Getting to grips with silent cyber

Why it’s all about measurement, management and mitigation


Opinion


The following is an opinion article written by Mark Synnott, global cyber practice leader at Willis Re. The views expressed within the article are not necessarily reflective of those of Insurance Business.

Cyber threat is casting a shadow over the insurance industry. As the world becomes increasingly connected and reliant on digital technology, all lines of insurance become more exposed to potentially damaging cyberattacks.

Willis Re’s recent silent cyber survey revealed that over 60% of insurance experts expect higher cyber-related losses over the next 12 months. It’s an issue that can no longer be ignored.

The WannaCry and NotPetya ransomware attacks in 2017, while hugely destructive, were an important wake-up call for the insurance industry.

Cyberattacks are on the minds of multiple stakeholders, including regulators and board directors, like never before and there is an immediate need to quantify risk. To get a handle on cyber exposure, there are three things insurers must master: risk measurement, management and mitigation.

Risk measurement
While still young, cyber insurance is not new and considerable efforts are being devoted by insurers and modelling firms towards quantifying cyber risk, meaning we are becoming better equipped to assess cyber exposure and price risk on an affirmative basis.

The issue becomes a lot more complicated when it comes to assessing ‘silent cyber’, or cyber-related losses under policies where cyber risk isn’t specifically included or excluded. Here, modelling is in a much earlier stage of development. Unlike natural catastrophe models, there is no inventory of past hurricanes or earthquakes to help parameterise model dynamics.

While some developments are being made in modelling silent cyber, most insurers are applying deterministic scenarios to help gauge their downside exposure from all lines to cyber as a peril. While this approach is imperfect, doing nothing is not an option.

Risk management and mitigation
Covering against silent cyber can be difficult, but there are important steps insurers can take, particularly through risk management and mitigation – knowing your weaknesses and planning how to address them.

How should insurers ensure their risk management strategy is watertight? Put in the shoes of a chief risk officer tasked with tackling cyber exposure, I would put together an Enterprise Risk Management team to carry out an internal cyber audit. They would assess policy forms, poll business units and employ a range of techniques, including the use of models, realistic disaster scenarios and market share analyses across all insurance lines to find where exposures lie – quantifying downside potential risk and giving a range of worst-case cyber scenarios and costs. This would then inform measures that might be taken to mitigate any risk that exceeds my company’s risk appetite.

It’s vitally important that the insurance industry and its clients learn how to effectively cover against attacks and breaches. Like rewarding customers with lower premiums for using alarms in home insurance, insurers should adopt similar measures to encourage their customers to get into good habits.

Mitigation measures are important but don’t happen overnight, so how should insurers manage sudden crises? Our recent silent cyber survey showed that over 60% of respondents believe that an attack on the scale of WannaCry or NotPetya is likely to occur at least once every five years. It is therefore also important for insurers to examine the need for cyber catastrophe (cat) reinsurance.

Many would question the effectiveness of cyber cat reinsurance, given the challenges in quantifying cyber risk and defining the boundaries of what qualifies as a cyber cat ‘event’. Stop loss coverage can address this issue but there have been some important steps on the ‘event’ definition front – Property Claims Service (PCS), the organisation that traditionally measures property cat losses (from Hurricane Michael, for example), has turned its hand to cyber. PCS now has an ‘event’ definition it uses to quantify cyber cat losses (it quantified the insurance loss from NotPetya at a little over $3 billion, for example).

The culmination of better modelling, more sophisticated cyber cat reinsurance and a broader reinsurance market means that insurers that have a handle on their risk management and exposure should have a growing range of options to protect against cyber losses. Coupled with proactive risk mitigation measures, insurers should feel better equipped to deal with cyber threat. 

A natural progression
Adapting to new challenges is not a new phenomenon for the insurance industry. At the start of the industrial revolution, fire was a critical risk for businesses. Over the following century the insurance industry was heavily involved in developing insurance and physical fire prevention measures to reduce this risk. Fast-forward to the modern day, and fire is a much less significant risk for many.

Cyber could be the modern incarnation of fire risk. While there is still a way to go, we are making progress. With more attention and resources being devoted to the issue, we are working towards a future where cyber is a manageable risk that is well understood and we are equipped to deal with the day-to-day threat.

 
