage and more traditional policies and a trend of underwriters and brokers more clearly outlining protection from hack losses. But concern among insurance professionals has not dissipated, with 67% of survey respondents saying they were still worried about the presence of silent cyber expectations lurking among clients of specialty property insurance.
- Concern among insurance professionals has not dissipated, with 67% of survey respondents saying they were still worried about the presence of silent cyber expectations lurking among clients of specialty property insurance.
- Fund transfer schemes, one of the costliest types of Internet-based fraud that criminals inflict on businesses, continues to divide opinions in the insurance world on how losses should be covered.
- The survey found that social engineering was the second-most-common reason insurance customers cited for purchasing or renewing their cyber policies.
Cyber liability insurers have been taking on previously unwritten risks as companies expand coverage in the sector while keeping prices steady.
Capacity has grown sharply even as losses rose in recent years, said Joe DePaul, Willis Towers Watson PLC's head of cyber and E&O for FINEX North America. That has led to a competitive pricing environment.
Losses climbed as database breaches surged across the globe, and as managing and responding to attacks have become more expensive, Willis said in an annual report on cyber risk. However, no loss events have been catastrophic enough to frighten away new entrants or tamp down ever more generous terms and conditions, DePaul said.
- Besides coverage for network security, system failures and privacy compromises, policies have broadened recently to include business interruption resulting from hacks. Policies could even soon include coverage for infrastructure, DePaul said. The Willis report cited reputation damage as another area where cyber policies could expand.
- Direct written premiums for stand-alone cyber coverage continued to grow in 2018, up 11.8% industrywide compared to the prior year.
- Throughout Europe, the Middle East and Africa, business email has become the largest driver of cyber insurance claims, partly due to privacy rules mandated since 2018 throughout the European Union by the General Data Protection Regulation, or GDPR, according to an AIG report.
- Although coverage has broadened and losses have crept up, some underwriters have offered discounts to customers who beef up cybersecurity, according to the Willis report. Companies have managed the risk with careful, brush-stroke underwriting that employs payout limits and technology partnerships for more precise risk assessment. Insurers also use nonstandard policy applications tailored more specifically to clients' needs.
The target market for cyber liability insurance is expanding beyond the largest financial, healthcare and retail companies to local contractors that work with those big names and may represent an outsized level of risk.
Indemnification for cyber breaches is becoming part of the requirement for doing business with larger companies, said Ari Vared, vice president at broker CyberPolicy.com. More of those larger companies are requiring their third-party contractors to buy policies as part of their own cyber liability protection, Vared said in an interview.
"Anytime they have a third party that is connecting into their system, there's this massive element of risk that they have no ability to control through their own cybersecurity measures," he said.
London market insurers are working to clarify the war exclusions in cyber insurance policies amid concerns about an increase in state-sponsored cyberattacks.
While progress is being made, there is little consensus on what constitutes modern-day war, and insurers are trying to strike the difficult balance between providing sufficient cover and avoiding financial ruin.
- The push to clarify cyber war exclusions came largely from the court battles between companies and their insurers over denied claims from the 2017 NotPetya ransomware attack, which several governments have alleged was carried out by Russia. In one well-publicized case, Zurich Insurance Group AG is relying on a war exclusion to avoid paying for damage that U.S. food conglomerate Mondelez suffered because of NotPetya.
- War exclusions' general purpose is to protect the insurance industry's solvency. A big threat is aggregation — that an event triggers many claims across a wide range of policy types at the same time. Given its highly destructive and destabilizing nature, acts of war are therefore excluded from most standard policies, including cyber covers.
Cyberrisk will make its way to the insurance-linked securities market "sooner than later," according to Paul Schultz, CEO of broking group Aon PLC's investment banking division, Aon Securities.
A number of hurdles exist to the transfer of cyberrisk to the insurance-linked securities, or ILS, market, such as the relative lack of sophistication of cyberrisk models and the potential for cyber losses to be correlated with other risks in investors' portfolios. But speaking to S&P Global Market Intelligence at the reinsurance Rendez-vous in Monte Carlo, Schultz said: "I think we're closer."
- Schultz suggested that the development of cyber ILS could be similar to how property catastrophe ILS, which form the bulk of the market, evolved. In the early days of ILS, the bonds' payouts were triggered by factors such as the magnitude of the event, or an industry loss index, rather than the actual claims experience of the company protected by the bond. Schultz said that now, around 70% of property ILS are triggered by client claims experience.
- Although cyberrisk models have been described as lacking, Schultz said risk modeling firms "have made good progress" and said Aon used a few of the modeling companies to evaluate cyberrisk.
- Nevertheless, it seems there is more talk than action on cyber ILS. Jin Shah, managing director for capital markets at risk modeling firm RMS, said in an interview at Monte Carlo that the company has "supported many conversations around" cyber ILS and industry loss warranties, "but it has never got past the preliminary stages."
Shadowing the rapid growth of cyber liability insurance has been an ominous trend of more frequent cyber extortion hacks with higher monetary demands, attacks so effective that victims increasingly feel pressured to pay the hackers off quickly.
The cyber insurance market has expanded rapidly but still lacks the historical loss data on which underwriters in most lines rely to design and price coverage. Insurers have long offered extortion and kidnap coverages, but law enforcement has traditionally counseled against paying criminals' demands because doing so encourages more attacks.
- When a hacker seizes computer systems in a way that threatens a company's viability, investigators are no longer in any position to advise that type of social prudence, said John Stark, a former SEC cybercrimes investigator who now runs a ransomware response and consultancy business.
- The growth of the cyber liability industry has made more insurance money available to respond to ransomware attacks and led to the suspicion that carriers might be enticing extortion demands because of the capital from insurance backing. The scrutiny prompted Marsh executive Matthew McCabe to publish an article in response, emphasizing that carriers do not encourage ransom payments and do not take the decision out of clients' hands.
- Still, what had been a nuisance is growing into a major business risk, and carriers have needed to adjust, said Tom Srail, a cyberrisk researcher for Willis Towers Watson PLC.