16 Nov

  • By Patrick Bousfield
  • In Cyber
  • Comments None

Executive Summary

The insurance industry needs to address non-affirmative cyber in a meaningful way. Capsicum Re uses the term non-affirmative cyber (or silent/passive cyber) to refer to instances where the cyber peril is neither explicitly included nor explicitly excluded within an insurance policy. This presents obvious problems in an increasingly interconnected and interdependent business environment. There is a growing concern for policyholders surrounding non-physical perils such as network/system failure that can cause disruption to business continuity and profitability. Affirmative cyber cover refers to insurance policies where the peril is defined and coverage’s are explicitly set out within the policy document.

This report attempts to summarise the current state of the cyber market – focusing in particular upon non-affirmative cyber exposures and where the market can address them.

In the first section, we identify four current factors which are changing the dynamics of the cyber insurance market.

1) Increasing regulatory pressure.
2) Increasing frequency of large cyber-attacks / market losses.
3) Lack of uniformity in implementation of Cyber exclusionary wording.
4) Potential macro shift in the existing soft market dynamics.

Following this, we discuss three foreseeable directions in which the cyber insurance market may move in reaction to these factors.

We will also examine solutions for insurers which have developed naturally from the need to address non-affirmative cyber exposures. Then, we go on to discuss existing reinsurance solutions to address and protect against both affirmative and non-affirmative systemic and aggregation losses in cyber/noncyber portfolios:

Non-Affirmative Cyber Products

1) Cyclone – clash of net retentions
2) Systemic aggregate tail protection

Affirmative Cyber Products

1) Aggregate Per Policy Excess of Loss
2) Aggregate Stop Loss
Potential solutions to bring ILS markets into the cyber insurance market

“To me, the elephant in the room today is what we call the ‘cyber’ issue. The growing inter-connectivity of computers, their ability to learn from each other and the fact that the world’s economy has become absolutely dependant on the internet raises huge new challenges for the insurance industry.”

Extract from Stephen Catlin, Risk & Reward: An Inside View of the Property/Casualty Insurance Business

Changing Dynamics of Cyber Insurance

We have identified the following key drivers changing the current dynamic of the cyber insurance market:

1. Increasing regulatory pressure

The UK’s Prudential Regulation Authority (PRA) recently released a consultation paper and supervisory statement on their expectations of firms regarding cyber insurance underwriting risk. In short: “the PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk(2).” The PRA statement covers both non-affirmative and affirmative cyber risk. Specifically, for non-affirmative cyber risks, expectations are placed on firms to consider:

  • adjusting premiums to reflect the additional risk and offer explicit cover;
  • introducing robust wording exclusions; and/or
  • attaching specific limits of cover.

The rating agency A.M. Best presents a similar rhetoric:

“[A.M. Best] expect companies to be proactive and forthcoming with their own evaluation and measurement of the exposure and accumulation of their cyber liability exposure.”

2. Increasing frequency of large cyber-attacks/market losses

Another key element which is forcing (re)insurers to reevaluate their approach to cyber (re)insurance is the sheer scale and frequency of losses impacting policies. In 2017 there has been a dramatic increase in the number of ransom-ware attacks – according to Cisco, ransom-ware attacks are growing at a yearly rate of 350%(3). The way in which modern business is conducted, via interconnected global networks, only serves to spread ransom-ware around the world at exponential speeds. Ransom-wares such as WannaCry and NotPetya grabbed headlines in 2017.

The first, WannaCry, is estimated to have impacted more than 400,000 computers in 150 countries(4), with an economic loss in the region of $4-$8 billion(5). The impact for (re)insurers however, is minimal. The effects of WannaCry on insurable losses such as business interruption and physical damage were limited; many companies were able to restrict the proliferation of WannaCry within their networks and could recover encrypted data via backups.

