The insurability of systemic cyber risk will be one of the defining issues of the next decade for the (re)insurance sector. Rapid technological changes and digitalization in particular have already transformed the characteristics of risks assumed by the (re)insurance market.
Businesses continue to embrace technological innovation despite the fact that doing so may lead to the emergence of new and unforeseen risks, according to Guy Carpenter colleagues Will Garland, President, Centers of Excellence, and Erica Davis, North America Cyber Center of Excellence Leader, Guy Carpenter. As cyber risk is one of the most swiftly evolving perils in the industry, carriers should carefully manage the exposures – and not only for competitive advantage. As regulators formalize capital requirements and qualitative measurements of risk appetite in this rapidly evolving market, companies will be required to enhance cyber underwriting and reinsurance strategies, leverage innovative modeling capabilities and develop technical and underwriting risk talent to continue offering clients the best security possible.
As companies depend more on technology to conduct business, they are also increasingly subject to technology’s unique vulnerabilities. These are wide-ranging and can include system or supply chain disruption or failures, distributed denial of service, hacking and ransomware attacks that may result in increased costs and lost revenue.
So how has this environment intensified in 2020 and will it continue even further in 2021?
The Effect of Ransomware
In this heightened exposure environment, ransomware attacks have become especially rampant. Fitch’s Health of the Cyber Insurance Market report notes the direct loss ratio rose to 47 percent in 2019 from the 34 percent level of 2018, with much of this due to ransomware.
The proliferation of ransomware is creating reimagined loss patterns for the sector and blurring the lines between attritional and catastrophic cyber loss. Furthermore, the criminal actors behind this continue to shift behaviors, becoming even more advanced and relentless. According to CrowdStrike, (1) “The most prominent eCrime trend observed so far in 2020 is big game hunting (BGH) actors stealing and leaking victim data in order to force ransom payments and, in some cases, demand two ransoms. Data extortion is not a new tactic for criminal adversaries; however, when BGH operations don’t result in payment, victims now face a double-headed threat of ensuring their data does not make it into the hands of others.”
Ransomware has progressively become a loss trend across the cyber industry, with pricing strategies being recalibrated to account for this growing risk. Guy Carpenter is working closely with our clients to share updates on the threat landscape, deliver cyber industry insights, construct relevant modeling scenarios, and design reinsurance placements to protect these portfolios. The industry is also adopting new risk mitigation, pricing and underwriting tactics in order to course-correct from the impact of this expanding cyber risk.
Potential New Attack Vectors and Technology Impacts
Increasing reliance on technology makes businesses more vulnerable to risks inside and outside the organization. The resulting inter-connectivity creates a dependency maze across businesses and their business partners. For the (re)insurance industry, this supply chain web fuels severity concerns and the potential for systemic events.
All the while, threats to businesses are becoming more advanced and difficult to detect. Emerging trends include:
- The proliferation of big data and cloud computing – confidentiality, integrity and availability of data are critical to organizational survival, whether they be nation state secrets, industrial intellectual property (IP) or personal sensitive data
- Cyber-attacks on mobile devices are increasing and are likely to become a primary phishing vector for credential attacks in 2020. As a result, dual-factor authentication will move to multi-factor authentication
- The continued use of social engineering through phishing and smishing
- An increase in the proliferation of malware and ransomware
- The increasing use of artificial intelligence
- Voice-based cybercrime, which is growing along with the explosion of voice-directed digital assistants
- Global adoption of 5G infrastructure technology
- Newer technologies like deep fake video and audio technology.
The Impact of COVID-19 on Business Models
COVID-19 has only accelerated the trajectory of the cyber exposure landscape. As companies adapted to increased working from home circumstances, changing demand for their products and interrupted supply chains, they adapted their business models and utilized new technologies. This new normal has resulted in increased potential for cyber risk events, and we have observed the following cyber risk amplifiers:
- Alternate modes of working
- Different technology utilization
- Less familiar modes of data movement and exchange
- Rebalancing of supply chain dynamics and third party reliance
- Key personnel risk
- Management and staff distraction
- Facility access and collaboration constraints
- Ability to deal with a ‘double whammy’ crisis of COVID-19 and cyber attack
- Rogue actor motivation
While COVID-19 hasn’t introduced new exposure to the cyber insurance industry, these amplifiers have expanded the cyber attack surface and are prompting organizations to manage risk differently. As we look toward 2021, these complexities are shifting the landscape not only for individual businesses, but also the broader risk landscape.
