Making noise about "silent" cyber

Hackers snag a transit system’s controls causing a train derailment. Malware snakes through a GPS-linked navigation system steering a ship into a bridge. Cyber risks can easily cause physical damages or claims. So-called “silent” cyber exposures in traditional property-casualty (P/C) insurance policies create uncertainty for clients, brokers and insurers alike. Allianz is one of the first insurers to rethink established modes of underwriting in order to clarify cyber risks.
  • So-called “silent” cyber exposures in traditional P/C policies create uncertainty for clients, brokers and insurers
  • The nature of cyber risk is ever-evolving with hacker attacks becoming more sophisticated, targeted and far-reaching
  • Most traditional policies were designed when cyber wasn’t a major risk and don’t explicitly mention or even consider cyber risk
  • AGCS has been named the Center of Competence for Cyber ensuring a consistent underwriting approach for cyber risks for Allianz Group, worldwide

It was just a foretaste of what a real global “cyber hurricane scenario” could look like – and still the impact was disastrous for many companies globally.

In 2017, large cyber-attacks like Petya and NotPetya or WannaCry caused significant losses for businesses – insured losses for the former are estimated to be $3.3bn. Global conglomerates like Merck and Maersk suffered severe disruption of their systems and businesses during that attack. Pharmaceutical giant, Merck, by far the most severely hit, is reportedly receiving about $2bn in cyber insurance coverage; losses for shipping giant, Maersk, exceeded $300mn[1].

According to US claims analyst, PCS, nearly 90% of the total industry loss of Petya and NotPetya was attributed to so-called “silent cyber exposures”, which are potential cyber-related losses stemming from traditional property and liability policies not specifically designed to cover cyber risks. As these incidents demonstrate, cyber loss events can impact multiple lines of business beyond specialist cyber cover such as property, business interruption (BI), errors and omissions (E&O) or kidnap and ransom (K&R).

“The 2017 WannaCry and NotPetya attacks highlighted the risks and potential damage across all business areas causing significant concern around cyber risks in traditional property-casualty (P/C) policies,” says Emy Donavan, Global Head of Cyber and Tech PI, AGCS.

In the past few years, cyber risks have gone mainstream. For the first time in the eight-year survey, cyber incidents is the top global risk in the Allianz Risk Barometer 2019, tied with BI. Cyber incidents can trigger not only extensive financial or disruptive losses but, potentially, physical damage, BI, product recall, bodily injury or even life-threatening consequences.

“The nature of cyber risk is evolving rapidly and constantly with hacker attacks becoming more sophisticated, targeted and far-reaching,” Donavan says.

Companies increasingly are exposed to “large-scale, multi-vector mega attacks using advanced attack tools”, often outpacing the maturity level of corporate IT security systems[2]. Besides cyber-crime, often it is technical failure, IT glitches or human failure which cause massive system outages or data losses.

“Silent” cyber scenarios could include a hacker attack on a transit system causing a train derailment or a malware-infected, GPS-linked navigation system incorrectly guiding a ship[3]. Another silent risk might include a hacker creating significant disruption by opening the floodgates at a hydroelectric dam, likely causing significant downstream flood damage[4] and potentially triggering property policies.

“Most traditional policies were designed when cyber hadn’t yet emerged as a major risk and don’t even explicitly mention or consider cyber risk,” Donavan explains.

Such “silent,” or “non-affirmative,” cyber exposures lead to inadequate protection of customers with a lack of certainty and transparency for all parties involved – customers, brokers and insurers. “A new insurance approach is required to effectively counter new risks posed by cyber and to remove coverage uncertainty for customers,” says Donavan.

Group-wide, Allianz is reviewing cyber risks in P/C policies in commercial, corporate and specialty insurance segments and has developed a new underwriting strategy to address “silent” cyber exposures, ensuring that all P/C policies will be updated and clarified in regard to cyber risks. It has nominated AGCS to establish a Center of Competence for Cyber for the entire company.

“We will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed,” Donavan says. The new strategy also responds to growing concern from regulators and rating agencies about cyber exposures in insurers’ portfolios.

AGCS has already implemented the strategy for new business and will do so for renewal business, subject to regulatory and filing requirements in certain jurisdictions, in April. Other Allianz P/C companies will apply the strategy by January 1, 2020, latest.

For policyholders, the set-up will be different depending on the specific line of business, as well as the market and regulatory environment. If unclarified, cyber exposures will be specified in policy wordings. Clear definitions of when cyber risks are covered under traditional policies, as well as for which scenarios a dedicated cyber insurance solution is required, will be written in.

“There is no one-size-fits-all approach,” says Marek Stanislawski, Deputy Global Head of Cyber, AGCS.

AGCS policyholders will choose among several options to tailor cyber risk coverage to their individual needs and risk profiles – ranging from “now-affirmative” coverage in a traditional P/C policy to an endorsement embedded into a traditional policy to a specialist cyber insurance policy. In many cases, cyber event definitions will be added to existing wordings (e.g. property offers a dedicated cyber BI extension).

“A comprehensive solution for all products – while extremely challenging to create – is in the best interest of customers and brokers,” explains Stanislawski. “This keeps expertise around specific cyber exposures in the lines of business where they’ve traditionally been underwritten and also benefits customers by providing certainty about the products they've bought.”

Under updated wordings in Allianz P/C policies, physical damage and bodily injury arising from cyber events will generally continue to be covered. Cyber-related “pure financial losses” without physical damage or injury, however, will be covered in affirmative cyber insurance solutions only (see below).