NotPetya on the other hand, a wiper disguised as ransom-ware, has left a lasting impression on many businesses. This can be attributed to the design of NotPetya; it intended to destroy, sabotage and disrupt businesses, rather than extort for financial gain. Following the aftermath of NotPetya, many companies reported disruptions to business extending for several weeks, in additional to permanent physical damage and unrecoverable data losses(6). Several global organisations have reported staggering losses of revenue running into the 100’s of millions. However, as of yet the quantum of insured loss is still being calculated.

It is interesting to note that traditional cyber breaches (expected to be covered by affirmative policies), such as the breach reported recently by Equifax(7), can cause significant losses to cascade through to other towers, such as D&O. In this manner, non-affirmative cover is affected despite the fact there is an affirmative cover in place.

 

Kara Owens, Global Head of Cyber Risk at TransRe remarks:

“As the (re)insurance industry sees exposures grow and claims notifications into traditional insurance product lines rise from cyber related incidents, it is in the industry’s best interest to properly assess, price and track these exposures. TransRe is following events such as WannaCry, Petya and airline system outages closely. We are evaluating silent and affirmative exposures and will be pushing for proper exclusionary language and underwriting controls as it relates to cyber related exposures within traditional lines such as property and marine.”

 

3. Lack of uniformity in implementation of cyber exclusionary wording

Following the NotPetya cyber-attack, there is speculation that several of the affected publicly listed companies may seek recoveries from both cyber and property insurance towers (due to hardware physical damage and associated business interruption costs).

For example, Merck & Co., an American Pharmaceutical company, reported severe disruptions to its manufacturing capabilities(8). As a result, it is estimated that Merck’s business interruption has been heavily affected which could run into the 100’s of millions. In Merck’s second quarter report they highlighted the following issue surrounding insurance coverage on (assumed) non-affirmative cyber property policies(9):

“The Company has insurance coverage insuring against costs resulting from cyber-attacks. However, there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident.”

This lack of clarity creates ambiguity for the insured, unknown exposure for the insurer, and exponential aggregation for reinsurers. This prompts discussion surrounding the current cyber exclusions used in (re)insurance contracts, some examples include Lloyd’s CL380 and NMA2914. Leaving the courts to decide whether damage arising from a cyber event is covered in a property policy is a failure of the industry to address evolving exposures. It will be interesting to see how the overall market reacts to these losses and future court decisions. We may also see organisations themselves seek large limit standalone cyber cover to protect against ‘catastrophe’ style cyber losses like NotPetya.

4. Potential macro shift in the existing soft market dynamics

“As market conditions change following Harvey, Irma and Maria, nonaffirmative cyber will need to be addressed now.”

– Paul Merrey, Insurance Partner, KPMG

With the ongoing active wind season in the Atlantic and large cyber events in 2017, (re)insurers are experiencing significant losses. While it is unknown if the loss events in 2017 will lead to a hardening of the soft market or any pricing changes, there is speculation that reinsurers may look to push back on the inclusion of non-affirmative cyber in property and other classes of business (see TransRe remark above). The potential mounting losses from around the world might be the driver that forces insurers to adequately calculate and affirmatively accept cyber exposures, which their policyholders are taking on in their everyday businesses (e.g. increasing automation, robotics, lights out manufacturing).

In reaction to the factors discussed previously that are driving change in cyber insurance market, we have identified three foreseeable directions in which the market may move in the coming years.

1) Remain unchanged

First is the possibility that the cyber insurance market will remain largely unchanged; insurers will continue to underwrite (or in the case of non-affirmative, not underwrite) cyber business in the current manner. In this scenario, the majority of insurers will continue to include (or not exclude) cyber on more traditional polices such as property, casualty, D&O and E&O, while a minority of ‘specialist’ insurers write standalone cyber cover. This presents many challenges which are identical to those identified by the PRA.

