In autumn 2019 the IFoA Cyber Risk Working Party launched a survey to better understand perceptions of the uncertainty that cyber risk creates in different areas of actuarial work. The principal aim of the survey was to gather information to help the working party steer its future output, as it continues to provide guidance to IFoA members on cyber risk.

Now that we have collated the results we thought it would be useful to share what came out of the survey and some of the insights it provided.

Survey responses

We received responses from a wide range of industry segments and roles, demonstrating the breadth of interest in cyber risk. Perhaps unsurprisingly, the majority of responses were from risk management practitioners (25%) and consultants (20%), with other traditional actuarial functions contributing the bulk of the remaining responses (pricing and reserving 13% each).

Given where the standalone cyber product line sits, it came as no surprise that a large portion of responses were from members working in the General Insurance (GI) sector (43%). Of these respondents, the spread of focus on specific lines of business clearly demonstrates that cyber concerns are rippling across the market as a whole:

  • Cyber
  • Marine, Aviation and Transport
  • Motor
  • Financial lines
  • Casualty
  • Terrorism
  • Property
  • Specialty

It was also encouraging to see contributions from the Pensions, Life, Health and Investment communities. Notable other responses came from consultants, model vendors and brokers.

Key survey themes

The survey attempted to understand the perceived level of uncertainty and concern around key cyber areas in the market. The following areas were cause for the biggest concerns among respondents.

Data, data, data… With technology developing at pace, data is widely seen as critical to understanding cyber risk better. There are many third-party data providers servicing the insurance industry, all of whom claim to enhance our understanding of the risk. Respondents’ concerns lay in the fact that it can be difficult to understand the relative merits of providers and the relevance or criticality of the individual data points being provided. There was also significant concern that the increasing reliance on technology to do business is altering the exposure measures currently used in pricing traditional insurance lines of business. If we can get a deeper understanding of external data sources, then maybe these provide the key to improving our understanding of this concern too?

Given the increasing focus from regulators, accumulation management continues, unsurprisingly, to be an area of high concern. It was evident that the market does not have a clear and consistent methodology for approaching accumulation management of cyber risks. With regard to the calibration of such events, respondents felt that attacking the uncertainty in frequency was a more immediate issue than improving understanding of the maximum possible loss.

The working party naturally includes members concerned with the potential for catastrophic cyber accumulation, so it was reassuring to see that there is a high concern that such events have the potential to be capital depleting, with 25% of respondents indicating it was a ‘major and immediate issue’ and only 4% offering ‘no concern’.

The survey results also suggested that the topic of silent cyber is one that keeps us awake at night. There was high priority concern around clarity of the definition of silent cyber and the lines of business it could impact. Hopefully the developments in Q4 2019 (noted below) have gone some way to alleviating this concern. Firstly, the working party published guidance on the issue of silent cyber through a worked example of a ‘Silent Cyber Assessment Framework’. This can be found in the outputs section of the working party page. Secondly, Lloyd’s contributed heavily to moving this conversation on by mandating that either explicit coverage or exclusionary language be written into all first-party property damage policies by 1/1/20. Liability and Treaty reinsurance lines will follow later in 2020 and 2021.

Cyber operational risk was a key theme of concern within the survey results. Given the potential magnitude of operational impact, there was a consensus that this was a high priority concern. Respondents were clear that more should be done to understand potential impacts better, with slightly less priority put on how to allow for this risk within an insurer’s capital model. One respondent suggested that ‘benchmark parameters for operational loss from cyber-related events’ would be useful. The working party went some way to addressing this concern during 2019 (the BAJ published an output of the Cyber Risk Working Party on cyber operational risk for insurers, ‘Cyber operational risk scenarios for insurance companies’), but this is certainly an area for increased focus throughout 2020.

It was encouraging to see responses from the pension sector with specific questions arising around the impact of cyber risk on pension schemes. Both sponsors and trustees are asking more questions around the security measures in place - whether that’s in relation to in-house services, trustees or third-party providers - and the protection offered to the pension scheme. However, cyber insurance products specifically designed for pension schemes are currently limited. In terms of tangible action, the Pensions Regulator has issued its cyber security principles for pension schemes and there are examples of cyber security, insurance and pensions specialists supporting pension schemes with deepening understanding around this issue.

Concluding comments

It’s clear from our survey results that there continues to be significant interest in cyber risk within the actuarial community. The potential for systemic loss continues to draw ‘black swan’ analogies but it’s clear there are more tangible day-to-day areas of concern around applicability of data, impacts of operational risk, and how the peril impacts the underwriting of traditional insurance.

As a working group planning our output for 2020, we will take these learnings and insights and look to provide guidance on some of these key issues. As one respondent commented, ‘Cyber risk has become a global concern and therefore needs collaborative efforts to effectively deal with the root cause.’