Cyber: a risk in rapid change
Siobhan O’Brien, Cyber Centre of Excellence Leader for International and Global Specialties for Guy Carpenter, discusses cyber risk in 2020 and the dynamics drastically changing the nature of exposure.
Has the COVID-19 pandemic affected the cyber market due to the number of people working from home?
As companies have transitioned to remote working and responded to changing demand for their products and the challenges of interrupted supply chains, they have adapted their business models and, in many cases, embraced new technologies. Though many of these exposures were already contemplated in cyber insurance policies, these developments have resulted in the increased potential for cyber losses.
For example, where the security of the connections of employees working from home is weak, companies risk losing sensitive information and are more exposed to both malicious and non-malicious cyber events.
Ransomware attacks have also further escalated during lockdown along with social engineering, phishing and impersonation scams with key personnel working remotely increasingly targeted by business e-mail compromise attacks. Not only have we seen heightened frequency of ransomware, the ransom amounts and costs associated with these attacks have also increased.
What do you feel are the main issues for the market at the moment?
Cyber loss ratios have increased and the change in overall claim activity reflects the changing landscape of cyber as the sophistication of phishing e-mails, data theft and ransomware continues to mature. Pricing adjustments are in effect to combat this adverse development on portfolios.
Ransomware claims show no sign of abating in 2020. The costs of a ransomware attack have significantly increased in the past 12 months. Insurers are considering the impact of ransomware as they develop new underwriting and risk mitigation strategies, including partnering with cyber security companies to help better control this increasing risk.
Silent, non-affirmative, cyber continues to be a cause of concern at the board level of insurers and reinsurers with efforts already under way to clarify the intent of coverage.
In response to the Lloyd’s mandates for clarity of coverage, the LMA has issued many new exclusions and clarification clauses for use on insurance and reinsurance policies. As a result, four options exist for insurers/reinsurers to address the cyber coverage under policies:
- Affirmation of coverage by direct coverage grant
- Affirmation with a sublimit
- Absolute exclusion – excluding all cyber exposures
- An exclusion but with write backs for specific areas of coverage
Silent cyber will become either ‘Newly Affirmed Cyber’ or excluded and therefore the ambiguity of coverage is eliminated across portfolios.
When a large cyber breach occurs, it is increasingly common to see a corresponding directors and officers (D&O) claim. Insurers and reinsurers are managing their aggregate exposures to multiple policies from one event, and the underwriting of cyber and D&O has become more aligned.
The rating agencies continue to view cyber as a growth market for P&C companies but acknowledge the impact of the uncertainty of the current economic decline on growth. Cyber is still a relatively modest portion of overall P&C premium, but concern exists that a large unforeseen cyber event could lead to large individual incurred losses with potentially adversely effects on capital levels.
What has the cyber market been most affected by this year?
There are a number of factors that have had an impact on the cyber insurance market so far in 2020. These include:
- The acceleration of rate increases compared to prior quarters is largely a response to significant increases in the frequency and severity of ransomware claims. In particular, the uptick has affected primary insurers in the middle market segment.
- The California Consumer Privacy Act (CCPA), which took effect 1 January 2020, represents one of the toughest data privacy laws in the U.S. Insurers continue to monitor growing regulatory exposures as coverage has expanded to address new laws like CCPA, GDPR, or the Brazilian General Data Protection Law.
- Capacity remains relatively stable with notional capacity exceeding $1bn the largest and we are seeing insurance programs exceeding $700m in limits.
- Some excess insurers have cut back on limit deployment but there have been new entrants in the market to offset this. Many insurers are managing limit deployment to coincide with global aggregate strategies.
- Increased reliance on technology make companies more subject to technology’s unique vulnerabilities, including system or supply-chain disruption or failures, distributed denial of service, hacking and ransomware attacks.
- COVID-19 related exclusions were not being applied on standalone cyber policies.
- Insurers are asking additional underwriting questions pertaining to COVID-19, business resiliency and business continuity planning.
What threats are on the horizon as we approach 2021?
There are multiple threat factors on the cyber horizon as we approach 2021. The first point I would make is that cyber risk is constantly evolving at an increasingly rapid rate. The proliferation of Cloud computing is a growing aggregation concern for insurers and reinsurers alike. An organisation’s sustainability and survival depends upon the availability of data, maintaining the confidentiality and integrity of that data. This applies whether it relates to personal or business sensitive data, research and development information or indeed nation state secrets.
