Part 4 of ‘One Byte at a time: a series on Cyber insurance’ defines silent cyber and looks at which insurance policies could be triggered by silent cyber risks.
Back in the 1990s, data was commonly stored in standalone secure business systems. In the 2000s, Internet access and highly connected systems emerged. Nowadays, data can be accessed anywhere and anytime – through your phone or even your watch. The escalating interconnectivity and digitalization also mean we are facing an increasing array of cyber threats: hackers, malware, cybercrime, data breach, identity theft, insecure code, cyber terrorism, human error, critical infrastructure attacks…
Cyber attacks like NotPetya have shown that cyber risks have the potential to result in significant costs affecting various lines of business.
Silent cyber refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. However, coverage in case of a cyber incident might be ambiguous and unclear due to inexplicit policy wording. Unassessed or unmeasured cyber exposure under conventional policies may arise where the policy is silent on cyber, where it contains a cyber exclusion that does not comprehensively define cyber (whether intended or not), or where it contains a cyber inclusion that is ambiguous, unclear or incomplete.
Some possible scenarios
Imagine a cyber attack on a digital controlling system of a factory. The computer malfunction triggers a fire which damages the insured’s property or causes machinery breakdown. This is typically covered under the Fire / ISR insurance of the insured and Contingent Business sections of its customers. This is an example of how a ‘silent cyber’ risk can activate a traditional property policy. There has been an actual case of such an event at a German steel mill, where the property damage losses were paid out under a property policy.
Silent cyber risks can also affect liability lines. Imagine the same scenario as above, but the fire is so severe that it causes an explosion in the industrial plant, and flying sparks cause inadequately secured hazardous goods on neighboring sites to explode, potentially causing human casualties.
How about a patent law firm which has lost its clients’ intellectual property due to a cyber hack? This breach of confidentiality of the clients’ intellectual property can trigger a Professional Indemnity claim for negligence in protection of the clients’ data.
Cyber risks such as data breach are already affecting the Directors & Officers class of business. In December 2016, Yahoo announced that 1bn users’ information had been stolen in August 2013. In July 2017, Yahoo announced that it would be selling its core business to Verizon Communications. The data breach disclosure had a material and readily identifiable financial impact on Yahoo, as it resulted in the $350 reduction of the amount that Verizon was to pay for the Yahoo acquisition. This triggered a shareholders’ securities class action which was settled for USD $80m in early 2018.
What are insurers doing about this?
Insurers such as Allianz were among the first movers in the market to review their policy wordings for commercial lines to exclude cyber risks more explicitly and to market standalone cyber insurance policies to provide such coverage for their customers. More recently, AIG also announced the same approach to turn silent cyber into affirmative cyber coverage.
Whilst some insurers have yet to embark on that path, some brokers have offered reinsurance facilities which can address silent cyber risk affecting multiple lines of business as a solution.
How does this affect actuarial work?
Since silent cyber risk can affect all lines of business, how would it affect claims experience data? Should actuaries expect to see an increase in frequency and severity of losses?
The recommendation here is for actuaries to actually step away from the data and statistics and put a more holistic thinking cap on.
Is cyber risk really a new exposure that is not covered in traditional policies? Take, for example, a malware-driven cyber attack causing fire at industrial plants. Fire is not a new peril; it has always been and will still be covered under any fire/ISR policy. So the loss on a per-policy basis will not vary just because it is caused by a cyber risk. What actuaries do need to consider, though, is the scenario of malware which targets a number of industrial plants, causing multiple losses. How should the accumulation impact be quantified?
Actuaries also need to bear in mind that technological advancement and greater interconnectivity don’t necessarily mean a one-way deterioration in claims experience due to cyber exposures. Greater connectivity can also improve claims experience: for example, the use of sensors and the development of IoT mean that monitored anomalies can trigger notification and automated corrective action in a more timely manner.
Lastly, actuaries should always keep an eye on emerging trends. Noting the Yahoo case previously mentioned as well as the Equifax case – will it open the floodgates for more securities class actions? Potentially. Again, one needs to balance the impact of changing legislation related to data breaches against the fact that IT security technology is also advancing to protect companies against data breaches.
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.