Ensuring cyber policy language is frequently reviewed in the face of rapidly changing threats remains a big challenge for insurers.
Opinions about the nature of cyber losses are in flux. Historically, data breach was considered the greatest cyber risk, with organisations holding large quantities of sensitive or personal consumer information, such as hospitals and banks, presumed to be most at risk.
But cyber is a broad concept and an evolving peril. Fast-forward to 2020 and with the ever-increasing reliance of organisations on data, technology and third-party providers, the risk of cyber extortion is now arguably a greater threat.
Such attacks are encountered frequently, sometimes even daily, by some organisations. The objective is not to steal data but to hijack control of computer networks to demand a ransom, which is usually exorbitant but on payment returns control and access to their owners.
Getting to grips with and mitigating this threat will remain a battle for insurers, brokers and insureds for some time. With that, privacy will remain high on the agenda.
The notion of the “right to privacy” is a somewhat abstract concept that will continue to challenge regulators, legislators and courts for years to come. This issue lay at the heart of the Cambridge Analytica scandal in 2018 and also Capital One in 2019, when there was a so-called “mega-breach” of millions of personal records.
Despite these infamous examples, data breach claims have begun to plateau.
The proliferation of malware is an entirely different story. With the rise and rise of ransomware causing a multitude of problems and business interruption issues, it has become a far greater risk for many organisations and not just large corporations.
Ensuring policy language is frequently reviewed to remain resilient in the face of such fast-evolving threats is a challenge for insurers.
In 2017 the NotPetya malware attack rendered useless 1,700 servers and 24,000 laptops owned by US confectionery manufacturer Mondelez, which claimed for the loss under its property policy. The insurer, Zurich, refused the claim because it regarded the attack as an act of war, which was excluded under the policy.
Under a standalone cyber policy, however, few (if any) claims have ever been denied under a war exclusion. It is an area that still presents complex shades of grey. This also highlights the difficulty of using wordings that were drafted many years ago and may not have adequately considered cyber risks.
Therefore, we should expect work on policy language in areas such as war exclusions to continue and gather momentum this year. As the threat landscape evolves, policy language can easily lag, meaning frequent reassessment is essential to keep pace. This raises the issue of silent cyber: cyber risks that exist within non- specific cyber policies. UK regulators’ increasing intolerance of unmeasured, non-specific cyber cover, is helping to bring clarity to the cyber landscape.
This has and should continue to push cyber risk into the affirmative cyber insurance market and has already prompted the preparation of new London market exclusions.
However, much of the regulatory compliance is in its infancy, as insurers continue to work to qualify and quantify where their cyber exposures lie and devise ways to manage them. Consequently, any meaningful transfer into the affirmative cyber insurance market is yet to take place.
While regulatory requirements have been placed on insurers to articulate their exposures and plans, brokers have not been invited to contribute to the effort to eradicate silent cyber. A more co-ordinated effort that involved intermediaries could be hugely beneficial to the London market’s market’s efforts to provide greater clarity and certainty to insureds.
Without a clear directive, piecemeal solutions are likely as insurers and brokers search for the path of least resistance. Insureds will understandably seek the most cost-efficient means of risk transfer – ideally large cyber limits for a low premium – so a demand for coverage buybacks is anticipated, rather than shifting risk to an affirmative cyber-specific solution. Unfortunately, if the response to this emerging risk is the traditional buyback of coverage then I fear a lack of progress will be made.
When a cyber event occurs, crisis management is needed – systems specialists who will rappel from helicopters to get the insured back into business (proverbially, at least). To truly assist insureds, it is imperative we as a market maintain such specialist response mechanisms, which are unlikely to be available with buy-back covers.
The UK insurance market should remain free and competitive yet a more co-ordinated effort could lead to greater innovation and a clearer proposition and better solutions for insureds. It is down to all of us in the market to build awareness about the greatly differing levels of provision, but that effort will take time.
Meanwhile, cyber risk will increasingly crystalise on the risk radar of all businesses. With the evolution of the peril, new and forthcoming legislation and regulation could drive litigation and the interdependence of organisations because of increasing interconnectivity will in combination create a very new risk landscape. All of that will drive the growth of the cyber market in the years ahead. Pricing will see positive change, the market will remain robust and is set to continue to thrive as risk maturity quickly increases and cyber risk is mitigated increasingly effectively.