Cyber risk is, by nature, an extremely complicated risk to evaluate, and thus it is difficult to correctly calculate premium on non-specialist cyber policies. Furthermore, from a portfolio standpoint, determining exposure and aggregation to a specific cyber incident is a complex task. This in turn makes it difficult for insurers to be confident they have adequate reserves to handle a large number of claims at one time occurring from a catastrophic global cyber-attack(10).

Continuing in this direction will expose the industry to:

  • A continued lack of understanding / knowledge to correctly price / assess non-affirmative cyber exposure.
  • A potential increase in non-affirmative cyber exposures, which though recoverable by way of insurance are not appropriately being assessed.

Ben Love, Head of Business Development at Hiscox Re comments:

“Hiscox Re are actively pressing for changes and clarity that will better serve all stakeholders, by offering specialist cyber products, and pushing exclusions elsewhere.”

2) Underwriters gain necessary knowledge for cyber

A second possible direction is for underwriters currently exposed to non-affirmative cyber to gain the specialist knowledge necessary to properly understand the risk and exposure that non affirmative cyber cover brings. Underwriters may then begin properly adjusting premiums for cyber, or possibly including specified sub limits to restrict the exposure to cyber risk.

This process however, is likely to take several years to implement and propagate adequately throughout the industry. At a time when combined ratios are near 100%, additional investment in specialised knowledge and training is difficult to justify.

Dan Trueman, Chief Innovation Officer at Novae comments:

“Cyber underwriting is a specialist class. The nuances in pricing and aggregation across and between cyber risks requires expertise. We consider it both surprising and unsustainable that cyber risk could be included within so many policies with effectively no information being requested and no regards to the measurement or level of systemic exposure being taken on.”

3) Consolidation of affirmative cyber covers; standalone policy offerings

A third potential direction is an industry shift toward affirmative cyber policies designed to cover non-affirmative cyber exposures. We are already seeing this happen to some extent within the market, where affirmative cyber products are evolving from what was historically a non-affirmative product (we discuss this further in the following section). This alleviates the burden on underwriters who have limited knowledge/ resources to evaluate and underwrite cyber risk, onto specialist underwriters who only write cyber risks.

Having specialist cyber underwriters write cyber risks provides many advantages over traditional underwriters (who write non-affirmative cyber back into policies which have not been designed to accommodate the risk); not least the ability to price risk and manage the aggregation within portfolios.

This is echoed by A.M Best:

“[A.M Best] believes a transition to standalone cyber policies may contribute to better pricing and reserving methods, which ultimately may lead to refinements in modelling tools and contribute to more accurate understanding of risk aggregation(11)

In reality, it is likely that the future shape of the cyber insurance market will be some hybrid of the above mentioned directions. The catalyst for change may then be a catastrophic loss in the cyber or general insurance market, which forces insurers to evaluate their approach to underwriting non-affirmative cyber.

“(The Lloyd’s) report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurer’s claims costs.12”

– Inga Beale, CEO of Lloyds

Exposure to cyber risk is an obvious and dangerous peril if left unmitigated or reviewed. The challenge facing insurers is how to assess, quantify and charge appropriately for this risk.

Unlike elemental perils which are restricted by geography, truly systemic cyber risk is not limited by boundaries and could be a global threat, across multiple sectors of business, as NotPetya has shown. In addition to this, the threat environment within cyber changes constantly which makes the development of models for risk assessment difficult.

“Ambiguity in cyber coverage, indeed any coverage, serves no-one and can lead to potential court room misery for all involved. Cyber products have to evolve to avoid this: the cyber peril must be specifically identified, evaluated and priced for.”

– Ben Love, Head of Business Development, Hiscox Re

A number of affirmative cyber solutions have emerged to address the challenges mentioned above, and act to pull the cyber peril out of non-affirmative covers. A few examples of affirmative cyber solutions include:

  • Brit – Brit Cyber Attack Plus (BCAP)(13)
  • Aegis – Cyber Resilience Plus(14)
  • FM Global – Advantage Policy Cyber(15)

For the sake of exposition, we explore in more detail the coverage and design of BCAP below, as it is one of the largest products currently available, with $200-$350 million of capacity (depending on the risk). This product arose from broker requests to write back the CL380 exclusion clause into terror contracts. It was originally a Property Damage and Business Interruption cover designed to respond when/if an insured suffers unauthorised/malicious attack to their SCADA systems and suffers loss as a result.

