Unstated cyber risks may hit multiple policies


When it comes to insuring against cyber threats, insurance industry professionals say silence is not golden.

Silent cyber, which refers to policies that don’t explicitly include or exclude cyber coverage, can lead to significant losses.

Last November, the Bank of England’s Prudential Regulation Authority said in a statement that it believed “the potential for a significant ‘silent’ cyber insurance loss is increasing with time.”

“As both ‘silent’ cyber insurance awareness and the frequency of cyber attacks grow, so does the loss potential from ‘silent’ cyber exposures,” the PRA said. “Casualty lines are potentially significantly exposed to silent cyber losses. This is either due to the fact that exclusions are not widely used or because some policies cannot reasonably exclude cyber losses.”

The PRA called for firms exposed to silent and affirmative cyber risk to have clear strategies and articulated risk appetites on the management of the associated risks. These should be owned by the board and reviewed on a regular basis, the PRA said.

“People are expecting to be covered from the corporate side, and from the insurance side they’re saying, ‘Oh, no, of course, it’s not covered’,” said Scott Stransky, assistant vice president and principal scientist at risk modeling firm AIR Worldwide in Boston. “This is why it’s pretty scary, because risk managers and corporations think they’re going to be covered. Insurers think they’re not going to be on the hook. And that’s why courts are going to have to end up making the decisions.”

In April, AIR announced the release of its Analytics of Risk from Cyber risk modeling application, which is capable of modeling silent cyber.

“We’re hearing more and more, ‘We need to model the silent cyber, we need to at least understand our silent cyber, just in case the courts rule against us,’” Mr. Stransky said.

On Oct. 21, 2016, hackers hit Manchester, New Hampshire-based domain name system provider Dyn Inc. with a series of distributed denial-of-service attacks, and internet users reported having trouble accessing websites, as companies ranging from Amazon to Zillow were affected.

Mr. Stransky said AIR’s modeling determined that had Dyn gone down for a full day, the estimated economic loss would have been about $500 million for the Fortune 1000 companies alone. He added that had Amazon Web Services, which suffered an outage earlier this year, gone down for a full day, economic losses for the Fortune 1000 companies would have been $3 billion.

A study by JLT Re and JLT Specialty Ltd., released in April and titled “Unlocking the Potential of the Cyber Market,” said addressing the issue of silent cyber risk is crucial.

“The lack of clarity in standard (property/casualty) policies has led some companies to believe that they have adequate cover for cyber risks when they may not,” the report said. “Conversely, (insurers and reinsurers) are being held back by concerns that unquantified cyber exposures are buried in traditional policies by virtue of not being excluded, raising the prospect of unexpected losses in the event of a cyber incident.”

Sarah Stephens, head of cyber for JLT Specialty in London, advised insurers to do a scenario analysis on their standard forms to determine if a cyber incident could be the cause of a loss and, if so, how they would deal with it.

“It probably makes a lot of sense if you’re an insurer and you’re thinking, ‘What do I do about silent cyber risk?’” she said. “Probably the place to start is to align your expectations and your definitions with whatever cyber product you offer to the market.”

Ms. Stephens added that “we’re not going to have a good idea of the way cyber should be insured in the market as a whole anytime soon.”

“The feedback I get from insurers (is) if they had a choice they would much prefer to exclude cyber as a trigger, whether it’s a property or casualty policy,” she said.

“They prefer to take that out and push it into the stand-alone cyber market. But there are two obstacles to that: Soft market conditions make it uncompetitive to do so, and buyers tend to really not like that — and I totally understand that.”

Jenny Soubra, U.S. head of cyber for Allianz Global Corporate & Specialty S.E. in San Francisco, said insurers are concerned about the potential for a catastrophic cyber event affecting multiple lines of coverage. She said the Dyn attack “did truly awaken the industry to the ways that silent cyber can impact other policies.”

“We’re looking at a convergence of risk,” she said. “Where in the old days before these new risks and threats existed, it was very easy to put something into the proper bucket, whether it’s a commercial general liability policy, a property policy, a crime policy … These days, with more and more convergence of risk and increased use of technology, we’re seeing bleed-over into these other policies.”

Ms. Soubra added that she believes “we’re going to see people enlightened to this issue.”

“What usually drives it is when a claim occurs,” she said. “Somebody has to feel the pain in order for a change to take place. And of course if there was some sort of catastrophic cyber event that impacted most forms of coverage, I think that would also drive the change much faster.”