Panellists Win-Li Toh, Dr Michael Neary and Ross Simmonds explored the future possibilities, challenges and opportunities for insurers of cyber risk in the Concurrent session ‘Evolution of Cyber Risks and Insurance’.
A few days before the 2021 All-Actuaries Virtual Summit, a cyber-criminal gang shut down a major US fuel pipeline. It was a timely reminder of the real-world urgency to address cyber vulnerability – and just how complex it is to protect against it. Cyber is now topping the lists of risk for executives in many surveys, while the New York regulator recently issued advice on underwriting cyber risk, and it is now a policy priority for APRA.
Ideal conditions for threat
Cyber risk appears to be increasing at an almost alarming rate, as more and more data is being captured and held in the cloud, and connectivity between systems increases at pace. In 2020, the situation only intensified, as the pandemic confined us to our homes, with many working from insufficiently protected devices. All these scenarios create ideal conditions for potential breaches.
To further complicate matters, ‘silent cyber’ – the grey area in an insurance policy, where cyber risk is neither explicitly covered nor excluded – is being removed from policies. Lloyd’s, for example, phased out silent cyber in all Property & Casualty lines in 2020 and is phasing it out of all Directors & Officers’ lines this year, so that cyber risk is either excluded or explicitly priced for.
Looking back for a way forward
Win-Li observed there are many similarities between how the first insurers three centuries ago handled traditional liability lines such as fire and shipping and how insurers are now handling cyber risk as a relatively new line of business. This is because at the core of all of these lines, across the centuries, the insurance industry has been uniquely placed to:
- help set standards to protect the community through underwriting and claims assessment processes;
- adeptly manage incidents in the immediate situation and in recovery; and
- expertly share the risk when it is concentrated.
The particular challenge with cyber risk is that insurers now need new ways of assessing exposure risk and sharing it.
Exposure and the power of attack surfaces
Ross encouraged actuaries and insurers to assess exposure using measures that are easy to measure, stable and correlated to the risk. He suggested looking at the ‘attack surfaces’ – the scale and vulnerability of external and internal points, the types of technology used by a firm, and the stance towards cyber risk of any software provider or vendor the firm is reliant upon. Another important consideration, he said, is the firm’s information security management system (for example, is it ISO 27001 certified?).
Equally, insurers should provide feedback to insureds so they can improve their risk posture and the insurer can improve its service (e.g. through pricing and/or claims fulfilment).
Diversification is another challenge with cyber risk. In usual liability lines, diversification of risk can be achieved through diversifying geographic exposures. This is not possible with cyber, as threats transcend geographical borders and can spread globally in an instant. Instead, diversification can be achieved by considering exposure to the different attack surfaces across all policyholders.
Who’s the winner in an act of war?
Another aspect of particular importance in managing and insuring against cyber risk is knowing the origin of the attack. Michael pointed out that if the attack originates from a state‑based actor, the courts have considered whether this might be excluded as an act of war. This is the basis of a claim by Merck & Co, ultimately for $US1.3 billion, from its insurers for a cyberattack in 2017, which is still before the courts.
One of the big questions this raises for policyholders is what insureds can do in these kinds of circumstances to recover from an attack. The important question for public policymakers is what protections can be offered to assist in recovery from attacks by state-based actors, including who can insure for that and at what premium.
The path ahead: agile solutions and an ear to listen
Michael noted, “There will be things the insurance industry will not cover, so we need to include all stakeholders in the conversation.” This will help us find agile solutions that enable people and businesses to thrive in an ever-changing environment.
In concluding, Win-Li challenged those working in insurance to change their mindset from “How can we modify traditional policies to cover cyber?” to “What are consumers telling us they need, and how can we listen effectively to ensure we tailor policies to meet those needs?”