Nowhere to hide: Silent cyber risk threatens D&O and E&O lines – Willis Re

Nowhere to hide: Silent cyber risk threatens D&O and E&O lines – Willis Re | Insurance Business Canada

Silent cyber risk isn’t going away. In a recent survey by global reinsurer Willis Re, more than 60% of the close to 700 respondents said that they were likely to experience more than one cyber-related loss for every 100 non-cyber covered losses over the next year, across all lines of business except for workers’ compensation.

In Canada, the Federation of Sovereign Indigenous Nations (FSIN) was the most recent target of hackers, suffering a data breach and then paying a $20,000 ransom demand to regain access to internal files and its email system. Yet as human activity and business dealings get more intertwined, with people using the cloud to store services and the Internet of Things to link up devices, the cyber threat is expected to worsen.

“Business commerce and human interaction is so much more dependent on digitization and that is only likely to increase,” said Mark Synnott, global cyber practice leader for Willis Re. “With that growing interdependence on various interconnected devices, you have a lot more exposure if there’s something that goes wrong with those devices or those devices get hacked, or you’re not able to access those devices, or your computer systems are hacked or they’re disabled.

“That potentially impacts not just cyber insurance policies, but other insurance policies because those policies are typically broadly worded and they were written in an era when cyber really wasn’t an issue,” added Synnott, characterizing the 70s, 80s, and 90s as the pre-digital era. “They therefore did not contemplate cyber as a potential exposure.”

Willis Re’s Silent Cyber Risk Outlook for 2018 aimed its sights on two additional lines of business compared to previous years – directors and officers (D&O) and errors and omissions (E&O) – and found that over 30% of respondents for D&O and E&O viewed the silent cyber risk factor as 1.10 or greater, meaning that there is an expectation of more cyber-related losses in these lines.

“A lot of professional service companies, and in particular large law firms, are repositories of commercially sensitive information so if their systems are hacked, a lot of sensitive data could be uplifted from their computer systems and utilized for financial gain by various cyber criminals or other groups,” said Synnott, explaining the threat to E&O lines specifically. “Professional service firms, including law firms, have a duty of care to protect that data. If they don’t protect that data, then they have a potentially sizeable errors and omissions loss coming their way and, typically, that would fall under the errors and omissions insurance policy. It wouldn’t fall under their cyber insurance policy because they always have a duty of care to protect commercially sensitive data,” no matter if that information is stored in physical files in the office or on servers.

On the other hand, Equifax is a good example of what can go wrong for D&O lines when a hack hits.

“The Equifax data breach had a big impact on Equifax’s stock market valuation. It fell quite considerably and that triggered a lawsuit, so that’s where you have potential D&O exposure because the directors and officers of that company have a responsibility to make sure that the entity is cyber secure,” said Synnott.

Boards and C-suite executives have to double down on cybersecurity measures as the likelihood grows of a significant cyber catastrophe loss, along the lines of a NotPetya malware attack but more virulent, which could impact a wide swathe of businesses worldwide.

“That could lead to a very sizeable cyber catastrophic loss – a cyber hurricane, if you like – and that cyber hurricane, unlike a natural hurricane, doesn’t have any physical boundaries,” Synnott told Insurance Business. “The whole world is one cyber hurricane cat zone, whereas in the physical world you have much more geographically-limited areas that could be impacted by a physical hurricane, so the potential for damage is vast. At some point there will be a cyber cat – the question is when, not if – and with the increasing amount of information that’s stored in the cloud [and] the increasing dependence on digitization, the exposures are only likely to grow.”