Parallels of COVID-19 and Cyber Risk
The business community is evaluating risk through a transformed lens in light of COVID-19. The (re)insurance sector is also identifying the lessons learned about unforeseen aggregated exposure. The systemic nature of both affirmative and silent cyber risk has long been one of its most defining, and challenging, characteristics. When the impacts of COVID-19 became evident in 2020, we saw parallels to cyber exposure unfold through this other newly emerging industry risk:
- Potential for an aggregated global event with no regional boundaries
- Cascading effects on direct and indirect supply chains
- Multi-prong industry impact manifesting across property, casualty and specialty lines of business
- Policy language that may not explicitly address underwriting intent, or may be triggered inadvertently
- Sweeping financial consequences that could ultimately be an existential threat.
The far-reaching impacts of this event have yielded valuable insights on the criticality of business continuity planning, supply chain resiliency and policy language clarity. Awareness around these issues casts an even brighter spotlight on the (re)insurance industry’s response to cyber risk.
How the Market Continues to Address Silent Cyber
The sector’s understanding of silent cyber has meaningfully developed in recent years following the NotPetya and WannaCry attacks, which highlighted the potentially catastrophic impact of silent cyber within non-cyber lines of business. This underlying exposure’s potential for aggregated loss is currently one of the major issues being considered by the (re)insurance industry.
The UK Prudential Regulatory Authority (PRA) stated on January 30, 2019: “Firms reported challenging market conditions, broker pressure, and lack of historical data, models and expertise as the main impediments for the prudential management of cyber underwriting risk. We appreciate these challenges but do not believe they are insurmountable.” In addition, in January 2019 the PRA issued a “Dear CEO” letter indicating that all (re)insurers should develop Silent Cyber Action Plans to evaluate, model and quantify risks.
The Lloyd’s Market Bulletin that became effective in January 2020 requires all syndicates to provide clarity on the cyber exposure in all their policies, giving clients contract certainty. This approach, which will be phased in over the course of 2020 and 2021, is particularly focused on driving the eradication of silent cyber from traditional lines of insurance by encouraging insurers to identify the exposure and either clearly exclude or affirmatively include it.
Globally, we have seen regulators issue similar statements on managing silent cyber risks, including the European Insurance and Occupational Pensions Authority and, in the United States, the National Association of Insurance Commissioners, each issuing guidelines to help firms manage this risk.
Insurers and reinsurers have now developed underwriting strategies, portfolio roadmaps and clarifying language to address this growing concern. Though formal timeframes have not been established in the United States, it is clear that the changing market conditions of 2020 have created an opportune time for eradication efforts to accelerate around silent cyber.
This industry-wide initiative is a massive undertaking for risk bearers and requires a multi-stakeholder approach with cyber strategies being revisited across all lines of business as new events transpire, incident data becomes more robust and legal precedent develops.
Silent Cyber Modeling and Guy Carpenter Solutions
To address these challenges, (re)insurers require an effective means of qualifying and quantifying the risk of silent cyber across entire portfolios. While many insurers have analyzed their own policy wording, there remain lingering concerns regarding:
- Execution of strategy to attach appropriate exclusionary or clarification wording
- Proper and thorough excess placement analysis of underlying wording
- Manuscript policies, which deviate from standard wording and often offer more generous terms.
To assist in this often highly laborious undertaking, Guy Carpenter has established a strategic relationship with RiskGenius, an insurtech firm that utilizes artificial intelligence to evaluate potential silent cyber exposure at an individual policy level. This offering provides clients with a means of assessing corporate silent cyber exposure at scale, while generating deeper risk insights.
GC Cyber Analytics has also developed an in-house solution that combines the qualitative RiskGenius tool outputs with a proprietary modeling tool for silent cyber – GC SCoPE℠. GC SCoPE utilizes a robust catalog of unique scenarios to model silent cyber across various lines of business. Through this analytic capability, we are able to help clients measure the gross loss impact of cyber events by industry segment, scenario and even by insured.
This level of granularity and transparency of output is critical to our clients to help them proactively address both affirmative and non-affirmative cyber risks, including silent cyber in property, casualty and several other lines of business.
Leading to 2021
For the insurance industry, cyber and technology risks pose a number of opportunities, challenges and threats. Cyber risk is constantly evolving and at an increasingly rapid rate, causing insurers and businesses difficulties in measuring, assessing and responding to cyber events.
Especially with this emerging and dynamic risk, leveraging a comprehensive suite of modeling and analytic resources is increasingly critical as clients build more informed portfolio strategies. 2020 has been a year of unprecedented events, and the complexities innate within cyber risk prove no exception.