The coronavirus pandemic is "the best reminder for us all" about the potential for a cyberattack to cause heavy non-damage business interruption losses, according to Stefan Golling, chief underwriter of Munich Re.
Golling told journalists Sept. 7 that COVID-19 showed the possibility of "the potentially huge consequences of a cyberattack causing widespread business interruption, even without causing a high or any level of physical damage."
Business-interruption cover typically requires property damage to pay out, which has proven a big problem for businesses in the coronavirus pandemic. In a staff paper discussing potential solutions for insuring future pandemics, the European Insurance and Occupational Pensions Authority said the pandemic had shown that there was a "significant protection gap" for non-damage business interruption.
Several countries are examining public-private partnerships to cover future pandemics, given the consensus that the private insurance industry cannot shoulder the burden alone.
Golling said the pandemic has "proven" that there are also other risks too big for the industry to cover alone such as a cyber war, or cyberattacks that take out critical infrastructure, such as the internet or power grids. These "might be topics where we also need to think about new solutions with the involvement of governments as well," Golling added.
Cyberattacks have "increased sharply" since lockdown measures were implemented to curb the spread of coronavirus, Golling said, because many companies had to shift their operations online at short notice. Ransomware attacks had increased 150%, phishing by almost 600%, and cyberattacks on banks were up 150%, he added.
While the effect of this rise on cyber insurance loss ratios has been low, Golling said the increase in exposure, coupled with the uncertainty brought by the coronavirus crisis, had prompted Munich Re to focus more on addressing the "hot topics in cyber." Understanding and managing potential accumulation of cyberrisks is "a top priority," and increasing transparency in affirmative cyberrisk and so-called silent cyberrisk in Munich Re's property and casualty portfolio "is key for us."
Silent cyberrisk refers to exposures companies may have because noncyber policies do not explicitly include or exclude cyber coverage.
Golling said discussion about coronavirus-related business interruption "has shown again that avoiding wording ambiguity isn't only key from an accumulation perspective but also from a reputation risk point of view for the insurance industry." He added: "Our customers have the right to understand, to know, what is covered and what is not covered, and we need that clarity as well in order to manage our risks."
Munich Re booked €1.5 billion of coronavirus claims and reserves in the first half, of which €1.4 billion was for property and casualty reinsurance. The bulk of the bill is for contingency, which includes event cancellation.
The company's reinsurance CEO, Torsten Jeworrek, told journalists that there were still further losses to come in Munich Re's portfolio and that there is "further development, particularly on the contingency side," but "reduced momentum" in the development of coronavirus losses.
He added that it remained to be seen whether this would indicate what would happen for the full year.