
Do you 'really' understand your aggregate exposure to Cyber Risk?

Visesh Gosrani, Chair of the Institute and Faculty of Actuaries Cyber Risk Working Party, explains why insurers need to ensure that they have effectively assessed their exposure to cyber perils within their existing non-cyber policies, and how the framework developed by the Working Party can help them achieve this.

Cyber risk has the potential to cause losses across many different lines of business, because a cyber event can damage the property of the insured or of third parties, interrupt the business of the insured or of third parties, and give rise to liability claims.

However, cyber risk is an evolving threat, and our understanding of the ways in which cyber perils could cause losses also continues to evolve. This requires cyber exclusions to be continually developed, since deficiencies in exclusion wording, or a failure to recognise that a cyber peril could be an issue, could result in losses on policies.

Some recent examples include the claims on Merck’s Property policy as a result of their losses from NotPetya. The claim is still being pursued through the courts, where the outcome is likely to depend on whether the court decides that the claim can be denied on the basis of:

  • NotPetya being judged to be a “hostile and warlike action” (based on US responses attributing the cyber attack to Russia),
  • the “warlike action” being directed against Ukraine, and
  • the absence of the word “indirect” in the war risks exclusion.

If the court rules that the exclusion does not apply, this will mean that the $250m cyber sub-limit of Merck’s property policy does not apply and the property policy is likely to experience a significant or total loss to its $1.75bn insurance tower.

The concerns of the Prudential Regulation Authority, Lloyd’s of London and market commentators about the lack of understanding of the potential for cyber perils to cause unforeseen losses to non-cyber policies have been well documented.

The key messages coming through are that insurers need to take the following actions:

  • understand what their exposure to cyber perils might be
  • clarify their policy coverage and wording, so they are covering what they intend
  • clarify that pricing includes the losses resulting from cyber risk exposure
  • enhance risk appetite to include non-affirmative cyber risk exposure.

The IFoA Cyber Risk Working Party has outlined a series of steps you can take to support your company in reacting to the regulatory requirement (see hyperlinks to PRA and Lloyd’s above) to assess and manage aggregate exposure to cyber risk.

What can you do to better understand and manage your company’s cyber risk exposure?

1. Assess your company’s cyber risk exposures

The IFoA’s Cyber Risk Working Party has put together a free, easy to use framework that walks you through the process of assessing your cyber risk exposures, the endorsements you have applied and the confidence you have in them.

If you haven’t already started to assess your cyber risk exposures, the framework offers a starting point, with flexibility to take into account the materiality of the cyber risk issue to your organisation and the amount of time you have to assess your exposure. This is discussed in greater detail in Section 4.2 of the paper that accompanies our framework.

If you have already started to assess your cyber risk exposures, you can use the non-affirmative cyber assessment framework to review your current assessment and to highlight any areas you may have missed or treated differently.

2. Apply exclusions appropriately and update them where necessary

There has been considerable reliance in the market on long established clauses such as CL380 and NMA2914/5 to exclude Cyber coverage and write back specific parts of the coverage.

CL380 and NMA2914/5 were both written in 2001, and have had updates in 2018 and 2015 respectively to JS2018-001 and NMA2914/5A. Given the significant developments in, and understanding of, cyber risk since then, you need to assess whether policy forms include the latest updates to these clauses, and also analyse the perils to which the risk is exposed in order to assess whether these exclusions are appropriate.

Where clauses are applied inconsistently across lines of business, this may result in the need to perform a greater level of analysis to understand the impact of endorsements to policy wording.

3. Where you are not excluding a threat, price it in

Once you have established the cyber perils that you are exposed to, you need to decide whether to exclude or explicitly include them in the coverage of the policy. If you affirmatively include this exposure you need to use appropriate endorsements to manage the exposure with greater certainty.

4. Agree your cyber risk appetite

Agree which lines of business you are prepared to include cyber risk exposure for and whether there are industries you wish to avoid exposure for. You should also agree your aggregate exposures to companies and groups across your different lines of coverage.

5. Be proportionate

The IFoA Cyber Risk Working Party recognises that cyber risk exposures will be significantly less material for some organisations than for others. Therefore, we have provided a pyramid of approaches within the framework (explained in detail in the accompanying paper)[LINK] to assist you in tailoring your approach to the level of materiality indicated in the initial steps of the framework assessment.

Further support with cyber risk

The IFoA Cyber Risk Working Party seminar on 9 December 2019 (available to view on the IFoA’s Virtual Learning Environment) provided a walk-through of the framework and answered questions arising. We will follow up with a Chatham House Rule roundtable early in 2020, where attendees can discuss the issues they have found in assessing and managing their cyber risk exposures.

The Working Party is soliciting ideas for how it can help the profession tackle this issue better, so if you have any ideas for what would help you, please tell us! You can contact the Chair of the working party at

Cyber Risk Event

If you are interested in finding out what good cyber practices look like and to what extent we, as an industry, can implement these operationally and recognise them for underwriting, join us at a brand new IFoA Cyber Risk Event (Monday 10 February, 17.30-20.00 at Staple Inn Hall, London), which aims to provide options and solutions. Find out more and register.