In the mid-2000s, U.S. property insurers underwent an intensive effort to analyze their books of business for over-concentration of risks, particularly along the nation’s coastline. Insurers worried that a major hurricane or storm would wipe out years of reserves and sought to become more geographically diverse. It’s a sensible strategy – if one house gets knocked down by the wind, you’ve probably planned ahead by not also insuring the one next to it that may get dinged by the debris or taken out by the same gust.
In the case of cyber insurance, however, insurers are finding that it’s not quite as easy to diversify businesses geographically when hackers and cybercriminals are even less predictable than a windstorm. When it comes to cyber threats, it’s as though every organization has an ocean view, with a potentially dangerous breeze sweeping right through their servers.
As cyber insurance increases in popularity and necessity for organizations of all types and sizes, insurers have become more aware of the possibility that any one incident could trigger losses on the cyber policies for many insureds. And many more than one incidents are occurring on the hour, across the globe, more quickly than any physical peril. FireEye, a prominent security consulting firm, maintains a cyber threat map, which offers a real-time picture of this phenomenon.
The theoretical successful hack of a widely-used cloud computing service is the most common example of an event that could create breaches across several businesses. Simon Cooper, partner in the law firm of Ince & Co., wrote, “The potential aggregation of cyber risk should be a concern to everyone writing cyber risk, either directly or indirectly as an adjunct to more traditional classes. Cloud-computing is one example of this exposure: one single cyber event, such as a successful attack against or the failure of one of the cloud hosts, could cause loss to hundreds of thousands of parties by exposing large swathes of the data within the cloud. Alternatively, multiple hacking attacks might be instigated by one organization against numerous targets simultaneously as part of an organized campaign.”
Lloyd’s of London, as one of the most significant markets for cyber coverage, has already begun to sound the alarm, warning brokers and managing general agents to be aware of how much cyber risk they’re writing, as well as ensuring that if a policy is meant to have a cyber exclusion, the language had better reflect one.
In a market bulletin to managing agents, Lloyd’s director of performance management Tom Bolt, explained, “As the internet, IT and operational technology have developed over the last 20 years, individuals and businesses have become connected to each other more frequently and in more advanced ways than ever before. This development has impacted how we all do business for the better. At the same time, this has had the consequence of increasing all industries’ cyber exposure, leading to a dramatic escalation in levels of risk.”
Bolt went on to say, “For the insurance industry, this is an area of new and rapidly growing risk where the Lloyd’s market is showing innovation and bringing its specialist insurance expertise to bear. We are keen for Lloyd’s underwriters to continue to take that lead. However, while the underwriting of cyber risks provides opportunities for Lloyd’s syndicates, Lloyd’s is concerned that without proper controls there exists a material risk of a dangerous aggregation of exposure in the market. Lloyd’s is also concerned that cyber risk may not be being properly priced for nor the exposures adequately quantified by managing agents.”
In conversations with numerous cyber insurance professionals, it’s clear that the industry thinks over-aggregation of risk could become a major problem, both in terms of losses for insurers and ability to encourage more reinsurance backing for the still-evolving cyber risk insurance field. A recent A.M. Best report revealed that the majority of property-casualty aren’t yet offering cyber risk insurance, largely because they are unsure how to price or underwrite it. The companies that do sell cyber insurance generally do so with relatively low limits and firm deductibles for their insureds.
A Department of Homeland Security (DHS) report released in July 2014 examined ways to nurture the cyber insurance industry and found aggregation concerns to be one of the issues slowing its growth, among other factors. Insurers gave federal researchers some indication of what might need to be done in order to reverse the reticence in writing, including introducing some protection for businesses that share threat information and assistance in analysis of threats.
“In the absence of more cyber risk actuarial data, carriers have struggled to estimate the probable first, second, and third-order effects of a cyber attack on critical infrastructure – key information they need in order to better determine the extent of first-party coverage they should offer and how to price it,” noted the DHS in its report. “Several participants suggested that developing and exercising new cyber incident models and simulations, with insurance industry input, would help carriers better understand the value of critical infrastructure and who might pay a premium to restore it. Specifically, they stated that such tools would help them understand: what cyber risks will implicate which infrastructure components; which components present the greatest concern from a business interruption perspective; what economic and other consequences might ensue without appropriate cyber risk controls in place; and which controls would likely have the greatest mitigation effect.”
And finally, the insurance industry urged all organizations to embrace enterprise risk management as the primary defense to cyber attacks. As insurers, security consultants, government officials, and the scores of consumers and financial institutions filing class-action lawsuits promptly upon the reveal of any given data breach will observe, risk transfer enhances a good risk management program, but can’t replace it.
Aggregation of cyber risks for the insurance industry is the latest challenge in an already difficult new market. While attention is being paid to the problem, it appears, to most industry participants, that the cyber insurance market must be bolstered by the same type of cooperative risk management structure that supports other commercial lines.
In a recent Ernst & Young report, the firm noted, “Companies can identify risks and adopt risk management leading practices to ease the process of finding the right cover at the right price — with the correct reinsurance optimization. The insurance industry should insist upon this enterprise level of risk mitigation before it issues cover for large risks and data breaches.”