The hype around cyber insurance and the focus on data breach has resulted in myopia: cyber risk includes much more than a company’s data as an asset. What may historically have been insurance coverage focused on protecting against risks to a company’s databases, email, customer tracking systems, etc., has spread to include risks that impact a company’s physical assets and supply chains. These cyber risks impact any physical part of a business that interacts with a company’s digital assets.
Traditional data breach-focused cyber insurance products don’t solve cyber challenges that most companies face in today’s fast-changing business environment. Instead, they are often trying to protect against a specific risk in a world in which that risk—a cyber attack—knows almost no borders within a company’s operations.
These “black swan” cyber events—which are difficult to see coming, and whose spread once they do impact a company is difficult to predict—are becoming increasingly likely or more severe. Companies’ digital and physical assets are beginning to merge in ways that were not possible even a few years ago.
Cyber events are leading to business interruption in ways that were never foreseen or appropriately accounted for in most of today’s commercial insurance products. Take the case of logistics giant, Maersk, which in June 2017 fell victim to the NotPetya cyber ransomware attack. The company subsequently reported that its Q3 results were negatively impacted by $200 to $300 million as a result of “business volumes being negatively affected for a couple of weeks in July” due to fallout from the cyber attack.
Maersk later acknowledged that its commercial insurance policies, including liability insurance for assets such as vessels and other materials, come with exclusions for cyber. In the case of Maersk, the commercial insurance products it purchased didn’t meet the full scope of its risks, including the reality that a cyber attack on the firm’s operations has a direct, real-world impact on the company’s physical assets and commercial operations.
What we formerly believed were rare events are becoming less rare and more mainstream. Because of the perceived rarity of events and the surprising origins of loss mentioned above, this cyber risk may unintentionally be included—or, more accurately, often not excluded—in a range of insurance policies outside the core direct cyber market. If this is the case, it is almost certainly not priced for.
The increasing normalisation of cyber attacks may cause some businesses and insurers to wrongly assume that cyber is something that can be purely relegated to its own product set, rather than being integrated across the whole of a company’s product offering, from property to D&O to E&S, etc.
The entirety of a company’s digital and physical assets is now vulnerable to cyber attack. This necessitates a total rethink in how insurers approach cyber and the types of cyber coverage they offer to deliver more effective products to the organisations they serve.
The way forward
What can insurers do to prepare their product offerings and their clients for this new face of cyber?
First, it’s important to understand that cyber attacks often target a company’s intellectual property, such as was the case in the 2014 hack of film studio Sony Pictures. A company’s intellectual property, which for some firms is their most valuable asset, would not be considered a traditional cyber risk. However, in today’s fast-changing business environment, these intangible assets are fast becoming the target of hackers, requiring insurers to blend traditional cyber coverage with other lines of business coverage that may be tangentially impacted by an attack.
Second, the reputational risks associated with cyber attacks can be equally, if not more, damaging to a company than the damage to its digital and physical assets. In the Sony Pictures hack, potentially billions of dollars of future earnings were eroded after producers, directors, actors and others lost faith in the studio and its ability to protect their intellectual property and privacy from hackers.
Finally, insurers need to create cyber products that cover both a company’s digital assets—those which are most likely to be directly targeted by hackers—and its non-physical assets (such as intellectual property and corporate reputation). The narrowness of most cyber product offerings doesn’t allow for the proper transfer of risks between a company’s digital assets and its physical assets.
The evolution of risks from tangible to intangible assets is creating new coverage gaps that insurers must protect against if they are to fulfil the needs of their insureds.
The world is changing, and cyber risks are becoming far more prevalent across most developed economies. Digital risks for businesses are now inherent in almost every activity a company undertakes. In 2018 there will be a renewed focus from regulators, senior executives and reinsurers on the impact (or potential impact) of “silent,” or non-affirmative, cyber coverage and the correlation with affirmative cyber coverage.
It’s time insurers woke up to the changing face of cyber risk.
Dan Trueman is the global head of cyber at AXIS Insurance. He can be contacted at email@example.com