So-called silent cyberrisk is "now a top concern of board-level executives" at insurers and reinsurers and the source of "the bulk" of the industry's exposures, a new report from reinsurance broker Capsicum Re said.
Silent, or nonaffirmative, cyber refers to risks that are covered under standard insurance policies because those policies do not specifically include or exclude cyberrisk.
A cyber event could impact multiple lines of business at the same time: A cyberattack on computer-controlled machinery, for instance, could trigger multiple property and liability covers.
The report said the cyber insurance market is experiencing "explosive growth, development and change" through the sale of affirmative cyber, where cyber is explicitly included and accounted for in pricing. But it added: "Despite this growth, it is not affirmative, which presents the market with the greatest concerns, nor the largest opportunities. Rather, 'nonaffirmative' or 'silent' cyber is emerging as the critical area of concern."
The report also said that "Cyber losses are materializing with increasing frequency across the property/casualty sector, demonstrating clearly that the bulk of the cyber exposure lies within noncyber covers."
The uncertainty about whether cyber losses would be covered under traditional lines of business is creating "ambiguity for the insured, and unknown exposure for the insurer," the report said. The uncertainty is exacerbated, it added, because catastrophic cyber losses can transcend the class of insurance business, geography and industry.
'One of the most salient threats'
Rob Ashton, CEO of specialist underwriting agency Radius Specialty, said in the report that silent cyber "is one of the most salient emerging threats to the London market generally and the Lloyd's Central Fund specifically." The Central Fund is the central pool of assets that pays the liabilities of Lloyd's of London syndicates if they fail. Ashton added that completion of deals to transfer silent cyberrisk were "slow and sporadic" but he added: "As management, regulators and rating agencies start to scrutinize these risks more closely, we expect this will change quite dramatically over the next 18 months."
Hiscox Re head of specialty and technical underwriting Damien Smith said that thanks to a recent spate of silent cyber claims, the noncyber market was realizing that it would have to start pricing business properly to account for the cyber risk contained within it, or exclude it and allow the specific cyber market to pick up the exposure. Smith said the industry needed to act "urgently" before it faced the cyber equivalent of the 2001 World Trade Center attack, where policies paid out for a peril in a variety of business lines when the kind of terrorist attack involved was not anticipated.
Reinsurers are grappling with how to protect insurers against silent cyber while tackling their own exposure.
The Capsicum report, titled 'Are we heading towards PC&C?' suggests that cyber could become a third sector of insurance alongside property and casualty. It said this is likely in part because a major cyber loss would transcend both property and casualty and so it does not fit neatly into either of the two existing categories. It also said accumulations of cyberrisk need to be assessed in a different manner to other risks.