Pervasive nature of cyber risk worries insurers
Aggregation of exposures could cause problems as claims mount
Insurers are keeping an eye on their risk aggregations when it comes to cyber coverage. Experts say underwriters are concerned about cyber risks that are embedded in lines aside from stand-alone cyber coverage, such as property, as well as the risk of a service provider breach that could affect numerous policyholders.
Policies written by some insurers that don't specifically exclude cyber risks may face cyber-related claims even though the cyber exposures have not be underwritten nor priced, said Bob Wice, an underwriter with the Beazley P.L.C. Group in Farmington, Connecticut.
Another major issue involves business interruption, in which multiple policyholders rely on one business that suffers a network security breach, and the potential aggregation of risk, Mr. Wice said.
Along with the lack of actuarial data, risk aggregation is the biggest challenge facing the insurance industry right now, said Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C.
“We've never seen a risk as interconnected as cyber,” Mr. Beeson said.
“It's challenging enough to be able to understand how our exposure's coming from explicitly cyber coverage, but when you throw in the addition of (directors and officers) policies, management (liability), crime, even property policies — that's where it becomes even more challenging,” said Eric Cernak, Hartford, Connecticut-based cyber risk and privacy practice leader at Munich Reinsurance America Inc.
“Property is going to become much more ... on the forefront of this discussion” because cyber events can cause not only property damage but business interruption losses, and the losses can occur anywhere, he said.
Even if there were three years of actuarial experience, the exposure “is changing with the speed of technology and the common attack vectors being exploited today might not be relevant in the next three years,” Mr. Cernak said.
While some insurers have studied the issue for five or six years, “others are starting to ask questions and going through the process of evaluating their overall exposure,” said Shannon Groeber, Philadelphia-based senior vice president of the cyber/E&O practice at JLT Specialty USA.
“They're all talking about it, but I haven't seen them change their actions as a result,” said Lauri L. Floresca, senior vice president and partner at Woodruff-Sawyer & Co. in San Francisco.
“They're still willing to write multiple lines for a company without extra exclusions,” although “we've pretty clearly seen the move” to exclude cyber claims from general liability coverage, Ms. Floresca said.
As insurers' books of cyber business grow “and they become better able to model their risk, they are looking to understand aggregation,” such as whether they are heavy in one industry class, revenue band or outside providers, said Robert Parisi, managing director and national cyber risk product leader at Marsh L.L.C. in New York.
Several firms have devised or are devising models to get a better handle on cyber risk (see related story).
“Insurers and reinsurers are both taking the issue of risk aggregation into careful consideration,” said Catherine A. Mulligan, New York-based senior vice president of specialty products at Zurich North America. “Reinsurers have certainly been working with their existing models to assist with the appropriate measure of this,” but the issue is “something that the industry will continue to have to address,” she said.
In late January, Lloyd's of London said it and others had developed common data requirements to allow tracking of exposures and help underwriting the risks.
Beazley has “various scenarios to determine what our ultimate downside would be, and we manage our book to that,” Mr. Wice said. “We have studied the issue and are working to manage our limits.”
American International Group Inc. also is concerned about risk aggregation, where, for instance, a hardware provider suffers a security breach that spreads to many policyholders, said Tracie Grella, New York-based global head of cyber.
“That is where we're looking to manage our aggregation,” Ms. Grella said.