In response to changes in the cyber insurance market and broker input, this product expanded to offer limits resulting from the same malicious / unauthorised access but now provides indemnification for other covers in addition to Property Damage and Business Interruption.

Example coverage available in this product and others include:

  • Non-damage business interruption
  • Loss mitigation expenses
  • Digital asset restoration
  • Cyber extortion
  • Crisis management costs
  • Bodily injury
  • Contingent business interruption
  • System failure
  • Notification costs

Additionally, and most relevant to the insurance industry as a whole, is the utilisation of 3rd party expertise (IT consultancy firms and cyber vendors) to support the underwriting process of primarily affirmative cyber.

Standalone products such as the above aim to counteract existing non-affirmative cover by affirmatively analysing and understanding cyber risk behaviours within the insurance market and has a number of benefits:

  • Ensures a good degree of information exchange to support the underwriting.
  • Establishes a clear / definable coverage set in return for a pre-agreed indemnification.
  • Litigation among other lines of insurance will be minimised if there is a cyber specific insurance contract in place rather than the prevailing silence we see on most lines.
  • Ensures the right experts are seeing and contributing toward risk assessment.

Russell Kennedy, Divisional Director, Brit Insurance, has this to say on the subject:

“Current soft market conditions threaten to undermine the creation of what should be the most exciting area of the cyber market going forward. Business continuity faces no greater threat than those posed by a breakdown in IT infrastructure whether at the micro or macro level. Brit have devised an underwriting methodology, risk assessment tools and aggregation management approach which will enable us and our consortium partners to assess this risk in a considered fashion. The applicability of our product across all business industry is endless and could result in $BNs of new insurance premium if managed correctly. Rather ironically a lack of underwriting discipline is perhaps the greatest threat to this potentially expansive “new” class of business.”

Historically, insurance has served as a vessel to provide solutions to ‘protect against’ a peril, providing means for risk management and mitigation. The products discussed in this section are some solutions aimed at taking the non-affirmative exposures and ambiguous cover out of the traditional insurance marketplace, serving precisely as tools for risk management and mitigation. Furthermore, these solutions add value through education surrounding the cyber peril, which may be fully utilised by policyholders.

Geoff Pryor-White, Chief Executive Officer at Tarian Underwriting Limited comments:

“Cyber insurance is in its nascent stages, but has grown greatly over the last five years from an estimated $850m global premium spend to an expected $4.5bn this year Tarian have made great strides with all “traditional” lines of business to help them understand the risks that they are picking up, either affirmatively or with silent cover. It is our view that affirmative cover provides the best solution for our mutual clients, as we can work with them to ensure that they have the appropriate cover for their needs, at a sustainable price, and with the risk management advice that benefits the risk posture.”

 

“Novae see this area of the cyber industry market as potentially one of the greatest areas of growth within the insurance industry. Thus, we have dedicated a great deal of time into ensuring that we can appropriately underwrite this risk and provide a meaningful solution for our clients.

Not only this, but we feel that with the expertise we have within the team, we can offer our clients a level of education surrounding their exposure and how to deal with it, which you simply would not receive from a non-affirmative policy.”

– Mike Shen (Head of Cyber Innovation, Novae)

Cyber reinsurance products, non-affirmative or affirmative, should be designed to reflect the underlying risk exposure. At Capsicum Re we are seeing reinsurance products begin to address these issues, whilst also tackling the issues of limited reinsurance capacity and regulatory oversight. As an example of regulatory reporting required by Lloyd’s of London, syndicates are required to report on Exceedance Probability (EP) / Probable Maximum Losses (PML) for various cyberattack scenarios. In the absence of widespread probabilistic modelling, Lloyd’s reporting can form a basis for structuring reinsurance products. Vendor modelling outputs will play a larger part in the future, once they have been tested and shows signs of a convergence of methodology.