While the global market is beginning to address “silent” cyber exposures, Allianz is a “first-mover” insurer and is engaged in market information and education.

The new strategy helps Allianz better measure its cyber exposure and effectively respond to regulators and rating agencies by effectively managing cyber underwriting risks. With these efforts, Allianz aims to be able to better manage the cyber aggregation risk in its P/C portfolios and make adequate capital provisions to deal with large-scale cyber loss scenarios that could potentially affect multiple policyholders at the same time.

Two scenarios

  • Affirmative coverage in a traditional policy: A hacker attack on industrial software causes an explosion at a factory; physical damage and subsequent BI loss would be covered in a standard Allianz P/C policy.
  • Affirmative coverage through cyber policy or endorsement: Malware leads to a disruption of production or service delivery and loss of revenues for a company without physical damage; such “pure financial losses” may require a dedicated cyber insurance policy, or a cyber-specific endorsement to traditional policies.

Financial supervision increasingly warns of significant “silent” cyber risk in insurers’ portfolios. The German supervisory authority, Bafin, has announced that it will be more attentive to insurance “silent” cyber exposures in 2019. The UK’s Prudential Regulatory Authority urged insurers and brokers in 2017 to address cyber risks, so the move is on by regulators globally to raise awareness on a general scale.

Reinsurers have increasingly put “silent” cyber on the agenda, as well. Munich Re Board Member, Doris Hoepke, says: “Insurers have to address ‘silent’ cyber exposures in their traditional policies”[5].

The topic is also increasingly on brokers’ agendas. Aon’s reinsurance division has announced a silent cyber facility, while catastrophe modeling firm, AIR Worldwide, collaborated with reinsurance broker, Capsicum Re, to identify which non-cyber lines of business are exposed to cyber-related losses. Willis Towers Watson’s 2018 Silent Cyber Outlook Survey highlights growing concerns about “silent” cyber exposures.

“I would expect 2019 to be definitely noisier around ‘silent’ cyber exposures”, Donavan says. “The industry has to get a grip on these challenges in one way or another and we are expected to provide attractive solutions around cyber – as today’s key business risk.”

  • Full transparency, clarity and certainty of cyber risk coverage for customers and brokers
  • Increased speed of claims settlement in the event of a due to cyber coverage certainty
  • Updated policies designed for the new generation of cyber risks
  • Custom solutions for cyber risk coverage: From embedded cyber cover in traditional P/C products to standalone cyber insurance
  • Elimination of ‘unknown’ overlaps in various coverages and gaps for policyholders
  • Dedicated cyber expertise in the new Center of Competence for Cyber
  • Clear portfolio monitoring and exposure management for Allianz, allowing effective use of underwriting capacity and optimal capital management.

The Allianz Risk Barometer 2019 – the eighth annual survey of over 2,400 risk management and insurance experts from more than 80 countries which identifies the top risks for businesses – included questions about take-up trends in cyber insurance. Global Risk Dialogue asked Marek Stanislawski, Deputy Global Head of Cyber, AGCS, to comment on the results.

Stanislawski: “While a quarter of our respondents detected a cyber incident last year, more than half did not, calling into question the degree of confidence we can place in detection and prevention systems, as there is a possibility that a cyber-attack was sophisticated and evasive enough that it managed to run undetected. Companies need to constantly monitor, update and modernize their IT security measures. Unfortunately, as with any effort to stay ahead of this risk, it’s a never-ending and circuitous process.”

Stanislawski: “The fact that more than half of respondents purchased cyber insurance last year goes hand-in-hand with their perception of cyber as a serious risk. The rise in take-up of this insurance product is expected to continue, as more and more companies become convinced of the gravity and severity of cyber as a risk.”

Stanislawski: “We take very seriously the message that 61% of respondents point to the insufficiency of available capacity. While traditional business lines provide world-leading capacity, our Alternative Risk Transfer service can assist large corporations in structuring a tailored risk transfer solution which can overcome the insufficient capacity in traditional markets.”

Stanislawski: “It’s interesting that almost as many respondents feel that cyber insurance coverage is priced in line with expectations as those who don’t. This seeming discrepancy can be attributed to the fact that the market is softening, despite all the exposures and uncertain accumulation risk, and underwriters can’t always price according to the technical risk. Cyber policies often include coverage for other types of loss such as business income loss or ransom payments and, hence, are generally underpriced to fully cover all the various sources of insured loss because of competition. Pricing will harden as more losses occur and the industry perfects its modeling and analytics.”

Stanislawski: “Although we’ve seen that a vast majority of respondents (over 90%) agree to the need of having cyber insurance, only a little over a half of them have equipped themselves with the product. The reason for this might be due to anything from internal budgeting constraints to uncertainty about the scope of cover to purchasing cyber extensions on existing policies rather than stand-alone products. Allianz is committed to assisting customers with finding the most suitable form of cyber risk transfer to meet their needs.”

Read this article in Global Risk Dialogue. Appearing twice a year, Global Risk Dialogue is the Allianz Global Corporate & Specialty magazine with news and expert insights from the world of corporate risk.

SOURCES

1. Artemis, Merck & silent cyber impacts drove Petya industry loss: PCS, November 7, 2018

2. Check Point, Achieving fifth generation cyber security: A survey research report of IT and security professionals, March 2018

3. Willis Towers Watson, Silent cyber outlook: Is silent cyber risk creeping up on insurers?, September 11, 2017

4. Guidewire, Aon and Guidewire launch cyber scenario for a US dam attack, October 25, 2018

5. Baden-Baden Reinsurance Conference in 2018
