Cyber insurance is a growing class of business and one that presents many opportunities, particularly given the challenging market conditions we are operating in. But how well do we understand the risks that our clients are exposed to? More importantly, how well do we as an industry actually understand our own exposure to these cyber threats? Cyber-attacks can arise and multiply in unexpected ways; we only have to look at the attack last year on Dyn (the largest distributed denial of service (DDoS) attack in history) to see this. With the advent of new technologies, our growing reliance on the cloud, and the increasing hyper-connectivity globally, the threat is exacerbated and it has been brought to the attention of the regulator.
In November 2016 the PRA published a consultation paper setting out its expectations for the prudent management of cyber underwriting risk, for affirmative cyber insurance policies (such as a data breach product) as well as non-affirmative, or ‘silent-cyber policies’ (implicit exposure within all risks and policies that do not explicitly exclude risk). The PRA’s work has shown that firms do not have clear strategies and risk appetites for managing risk; those firms also do not have sufficient expertise to monitor and manage the exposure emanating from cyber risks. There is almost universal acknowledgement of the loss potential of ‘silent’ risk, and the potential for a significant ‘silent’ cyber insurance loss is increasing all the time.
This is not good news for an industry whose job is to assess and analyse risk, so what is the solution?
One of the problems facing the industry is that the current exposure management is not good enough. There is an urgent need to invest in and develop cyber expertise to ensure we understand our own risks and those of our clients. This is something we are taking very seriously at Capsicum Re. We have built the largest cyber reinsurance broking team in the market and are building upon our understanding of the issues and risks affecting cyber exposures, and pushing ourselves to identify where the new risks will arise.
There is also a demand for probabilistic cyber catastrophe (CAT) models, as the lack of uniformity among those currently in the market is an ongoing issue. The original CAT models were not set up to try to aggregate these exposures, which means the collection of data is too slow; this lack of real-time data monitoring is a serious problem.
With the EU data directive coming into force next year, this is a risk that will remain at the top of the regulator’s agenda. The PRA has clearly stated its concerns and these should not be taken light-heartedly. Now is the time for the industry to take action, to improve our exposure management to cyber risk and try to create a uniform approach in what will continue to be a growing class of business in the market.
By Patrick Bousfield
Patrick Bousfield is the moderator on a panel entitled, ‘Exposure Management in the Insurance Sector’, 11:45 – 12:45 at the Advisen Cyber Risk Insights Conference on Tuesday 07 March.