It was just a foretaste of what a real global “cyber hurricane scenario” could look like – and still the impact was disastrous for many companies globally.
In 2017, large cyber-attacks like Petya and NotPetya or WannaCry caused significant losses for businesses – insured losses for the former are estimated to be $3.3bn. Global conglomerates like Merck and Maersk suffered severe disruption of their systems and businesses during that attack. Pharmaceutical giant, Merck, by far the most severely hit, is reportedly receiving about $2bn in cyber insurance coverage; losses for shipping giant, Maersk, exceeded $300mn [1].
According to US claims analyst, PCS, nearly 90% of the total industry loss of Petya and NotPetya was attributed to so-called “silent cyber exposures”, which are potential cyber-related losses stemming from traditional property and liability policies not specifically designed to cover cyber risks. As these incidents demonstrate, cyber loss events can impact multiple lines of business beyond specialist cyber cover such as property, business interruption (BI), errors and omissions (E&O) or kidnap and ransom (K&R).
“The 2017 WannaCry and NotPetya attacks highlighted the risks and potential damage across all business areas causing significant concern around cyber risks in traditional property-casualty (P/C) policies,” says Emy Donavan, Global Head of Cyber and Tech PI, AGCS.
In the past few years, cyber risks have gone mainstream. For the first time in the eight-year survey, cyber incidents are the top global risk in the Allianz Risk Barometer 2019, tied with BI. Cyber incidents can trigger not only extensive financial or disruptive losses but, potentially, physical damage, BI, product recall, bodily injury or even life-threatening consequences.
“The nature of cyber risk is evolving rapidly and constantly with hacker attacks becoming more sophisticated, targeted and far-reaching,” Donavan says.
Companies increasingly are exposed to “large-scale, multi-vector mega attacks using advanced attack tools”, often outpacing the maturity level of corporate IT security systems [2]. Besides cyber-crime, often it is technical failure, IT glitches or human failure which cause massive system outages or data losses.
“Silent” cyber scenarios could include a hacker attack on a transit system causing a train derailment or a malware-infected, GPS-linked navigation system incorrectly guiding a ship [3]. Another silent risk might include a hacker creating significant disruption by opening the floodgates at a hydroelectric dam, likely causing significant downstream flood damage [4] and potentially triggering property policies.
“Most traditional policies were designed when cyber hadn’t yet emerged as a major risk and don’t even explicitly mention or consider cyber risk,” Donavan explains.
Such “silent,” or “non-affirmative,” cyber exposures lead to inadequate protection of customers with a lack of certainty and transparency for all parties involved – customers, brokers and insurers. “A new insurance approach is required to effectively counter new risks posed by cyber and to remove coverage uncertainty for customers,” says Donavan.
Group-wide, Allianz is reviewing cyber risks in P/C policies in commercial, corporate and specialty insurance segments and has developed a new underwriting strategy to address “silent” cyber exposures, ensuring that all P/C policies will be updated and clarified in regard to cyber risks. It has nominated AGCS to establish a Center of Competence for Cyber for the entire company.
“We will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed,” Donavan says. The new strategy also responds to growing concern from regulators and rating agencies about cyber exposures in insurers’ portfolios.
AGCS has already implemented the strategy for new business and will do so for renewal business, subject to regulatory and filing requirements in certain jurisdictions, in April. Other Allianz P/C companies will apply the strategy by January 1, 2020, at the latest.
For policyholders, the set-up will be different depending on the specific line of business, as well as the market and regulatory environment. If unclarified, cyber exposures will be specified in policy wordings. Clear definitions of when cyber risks are covered under traditional policies, as well as for which scenarios a dedicated cyber insurance solution is required, will be written in.
“There is no one-size-fits-all approach,” says Marek Stanislawski, Deputy Global Head of Cyber, AGCS.
AGCS policyholders will choose among several options to tailor cyber risk coverage to their individual needs and risk profiles – ranging from “now-affirmative” coverage in a traditional P/C policy to an endorsement embedded into a traditional policy to a specialist cyber insurance policy. In many cases, cyber event definitions will be added to existing wordings (e.g. property offers a dedicated cyber BI extension).
“A comprehensive solution for all products – while extremely challenging to create – is in the best interest of customers and brokers,” explains Stanislawski. “This keeps expertise around specific cyber exposures in the lines of business where they’ve traditionally been underwritten and also benefits customers by providing certainty about the products they've bought.”
Under updated wordings in Allianz P/C policies, physical damage and bodily injury arising from cyber events will generally continue to be covered. Cyber-related “pure financial losses” without physical damage or injury, however, will be covered in affirmative cyber insurance solutions only (see below).
While the global market is beginning to address “silent” cyber exposures, Allianz is a “first-mover” insurer and is engaged in market information and education.
The new strategy helps Allianz better measure its cyber exposure and respond effectively to regulators and rating agencies by managing cyber underwriting risks. With these efforts, Allianz aims to be able to better manage the cyber aggregation risk in its P/C portfolios and make adequate capital provisions to deal with large-scale cyber loss scenarios that could potentially affect multiple policyholders at the same time.
Financial supervisors increasingly warn of significant “silent” cyber risk in insurers’ portfolios. The German supervisory authority, Bafin, has announced that it will be more attentive to insurers’ “silent” cyber exposures in 2019. The UK’s Prudential Regulatory Authority urged insurers and brokers in 2017 to address cyber risks, so regulators globally are moving to raise awareness on a general scale.
Reinsurers have increasingly put “silent” cyber on the agenda, as well. Munich Re Board Member, Doris Hoepke, says: “Insurers have to address ‘silent’ cyber exposures in their traditional policies”.
The topic is also increasingly on brokers’ agendas. Aon’s reinsurance division has announced a silent cyber facility, while catastrophe modeling firm, AIR Worldwide, collaborated with reinsurance broker, Capsicum Re, to identify which non-cyber lines of business are exposed to cyber-related losses. Willis Towers Watson’s 2018 Silent Cyber Outlook Survey highlights growing concerns about “silent” cyber exposures.
“I would expect 2019 to be definitely noisier around ‘silent’ cyber exposures”, Donavan says. “The industry has to get a grip on these challenges in one way or another and we are expected to provide attractive solutions around cyber – as today’s key business risk.”
1. Artemis, Merck & silent cyber impacts drove Petya industry loss: PCS, November 7, 2018
2. Check Point, Achieving fifth generation cyber security: A survey research report of IT and security professionals, March 2018
3. Willis Towers Watson, Silent cyber outlook: Is silent cyber risk creeping up on insurers?, September 11, 2017
4. Guidewire, Aon and Guidewire launch cyber scenario for a US dam attack, October 25, 2018
5. Baden-Baden Reinsurance Conference in 2018