Products – Non-Affirmative Cyber

Given the potential severe quantum of non-affirmative cyber loss/exposures we expect non-affirmative products to become more standardised as modelling improves in this area.

Aggregate Products

Products have emerged to deal with the potential clash of exposure to various lines of business from one cyber loss. Such scenarios are studied and reported at length amongst companies. All products within this space focus on providing tail coverage for a systemic multi-line cyber loss on a net of reinsurance basis. This coverage was developed to assist in the absorption of potential exposure from a lack of uniformity in cyber exclusions in a portfolio. To address this, products must be tailored to further encompass the correct exposures.

As an example, our solutions for this include:

  • Cyclone – clash of net retentions product.
  • Systemic aggregate tail protection.

These products are structured for capital efficiency, inclusion of affirmative cyber and profit sharing mechanisms.

Products – Affirmative Cyber

Aggregate Per Policy Excess of Loss

This product is designed to mimic original cyber policies and allow Insureds to aggregate individual claims from a single policy.

Aggregate Stop Loss

A Systemic or a capital impacting event is something most insurers and regulators are concerned with in cyber. The stop loss product ensures the overall net result of the portfolio is protected against any kind of aggregation of losses, including small attritional claims. Often, co-participation and profit sharing terms are included to ensure interests are aligned.

“We have designed a number of structures, pricing methodologies and contract forms that will assist a cedent’s risk transfer needs and facilitate capital/regulatory relief for this as yet poorly understood but increasingly prominent peril.”

– Robert Ashton, Cyber Treaty Reinsurance Underwriter, Fidelis

Multiple cyber insurance loss vectors:

  • Systemic losses or aggregation losses (a collection of smaller claims), put demand on vertical limits and, therefore insurers should consider at minimum the potential frequency of claims.
  • The extent of exposure for third party liability, business interruption and physical damage varies widely between industries.
  • A cause of loss such as malware may lay dormant for a long time before being activated and/or discovered. This makes it difficult to apply traditional reinsurance catastrophe clauses in which a time period is required for covered (e.g. Hours Clause).
  • Actors in cyber events are often unknown; hence the definition of a cyber event needs to be carefully identified as it should only encompass the required and understood coverage.
  • Historical data becomes less relevant due to the changing nature of cyber risk over time (for example, prevalence of data breaches to ransom-ware(16))

Potential ILS Solutions

In the current market place the main driver of volatility, and hence of capital, is property catastrophe. In the future it is likely that cyber will also sit alongside property catastrophe as one of the key drivers of capital(12). Therefore it is worth considering, due to both the scale of the class and its volatile nature, on which balance sheet the cyber risk appropriately exists.

In the last 15 years we have seen an explosion in the amount of capital in this space from insurance-linked securities (ILS) capital. This was driven by investors seeking an asset class which had a high, non-correlating return and this was enabled by the evolution in property catastrophe models. While the situation is not the same today for cyber as it was for property catastrophe 15 years ago, interest is mounting from the ILS markets surrounding cyber risk, which may lead to ILS playing a major role in the cyber space.

Many elements are driving the increasing interest in cyber focussed ILS portfolios:

  • With the investor base changing, many funds are transitioning towards lower returns on perceived less volatile books.
  • The addition of cyber to an ILS portfolio further aides diversification from other asset classes.
  • As opportunities diminish in the property sector (although the full impact of the 2017 wind season is still to be fully realised), funds are looking to deploy capital away from property. Some funds view cyber as the obvious next area to focus on.
  • Vendor cyber models are beginning to offer some theory around deterministic and (less so) probabilistic scenarios, giving funds greater levels of comfort.

