For insurance company Chief Risk Officers, evolving and increasing cybersecurity risks will be hard to ignore in 2017. In addition to fending off cyber-attacks, as every enterprise must, insurance companies will also face new legal and regulatory cyber challenges by way of a groundbreaking regulation from New York’s Department of Financial Services and possibly a Model Law from the National Association of Insurance Commissioners. Meanwhile, insurers are writing more cyber coverage, triggering concerns about cyber events simultaneously affecting multiple insureds across the insurer’s portfolio and leading to massive aggregated losses. While addressing these “noisy” cyber risks will not be an easy task from a risk management perspective, a more subtle and potentially more dangerous cyber risk, a “silent” cyber risk, will likely prove even more challenging for today’s CROs.
What is Silent Cyber Risk?
In its November 2016 Consultation Paper, the Prudential Regulation Authority (PRA) of the Bank of England defined “silent cyber” as “implicit cyber exposure within ‘all risks’ and other liability policies that do not explicitly exclude cyber risk.” Following discussions with relevant stakeholders, including insurance and reinsurance firms, (re)insurance intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators, the PRA made the following observations:
- there is an almost universal acknowledgement of the loss potential of silent cyber risk;
- the potential for a significant silent cyber insurance loss is increasing with time;
- casualty (direct and facultative), marine, aviation and transport (MAT) lines of business are potentially significantly exposed; and
- the exposure and response of reinsurance contracts is uncertain.
In today’s increasingly digitalized and connected world, it is not difficult to imagine an intentionally caused or accidental technology mishap resulting in mass property damage, bodily injury, and/or business interruption claims simultaneously impacting policies that are not traditionally triggered by, or underwritten to respond to, cyber events. Although this type of “Cyber Superstorm” has not yet materialized, it can no longer be considered hypothetical.
The Role of the CRO
The quantification and aggregation of risks has long been the domain of the CRO and the Enterprise Risk Models (ERM) they maintain. The responsibility to sustain best practices requires the CRO to identify, monitor, and mitigate the risks to their organization under the oversight of the board of directors. For the insurance company CRO, those risks include not only the company’s own risks as a business enterprise, but also the risks the company undertakes in the policies it issues to its insureds. For risks in the latter category, CROs traditionally look at both the reserving risk of past policies and the premium risk of pending policies. Quantification of both types of risk is based on historical correlations grounded in well-documented loss history between the various insurance lines.
In the case of emerging cyber threats, however, no such history exists. Insurance risk aggregations created using historical correlations between lines of business will not capture the new dynamic that is created by a Cyber Superstorm. Therefore, and regrettably, these losses would present themselves more like a Black Swan event, with traditional correlations breaking down and losses aggregating across historically uncorrelated lines of business.
Quantifying the Silent Cyber Risk
Fortunately, the difficulty of quantifying the silent cyber risk does not mean that CROs are unable to address the risk in their ERM. Leading organizations will meet the silent cyber challenge with internal resolve and cross-functional quantification efforts. Using a library of historically impossible line-of-business loss combinations, they will capture aggregations across their company’s universe of in-force policies. While historical data will be of little use in these efforts, actuaries and data analysts can work closely with technology and policy experts to provide insight that can help inform the organization about possible calamitous aggregations. Technology will provide some parts of the solution when wielded by a skilled team.
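As an added illustration of the scenario-library approach described above (example code written for this page, not a model from the author, the PRA or any insurer), the following Python sketch walks a constructed in-force portfolio with a constructed library of technology-failure scenarios. Each scenario names the lines of business it would trigger and an assumed loss fraction per affected policy; policies whose wording carries an explicit cyber exclusion contribute nothing, so what remains is the silent exposure. A constructed set of line pairs that the loss history treats as uncorrelated is used to flag exactly the aggregations a correlation-based model would miss. All policy ids, limits, lines, fractions and the uncorrelated pairs are assumptions for the example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: str
    line: str             # line of business the policy is written in
    limit: float          # policy limit (constructed figure, in USD)
    cyber_excluded: bool  # True when the wording carries an explicit cyber exclusion


# Constructed in-force portfolio; ids, lines and limits are illustrative only.
PORTFOLIO: List[Policy] = [
    Policy("P-001", "property", 10_000_000, cyber_excluded=False),
    Policy("P-002", "property", 5_000_000, cyber_excluded=True),
    Policy("C-001", "casualty", 8_000_000, cyber_excluded=False),
    Policy("M-001", "marine", 12_000_000, cyber_excluded=False),
    Policy("A-001", "aviation", 20_000_000, cyber_excluded=False),
    Policy("A-002", "aviation", 4_000_000, cyber_excluded=True),
]

# Constructed scenario library: one technology failure per entry, mapping each
# triggered line to the assumed fraction of limit lost on every affected policy.
SCENARIOS: Dict[str, Dict[str, float]] = {
    "port_control_outage": {"marine": 0.5, "casualty": 0.25},
    "air_traffic_software_fault": {"aviation": 0.25, "casualty": 0.5},
    "smart_building_fire": {"property": 0.5},
}

# Line pairs the (constructed) loss history shows as uncorrelated, stored as
# sorted tuples. A scenario hitting both members of a pair is an aggregation
# that a model built on historical correlations will not capture.
HISTORICALLY_UNCORRELATED = {
    ("casualty", "marine"),
    ("aviation", "casualty"),
    ("aviation", "property"),
}


def aggregate_loss(portfolio: List[Policy],
                   scenario: Dict[str, float]) -> Tuple[float, Dict[str, float]]:
    """Sum one scenario's losses over policies whose wording is silent on cyber."""
    by_line: Dict[str, float] = {}
    for p in portfolio:
        if p.cyber_excluded or p.line not in scenario:
            continue  # explicit exclusion or unaffected line: no silent exposure
        by_line[p.line] = by_line.get(p.line, 0.0) + p.limit * scenario[p.line]
    return sum(by_line.values()), by_line


def novel_line_pairs(by_line: Dict[str, float]) -> List[Tuple[str, str]]:
    """Pairs of lines hit together that history says do not move together."""
    hit = sorted(line for line, loss in by_line.items() if loss > 0)
    return [pair for pair in combinations(hit, 2) if pair in HISTORICALLY_UNCORRELATED]


def run_library(portfolio: List[Policy],
                scenarios: Dict[str, Dict[str, float]]) -> Dict[str, dict]:
    """Evaluate every scenario in the library against the in-force portfolio."""
    results = {}
    for name, scenario in scenarios.items():
        total, by_line = aggregate_loss(portfolio, scenario)
        results[name] = {
            "total": total,
            "by_line": by_line,
            "novel_pairs": novel_line_pairs(by_line),
        }
    return results


if __name__ == "__main__":
    for name, r in run_library(PORTFOLIO, SCENARIOS).items():
        flag = "  <- aggregation across historically uncorrelated lines" if r["novel_pairs"] else ""
        print(f"{name}: {r['total']:,.0f}{flag}")
```

The point of the flagging step is the one the article makes: the port-control scenario produces a marine loss and a casualty loss in the same event, a combination absent from the loss history, so a correlation-driven aggregation would understate it while the scenario library surfaces it directly.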
Not explicitly recognizing silent cyber exposure relegates the risk to the operational risk bucket, the dominion of all the too-difficult-to-quantify risks. This approach will likely result in unforeseen loss aggregations, possibly some reputational harm, and probably one or two insurance company failures that could have been averted.
The losses associated with a Cyber Superstorm have the potential to outpace many currently recognized catastrophe loss causes and will require explicit recognition in best practice. Strategy and risk discussions will intensify in C-suites in 2017 as cyber claims continue to generate headlines and regulators scrutinize a rapidly growing and not well understood emerging risk. The challenge of silent cyber will be pushed into sharp focus as technology continues to outpace insurers’ appreciation of what they are insuring in the aggregate.