Cyber risk & aggregation - ‘the elephant in the room’ by Sarah Stephens, Head of Cyber, Technology and Media E&O, JLT Specialty
We have reached a point where individuals and institutions are consistently reminded of the threats posed by cybercrime. The high profile breaches suffered by the likes of Target, Home Depot, JPMorgan, Citibank, and Premera Blue Cross lead one to the obvious conclusion that, regardless of size or sector, no company is safe.
Cybersecurity professionals in any given organisation assess cyber vulnerabilities one organisation or one country at a time, without necessarily looking at the cumulative risk to the overall system. Individual cyber insurance underwriters can fall into the same way of thinking, and the potential for aggregation of cyber risk is the current ‘elephant in the room’ for the insurance industry. The burgeoning cyber insurance market is grappling with aggregation of risk in two main forms.
Aggregation of cyber risk across business lines
It is important for clients and insurers to understand where stand-alone cyber insurance fits with other business lines. The issue of aggregation is a potential problem because cyber is currently included in a significant number of standard insurance policies by virtue of not being excluded. In the current extended soft market cycle, many insurers outside the US market have not been commercially able to introduce clear exclusions into non-cyber insurance policies - though some do exist - as such exclusions are seen to be uncompetitive in the pursuit of business. The issue for insureds when faced with a claim against a non-cyber insurance policy is that insurers have frequently attempted to deny coverage based on ambiguities in the wording, arguing that the policy was never intended to cover cyber claims. There have been a number of cited cases in which courts have ordered pay-outs where losses were not clearly excluded, as when AIG was ordered to pay $6.8m under a crime policy issued to DSW in 2005 for a data breach which exposed 1.4 million credit card accounts.
Even if they do pay, it is likely that exclusions could be introduced at the next renewal. In many cases where cyber is included by default, no underwriting of those exposures has occurred and no modelling of the potential losses has been undertaken, leaving insurers in the vulnerable position of not fully understanding the scale of the potential loss. The industry is now facing the challenge of identifying where insurers may have incidental exposure to cyber risk with the potential to aggregate across a large book of business.
The evolving approach to cyber risk
Indeed, Clause CL380, traditionally contained in property and political risk policies and stating that insurers ‘do not cover the insured in the event of physical loss or damage in consequence of a cyber-incident’, is now being deleted in some cases, or insurers are offering to write back or buy back the exclusion. Lloyd's has itself recently introduced a risk code for cyber security property damage, as well as updating additional cyber risk codes, to allow the market to monitor the business that syndicates are underwriting. The cyber insurance market is growing steadily; however, when compared to the property or casualty markets, it is still in its infancy. The lack of historic profile and actuarial data available, including claims and case law, makes it difficult to undertake advanced modelling or to base underwriting decisions on meaningful evidence-based analysis.
Aggregation in cyber coverage related to vendor risk
A critical element of cover in cyber policies is now the fact that the policy responds even if a vendor causes the issue. In an age of IT outsourcing and the global dominance of a few providers, cloud computing is one example of this exposure. One successful attack on, or the failure of, a single cloud host could cause losses to hundreds of thousands of parties who hold their data within that cloud, putting insurers at risk of huge claims. The problem for the underwriting community is gathering the data needed to map aggregation, when it is not always realistic or possible for insureds to provide comprehensive lists of their vendors. In the case of US retailer Target, which was subject to one of the most expensive data breaches in the industry’s history, a third-party contractor was the source of the breach, allowing hackers to obtain the credentials needed to access the network. As a result, scrutiny of third-party contractors’ internal cyber security systems will increase, and it is likely that the levels of protection required to work with a company will be written into contracts.
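To make the vendor-aggregation problem concrete, the following is an added example (not code from the article or from JLT Specialty) of how an underwriter might map a book of cyber policies onto the upstream providers they ultimately depend on. The book, the vendor names and the vendor-to-provider links are all constructed for illustration; the example also separates out policies whose insureds supplied no vendor list at all, since that unmapped exposure is exactly what the paragraph above says is hard to collect.

```python
from collections import defaultdict

# Constructed sample book: policy id -> (limit in USD, declared vendors).
# An empty vendor list means the insured supplied no vendor information.
POLICIES = {
    "P001": (5_000_000, ["payroll-saas"]),
    "P002": (10_000_000, ["crm-saas", "payroll-saas"]),
    "P003": (2_000_000, []),  # no vendor list provided by the insured
    "P004": (8_000_000, ["hosting-provider-A"]),
    "P005": (4_000_000, ["analytics-saas"]),
}

# Constructed upstream dependencies: vendor -> the provider it runs on.
# Two different SaaS vendors sharing one host is the hidden aggregation.
UPSTREAM = {
    "payroll-saas": "hosting-provider-A",
    "crm-saas": "hosting-provider-A",
    "analytics-saas": "hosting-provider-B",
}


def root_provider(vendor, upstream=UPSTREAM):
    """Follow vendor -> upstream links to the ultimate provider.

    Stops if a link chain loops back on itself, so bad dependency data
    cannot hang the analysis.
    """
    seen = set()
    while vendor in upstream and vendor not in seen:
        seen.add(vendor)
        vendor = upstream[vendor]
    return vendor


def aggregate_exposure(policies=POLICIES, upstream=UPSTREAM):
    """Return (limit at risk per root provider, limit with no vendor data).

    A policy's full limit is counted once against every root provider it
    ultimately depends on, because a single outage or breach at that
    provider could trigger a claim on that policy. Provider totals are
    therefore not additive across providers.
    """
    per_provider = defaultdict(int)
    unmapped = 0
    for limit, vendors in policies.values():
        if not vendors:
            unmapped += limit
            continue
        # Deduplicate so a policy using two vendors on one host is counted once.
        roots = {root_provider(v, upstream) for v in vendors}
        for root in roots:
            per_provider[root] += limit
    return dict(per_provider), unmapped


def concentration_flags(policies=POLICIES, upstream=UPSTREAM, threshold=0.5):
    """Flag providers whose at-risk limit is at least `threshold` of the book.

    The threshold is an assumed illustrative value, not an industry figure.
    """
    total = sum(limit for limit, _ in policies.values())
    per_provider, _ = aggregate_exposure(policies, upstream)
    return {
        provider: round(at_risk / total, 3)
        for provider, at_risk in per_provider.items()
        if at_risk / total >= threshold
    }


if __name__ == "__main__":
    exposure, unmapped = aggregate_exposure()
    print("limit at risk per root provider:", exposure)
    print("limit with no vendor data:", unmapped)
    print("concentration flags:", concentration_flags())
```

On the constructed book, the two SaaS vendors both resolve to hosting-provider-A, so that single provider carries $23m of the $29m book even though only one insured named it directly; the $2m with no vendor data is reported separately rather than silently treated as unexposed.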
One of two things will occur as the industry matures – either insureds will have to accept a cyber exclusion in their traditional insurances and look to a cyber policy to fill the gap, or they will pay an additional premium and provide cyber-related underwriting information. It remains to be seen how quickly this dynamic will play out in different sectors and different lines of business, and it may not be clear for several years.
The risks posed by cyber will continue to develop and become more advanced as our everyday use of data and technology increases. From banking applications to shopping via social media, individuals and organisations are becoming ever more exposed to cybercrime. As cyber insurance market capacity grows, more meaningful limits will develop as loss data accumulates and allows more advanced risk modelling. In the meantime, insurers must work together to negate the material risk of a dangerous aggregation of exposure in the market.