Insurers’ Worst Fear: Cyber Hurricane or Silent Cyber?
Insurers in the cyber insurance segment have enjoyed exponential growth in the market over the last 10 years, and that is expected to continue as the world becomes even more connected via the internet. But while the growth in business is welcome, the exposure the industry itself faces to losses in the event of a large data breach, or even worse — a so-called “cyber hurricane” — is something industry experts say cannot be ignored.
The term “cyber hurricane” describes the takedown of the entire U.S. economy’s cloud network, according to Scott Stransky, assistant vice president and principal scientist for AIR Worldwide.
Stransky, a co-author of the AIR and Lloyd’s report “Cloud Down: Impacts on the U.S. economy” released earlier this year, said the report was developed after discussions with Lloyd’s over what would be the worst-case scenario for a cyber loss — a cyber hurricane — from a cyber incident causing disruptions to businesses that depend on cloud computing.
Stransky, one of the panelists at the Advisen Cyber Risk Insights Conference in San Francisco in February, noted that clouds can fail or be brought down in many ways. Likely causes of interrupted cloud service include malicious cyber-attacks by external agents, errors by internal workers, as well as hardware and software failures.
With more and more businesses connected to cloud servers and just a handful of service providers dominating 70 to 80 percent of the market, a very extreme event, defined by AIR as one that results in cloud downtime of five and a half to 11 days, could affect up to 12.4 million businesses of all shapes and sizes in all parts of the U.S. economy.
“We came to the conclusion that a cloud going down would actually be a big hurricane for cyber,” Stransky said.
Losses for an incident that takes one of the top three cloud service providers offline for three to six days would be between $5.3 billion and $19 billion, with insured losses totaling between $1.1 billion and $3.5 billion, the AIR report said.
A cyber incident that knocks out one of the 10th- to 15th-largest U.S. cloud providers for three to six days would cause between $300 million and $1.5 billion in losses and between $40 million and $300 million in insured losses, the report said.
Stransky said while the potential losses from events like cloud failures are startling, insurers should look at the low take-up rates of cyber policies, particularly among small businesses, as an opportunity.
But even the largest businesses have significant room for growth, Stransky said, highlighting the healthcare industry, where there is only a 50 percent take-up rate for cyber insurance.
He said the hope is the AIR-Lloyd’s report will help insurers become more comfortable writing the risk if they understand the potential ramifications of being in the market and the potential losses if the worst-case scenario does happen.
“There’s a huge opportunity to grow into cyber insurance,” Stransky told the audience, noting that companies really need the protection and insurers should want them to understand why they need it.
‘Silent Cyber’
As if a cyber hurricane is not scary enough, insurers are also worried about what is called “silent cyber.” This is the cyber exposure insurers face with all-risk policies and other liability insurance policies that have not excluded cyber risk.
Kara Owens, global head of Cyber Risk, TransRe, who also participated in the Advisen cyber panel, said this is a universal exposure across the board of every product line. In other words, though insurers are writing standalone cyber policies, there is plenty of indirect exposure to cyber losses through other coverages.
“It’s very hard to come up with a [product] line that wouldn’t be exposed to it. It’s definitely a massive issue,” Owens said.
Owens cited the Uber and Yahoo breaches as examples of how silent cyber comes into play. Both companies had cyber policies and also directors and officers (D&O) policies so their breaches impacted several lines of business for their insurers.
“There are a lot of examples where you can have multiple policies exposed from the same breach,” Owens said. “And we’ve been seeing a lot more of that correlation especially with D&O.”
The challenge for an insurer is gauging the true aggregation of a major breach across its books.
TransRe has been working on addressing this issue through the building of an internal aggregation system that inputs its clients’ quarterly policy information.
“That way, if there’s a big breach, then we’re able to pull that out and say, ‘Okay, this is where we’re exposed,’” she said.
The reinsurer also does a more detailed “manual effort” where it manually tracks its larger towers — around $100 million or $200 million and up — to gather a better understanding of its overall exposure and which other carriers are on those excess towers. She said the company will also include D&O exposures in these instances.
QBE has also focused on gathering information to answer the questions about what the company’s true cyber exposure is, and the industry as a whole is waking up to this as well.
“Two years ago, we weren’t really talking about these issues of aggregation. We weren’t even talking about what silent cyber was,” said panelist Steve Anderson, vice president, product executive – Privacy & Network Security Specialty Insurance, QBE.
He said with other lines of business, data modelers and companies use historical data and are “looking backward,” but cyber companies must look forward, which is a hard adjustment for the industry.
“I still think we’re looking backwards instead of trying to look forward in what we’re going to see,” he said.
Owens agreed the newness of cyber risk makes it a challenge to adequately model and understand an insurer’s true exposure, especially because many losses that may have been cyber-related were not previously identified as such.
“We have a lot of data that we’re sitting on as a reinsurer, but it’s hard because we weren’t coding cyber properly before. So, a lot of the claims information we have was coded as miscellaneous E&O,” Owens said. “We have to manually go through all claims and we can’t change it in the system because then that’s going to mess everything up from an actuarial standpoint … and pricing.”
Regulating Cyber Insurance
Various state, national and international regulations are recommending or requiring insurers to address their silent cyber exposures. This is prompting many carriers to look at each product line to identify cyber exposures and whether they are pricing risk accordingly, or if the exposures are being adequately excluded.
“Sometimes a lot of the exclusionary language that we see out there is not by any means perfect because it was written a long time ago when it really varied by product line,” Owens said.
Some carriers opt to put an affirmative limit on a product line so “that way you know when you’re able to track your aggregation instead of just having an all-risk policy that doesn’t even mention cyber.”
She welcomed a statement from the Prudential Regulation Authority (PRA) in the UK that calls on insurers and reinsurers to identify their affirmative cyber and non-affirmative silent-cyber components. She urged U.S. regulators to come up with something similar.
“I think the PRA statement has been very helpful to have companies really start to take a look and address it in a formal manner,” she said.
QBE’s Anderson said the cloud down scenarios are definitely scary as an underwriter, but cloud networks are the current model being used. He said it’s up to carriers and brokers to understand the cloud and how secure their clients’ clouds are. “That falls to us. [Because] the reality is that is the model. So get comfortable with it,” he said.