Although underwriters are increasingly aware of the potential exposures presented by silent cyber risk, it remains a very real and urgent threat, which analysts at Fitch Ratings say is key to understanding, and therefore effectively managing, the evolving cyber risk landscape.
In a recent report, analysts at Fitch Ratings note that while property and casualty (P&C) insurers are increasingly sophisticated in the measuring of cyber risk aggregations and modelling potential losses from cyber cat events, the efficacy of this analysis is hindered by exposure to silent cyber risks.
Non-affirmative, or silent, cyber risk exists when insurance policies neither explicitly address cyber-related coverage terms nor specifically exclude cyber risks.
“This ambiguity in coverage can lead to disputes and litigation following a cyber event when insureds seek funds from available policy limits for protection; it also poses risk of reputational damage to insurers,” explains the ratings agency.
Increasingly, underwriters are gaining an improved awareness of the potential exposures posed by non-affirmative cyber risks, but Fitch notes that any remedial actions are moving at a varying pace.
As noted by Fitch, efforts are being made by insurers, reinsurers and also catastrophe risk modelling firms to address the silent cyber issue.
Most recently, AIG said that it will begin affirmatively covering or excluding physical and non-physical cyber exposures for the majority of its commercial P&C policies, in a move it hopes will provide greater clarity on cyber risk.
The specialist Lloyd’s of London insurance and reinsurance market announced that from January 2020 Lloyd’s underwriters will be required to clarify whether first-party property damage policies affirm or exclude cyber cover. Meanwhile, Allianz is stepping up efforts to provide more comprehensive cyber protection by implementing more specific and relevant wordings, and Capsicum Re and AIR Worldwide have collaborated to enhance the re/insurance industry’s modelling of silent cyber incidents.
The International Underwriting Association (IUA) has also taken measures to address the silent cyber challenge, announcing in June that it had published two new London Market model clauses to help underwriters manage cyber losses and address issues related to non-affirmative cover.
As all of these examples show, the risk transfer industry is clearly aware of the potential threat of silent cyber risks and is taking measures to improve the market-wide understanding of what is a constantly evolving threat.
Regulators have a part to play and were vital in the UK to the efforts being taken at Lloyd’s, explains Fitch, adding that in jurisdictions outside of the UK it’s likely that regulators will take a more active approach towards encouraging affirmative cyber coverage going forward.
Discussing the cyber market more broadly, Fitch notes that “challenges in measuring silent cyber exposures and the unique nature of cyber events add to the difficulty of creating cyber catastrophe models with similar analytical value as well established natural catastrophe models.”
Efforts to assess the financial impact of large cyber events are now more commonplace, and an example can be seen in the recent collaborative effort by global reinsurance brokerage Guy Carpenter and CyberCube Analytics.
The study found that a large-scale data loss from a cloud services provider could have a financial impact of $22.2 billion, while a widespread theft from a major e-mail service provider was estimated to inflict up to $19.1 billion in losses.