Cyber Business Interruption Remains Area of Uncertainty for Insurance
Although the insurance industry may have had plenty of time to wrap its mind around managing physical property threats, what about the newly growing area of non-physical threats?
Panelists at the 2018 PLUS Cyber Symposium, held in May in Chicago, Ill., discussed how the cyber-related business interruption space differs from traditional, property-related business interruption.
“We’ve got a lot of weather experience from hundreds of years of tracking that. The insurance industry knows where the wind is going to blow, so from an individual risk standpoint and from a risk aggregation standpoint, insurance companies can manage that,” said panelist Jason Glasgow, vice president in the E&O division at Allied World. “Nobody knows where the cyber winds are going to blow.”
Indeed, cyber attacks were cited as the top threat to businesses worldwide in the Business Continuity Institute’s 2018 Horizon Scan Report, with data breaches and unplanned telecom outages ranking second and third in the report.
Since 2011, the study has tracked challenges to business continuity globally by asking survey respondents about perceived threats, which have migrated over the years from adverse weather and political unrest to cyber attacks and data breaches.
However, as non-physical threats become more of a concern for business continuity, the insurance industry will need to address certain gray areas in its coverage of cyber-related business interruption, panelists discussed.
“In business interruption, we do see some gray areas on policies,” said panelist Catherine Rudow, senior vice president of North America Property and Casualty and senior underwriter of Casualty at PartnerRe. “I wonder if as claims start coming in, we’ll start to see the insurance industry figure out where in fact these losses do belong.”
Business interruption coverage began in property policies as an add-on with a built-in waiting period of as little as 48 hours to as long as two weeks in some cases to cover the revenue a company would have earned while being down due to physical perils such as fire, flood or power outages, Glasgow explained.
In the cyber world, business interruption coverage functions similarly, although the triggers involve events such as computer system shutdowns due to hacking or a data breach, and the waiting periods can be much shorter – typically a matter of hours, he said.
Recently, cyber-related business interruption has broadened beyond technology simply malfunctioning to include voluntary system shut-downs as preventative measures or anything cyber-related that interrupts a company’s ability to function, added Bob Parisi, managing director and cyber product leader at Marsh. As the market has expanded, coverage has begun to separate itself from traditional property policies.
“If companies think they are insuring business interruption by buying an additional property policy, they have to realize that they’re not because traditional property policies are retracting and pulling back to accommodate expanding cyber coverage,” Parisi said.
As cyber-related business interruption coverage continues to evolve, however, the insurance industry has struggled to understand the exposures, panelists said.
“I think we’re seeing a lot of confusion out there amongst not only organizations trying to quantify their exposure and get their arms around questions of ‘How much are we exposed? What would a potential BI loss look like due to a cyber peril?’ but also, on the insurance market side of things, it sounds like there’s the need for greater clarity as to where these exposures are,” said panelist Chris Mortifoglio, senior vice president of Procor Solutions & Consulting.
This is because although the property market has had plenty of time to build deep history and expertise, the cyber market is a relatively new area for insurers.
“Property has a lot more ability to support big losses than our cyber product does,” Rudow said.
She added that an hour-long loss in property looks different than an hour-long cyber loss because the property market has enough experience to know what questions to ask and more substance regarding how to measure the risk it is taking on involving business interruption.
“Whereas [with cyber], we’re sort of guessing,” Rudow said. “Where do we manage it and underwrite it? How do we eliminate or change how we trigger our deductible?…It’s still an area of uncertainty.”
Parisi believes that, except when it comes to privacy risk, one of the biggest struggles in terms of cyber is the lack of statistically significant actuarial data to model risk.
“It’s not necessarily the risk, it’s the lack of knowledge about the risk,” he said. “I think a truly effective business interruption modeling tool continues to be somewhat elusive.”
However, he stated this is something that he believes will simply take time.
“We won’t have a large body of claim data for a while – that’s just a function of you get 10 years of data for being around 10 years,” he said.
That said, one concern from the start has been a lack of clarity in the way terms are defined in cyber policies, panelists said.
“If you look at five cyber polices from five different markets, you’ll see six different wordings,” Parisi said. “There’s no consistency.”
