Simon Cooper Consultant
PRA Considers cyber insurance underwriting risk
The continued dependence on electronic and network-based systems, combined with the constant development and sophistication of the threats posed to those systems by criminals, political activists, terrorist groups and others, means that all businesses, regardless of their size or area of operation, are increasingly exposed to cyber risks.
Against this background, and the changing legislation and heightened regulation surrounding data protection internationally, it is not surprising that companies are looking more closely at their options for transferring cyber risk or that cyber insurance is one of the fastest developing classes in the insurance sector.
Cyber insurance does, however, present a number of issues for insurers and their clients alike.
The potential aggregation of cyber risk should be a concern to everyone writing cyber risk, either directly or indirectly as an adjunct to more traditional classes. Cloud-computing is one example of this exposure: one single cyber event, such as a successful attack against or the failure of one of the cloud hosts, could cause loss to hundreds of thousands of parties by exposing large swathes of the data within the cloud. Alternatively, multiple hacking attacks might be instigated by one organisation against numerous targets simultaneously as part of an organised campaign. Depending on the language of the policies concerned, there may, in these circumstances, be grounds for aggregation of the losses both on an insurer’s inwards business and in respect of attempted recoveries from reinsurers. Similarly, it is by no means implausible, given appropriate language, that cyber related losses from a particular virus will aggregate, particularly for reinsurance purposes.
The issue of aggregation is a potential problem not only for specialist cyber insurers but also for insurers of other classes of business who intentionally or not may well have an exposure to cyber related events, for example in the form of infrastructure breakdown, terrorism, theft or consequential property damage.
The structure of the direct policy and terminology employed is clearly important in this regard and the definition of terms such as “loss”, “event” or “originating cause” will have a significant impact as any express aggregation provisions.
The issue relating to policy structure and wordings is not, however, confined to aggregation. There is an extremely broad variety of cyber insurance products in the market, some produced by insurers and some by brokers, some designed to cover only specific elements of cyber risks and some to operate as comprehensive cyber insurance. On a macro-level, the result of this is a lack of consistency in the wordings and no standardised approaches to particular areas. Definitions differ between policies and there is no standard approach to terms, such as “damage”, “loss”, “network” and “property”. Insofar as these terms are relevant to the cover offered, they need to be considered carefully in line with what insurers or their clients are expecting to be covered under the policy. Further, the changing nature of cyber risks means that insurers and brokers will need to review wordings and definitions in particular to ensure that they encapsulate all relevant elements and to ensure that the policy still responds as expected in view of any emerging cyber risks. This is of course a challenge in itself when there is little in the way of settled legal precedent in this area, nor any market-standard definitions.
Triggers of coverage within the cyber policy wordings may also present challenges. This is not only important for matters such as notification of claims or circumstances, but also forms an integral part of specific types of cover, such as business interruption, where time deductibles are often applied. Focusing on expectations of how the policy should respond is crucial when deciding at what point the insured should be required to notify or deemed to be aware of notifiable circumstances, or at what point time starts running for any applicable time deductibles. For example, one policy may require notification of the circumstances once any member of staff has or should have discovered the issue and another policy may only require notification once a member of the insured’s management has been informed. Alternatively, rather than attaching the trigger to time of discovery at all, it is possible for a policy to require notification upon the occurrence of an event or loss. That itself presents a number of problems, especially where a cyber attack has gone unnoticed, either because it has not caused a loss that can be easily identified, or because a virus has remained dormant for some time prior to being identified or activated. This kind of issue may present particular problems in policies which cover a different class of risk, such as property and where cover for cyber has been added subsequently as an additional benefit.
The cyber insurance market has little in the way of track record; it is all still new. The lack of historic profile, including claims and case law, makes it difficult to base underwriting decisions on any meaningful evidence-based analysis.
Unsurprisingly, therefore, the regulators have become increasingly concerned about the management of cyber insurance risk and on 14 November 2016 the Prudential Regulation Authority (PRA) issued a consultation paper (CP39/16) on the topic.
In the paper the PRA outlines its proposals for a new supervisory statement setting out its expectations for the prudent management of cyber underwriting risk. Cyber underwriting risk is defined as the set of prudential risks emanating from writing insurance contracts that are exposed to losses resulting from a cyber event. Insurers are expected to be able to identify, quantify and manage the risks emanating from cyber underwriting, both in terms of explicit and ‘silent’ cover. ‘Silent’ cover refers to implicit cyber exposures within “all risks” and other liability insurance policies that do not explicitly exclude cyber risk.
Interested parties are invited to comment on the draft supervisory statement, with a closing date of 14 February 2017.
The risks posed by the varied sources of cyber threat are not only here to stay but will continue to develop and become more advanced. Cyber insurance products have a crucial role to play in supporting the companies and bodies who have a need to mitigate their exposures, especially where they may be a particularly vulnerable target for directed cyber attacks. However, cyber insurers themselves face a number of issues and whilst it has demonstrated rapid advances, it remains to be seen how these issues can be overcome or how they will shape the future of the market. Similarly, insurers of other classes of business face the vital task of understanding where they may have an incidental, silent, exposure to cyber risk with the potential to cause unexpected loss and to aggregate across a large book of business.
This article originally appeared on the insuranceday.com website, November 23rd 2016.