At present, it is easier to structure ILS capacity to cover components of non-affirmative cyber such as property damage and business interruption, due to the way in which triggers may be specified. Structuring for affirmative cyber events such as data breaches is proving to be a challenge but has been done on a limited basis.

Authors

Global Head of Cyber
Ian Newman
Ian.Newman@capsicumre.com
Tel: +44 (0) 207 204 6000

Head of Cyber Analytics
Maryam Abdullah
Maryam.Abdullah@capsicumre.com
Tel: +: +44 (0)20 3425 3418

Affirmative Cyber Insurance
Johnny Fraser
Johnny.Fraser@capsicumre.com
Tel: + 44 (0)20 7204 6079

Non-Affirmative Cyber Reinsurance
Patrick Bousfield
Patrick.Bousfield@capsicumre.com
Tel: + 44 (0)20 7204 3091

Supervisory Editor
Conrad Williams
Conrad.Williams@capsicumre.com
Tel: +44 (0)20 7560 3121

References

1. Stephen Catlin, Risk & Reward: An Inside View of the Property/Casualty Insurance Business.
2. http://www.bankofengland.co.uk/pra/Pages/publications/ss/2017/ss417.aspx
3. https://blogs.cisco.com/financialservices/ransomware-lessons-for-the-financial-servicesindustry
4. https://blog.barkly.com/wannacry-ransomware-statistics-2017
5. https://www.reinsurancene.ws/reinsurance-take-minimal-share-8-billion-wannacry-economicloss-m-best/
6. http://www.securityweek.com/notpetya-attack-costs-big-companies-millions
7. https://www.equifaxsecurity2017.com/
8. http://www.mrknewsroom.com/news-release/corporate-news/merck-announces-secondquarter-2017-financial-results
9. https://www.sec.gov/Archives/edgar/data/310158/000031015817000037/mrk0630201710q.ht m
10. https://www.theregister.co.uk/2017/07/11/pra_insurers_may_have_to_adjust_policies_to_r eflect_silent_cyber_risks/
11. http://news.ambest.com/presscontent.aspx?altsrc=14&refnum=25414
12. https://www.lloyds.com/news-and-insight/press-centre/press-releases/2017/07/cyber-attackreport
13. http://www.britinsurance.com/brit-global-specialty/war-and-terrorism
14. https://www.aegislink.com/aegislink/services/underwriting/products/cyber-coverage-andservices.html
15. https://www.fmglobal.com/products-and-services/products/the-fm-global-advantage-all-riskpolicy/cyber-property-coverage
16. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

 

This document has been prepared by Capsicum Reinsurance Brokers LLP (for itself and on behalf of each affiliate) “Capsicum” at the request of and for the exclusive and confidential use of the recipient only. This document is provided to recipient on condition that the recipient shall treat it as strictly confidential and shall not communicate it in whole, in part or in summary to any third party. Capsicum assumes no duty in contract, tort or otherwise to any third party (excepting any liability which as a matter of law cannot be excluded) in respect of the underlying data or any material based upon it and no third party should expect Capsicum to owe it any such duty.

Capsicum shall retain any and/all copyright and other forms of intellectual property or other proprietary rights subsisting anywhere in the world (together, “Intellectual Property Rights”) in any and/all works; developments (including but not limited to any ideas, know-how, techniques, documentation, software and reports) and materials (including but not limited to any design, specification, instruction, software, information, data and documents) used or produced b Capsicum whether individually or in conjunction with others in connection with this document. The recipient does not acquire any right or license in relation to any Intellectual Property Rights owned or used by Capsicum by virtue of this document being provided to the recipient. Acceptance by the recipient of this document shall be deemed to be agreement by the recipient to the above.

© Copyright 2017 Capsicum Re. All rights reserved: No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by means, whether electronic, mechanical, photocopying, recording or otherwise, without the permission of Capsicum Re

Leave a Comment