As a result of the long history in the property underwriting market, there is more specificity when it comes to policies, particularly regarding standard terms such as ‘occurrence’ or ‘event,’ Mortifoglio said. In cyber, it’s less clear, panelists agreed.
Glasgow pointed to an example of a company experiencing two back-to-back outages to demonstrate the challenges around carving out language in cyber policies.
“Is [the second outage] another event? Or is it related to the first event?” he said. “It’s much more difficult than if you had a fire in a building that burns down, and that’s it – that’s the event.”
Beyond policy definitions, adding to the confusion about cyber-related business interruption is the fact that cyber differs from the traditional property market in terms of the potential for aggregation events, panelists explained.
“If you have 10 manufacturing facilities, you know very well what those vulnerabilities are. If you operate in the Gulf Coast region, you’re concerned about hurricanes. If you’re in California, you’re concerned about fires. The likelihood of all of your facilities being impacted by one single peril is minimal,” Mortifoglio said. “With a cyber peril, you now no longer have those physical constraints, and you could be impacted on a global basis across your entire organization.”
Indeed, a company could experience a total loss or a 10 percent loss, leading to uncertainty in terms of where the risk could be concentrated, Glasgow said.
The prevalence of organizations utilizing the same major technology companies also adds to the aggregation concern, Parisi said.
“There are four or five technology companies that are in every single company out there, but the market seems to kind of turn a blind eye and says, ‘We’re going to pretend we don’t know that’s the aggregation function,'” he explained. “The market says, ‘We want our insureds to be with best-in-breed technology companies.’ Well, if you encourage everyone to be with the best-in-breed technology companies, you’re funneling everyone into an aggregation position.”
Glasgow pointed to an example of the recent Amazon web service outage at the end of February.
“I can guarantee myself and every other insurance carrier held their breath when they saw that on the internet and said, ‘This is it. This is the one that’s going to be the aggregation event,'” he said. “Well, it turns out they were down for four hours. No one really had any loss.”
Although the impact was minimal, Glasgow said it did teach the industry about resiliency.
“It taught us that not only do our insureds all have resiliency, but the companies in question have resiliency in place, and they want to get up and running as quickly as possible,” he said. “So I think events like that which haven’t led to losses have informed us as well.”
In fact, Parisi said he believes the idea of a total aggregation event is a little far-reaching. This is because technology is used differently within each company, so the risk is always going to be different, he explained.
“The concept that you can just kind of ‘tip over’ is theoretically possible, but I think that’s a caution that’s a step too far,” he said.
He pointed to the Petya and NotPetya attacks of 2016 and 2017 as an example.
“That was a huge loss in the billions of dollars going through the cyber and property markets, but it was fairly constrained. The internet didn’t tip over,” he said.
With this in mind, there are still valuable lessons in some of the big data breaches of the past couple of years, even for those that weren’t impacted, panelists agreed.
“Petya and NotPetya was a very expensive proof of concept for a variety of industries that had for longest time said they would never have a problem because this wasn’t their issue; they didn’t take credit cards,” Parisi said. “But that ability for that piece of ransomware that had malware behind it to shut down multiple industries across the globe and basically break a substantial portion of their hardware is something that we need to question what we learned. It’s just as important to figure out what companies did that were in the neighborhood at the time, but didn’t get hit.”
Rudow said she believes change is already occurring as a result of claims from past breaches, and Mortifoglio agreed.
“Some of those events like WannaCry had a fairly significant impact on a relatively small number of U.S. companies,”Mortifoglio said. “As a result, we have a combination of companies and carriers becoming more aware of these exposures and more aware of the benefits of coverage related to cyber, as well as a lot more requests to buy business interruption coverage.”
Rudow added that although the industry doesn’t quite have all of the answers yet, it is working through them and will need to continue to adapt in order to find its footing in the future.
“By my calculations, we come to market between $3.5-4 billion, so we’re still very small,” Rudow said. “Even the NotPetya attacks would have destroyed the market had they been fully insured, and it was a small number of companies that were hit. I think we need to start promoting ourselves, making ourselves attractive and having some scale, so we can handle a large loss when it comes through.”