‘Silent’ cyber is risky business for underwriters

20 February 2017

Justin Clarke, Director of Underwriting and Pricing at NIG, explores the PRA’s warnings about ‘silent’ cyber loss and what insurers and government can do to reduce risk.

With cyber crime on the rise, there’s a growing need for insurers to provide explicit cover. Last July, we reported in Cyber Insights that 90% of large UK businesses had suffered an online security breach; but the question remains, are insurers keeping up with cyber threats, and how can businesses manage ‘silent’ cyber risk – where cover for cyber risk is implied in policies, but not specifically included or excluded?

The UK’s Prudential Regulation Authority (PRA) tackled these issues in their CP39/16 consultation paper (SC1). Released in November 2016, the paper addresses affirmative cyber insurance policies (policies that explicitly cover cyber risk, such as data breach products) and ‘silent’ cyber risks.

In it, the PRA notes that insurers don’t fully understand their exposure nor have clear strategies to manage cyber risks. It concludes that to close the gap, they must invest in cyber expertise.

Risky business

In an accompanying letter (SC2) to insurance company CEOs, PRA director of general insurance, Chris Moulder, warns underwriters are committing “material shortcomings” when managing ‘silent’ cyber risk. Like failing to have a clear strategy for managing threats: “The PRA’s work found an almost universal acknowledgement of the loss potential of cyber exposures endemic in ‘silent’ cyber,” Moulder writes, “however, most insurers did not demonstrate robust methods for quantifying and managing ‘silent’ cyber risk.”

The industry watchdog highlighted several cyber underwriting challenges:

• The potential for ‘silent’ cyber loss is increasing over time.
• Uncertainty around the exposure and response of reinsurance contracts.
• Insurers lack clear strategies and risk appetites.
• Insurers aren’t investing enough in cyber expertise, and don’t always understand affirmative cover risks.
• Risk management teams aren’t properly skilled or experienced to effectively challenge the business.
• The new EU Data Protection Directive in 2018 will increase businesses’ affirmative cyber exposure.

How to reduce ‘silent’ cyber risk

The PRA sets out steps insurers should take to reduce their risk. This includes investing in cyber expertise, and effectively monitoring, managing and mitigating ‘silent’ cyber risk effectively. Insurers should also develop a risk strategy and appetite statements, which the board should own and regularly review.

To do this, the PRA suggests adjusting premiums to reflect the extra risk and offer explicit cover, or introducing “robust wording exclusions”, or by offering cyber cover at no extra premium, in instances when the board agrees a line of business doesn’t carry material ‘silent’ cyber risk.

Why has ‘silent’ cyber risk become so important?

“In the past few years, cyber insurance has been a key growth area for insurance and reinsurance businesses, even against a background of softening rates and challenging market conditions,” Moulder writes.

Ignoring these challenges could impact insurers’ viability – and damage the industry’s reputation.

The changes will also give policyholders peace of mind, and a better understanding of their type and level of cover. Since cyber insurance is still relatively new, many customers (and insurers, according to the PRA) often don’t know if they’re adequately covered for cyber incidents.

Given the average cost of a cyber attack has more than doubled since 2014, to between £1.5m and £3m for large business and up to £300,000 for small businesses, now is the time to act (SC3).

Do we need a government guarantee?

That being said, insuring against cyber risk is incredibly (and increasingly) difficult.

As Mark Field, MP for Cities of London and Westminster, writes, “The lack of data when it comes to insuring against such an onslaught makes the modelling of loss scenarios extremely hard. As a result, significant solvency requirements are likely to be imposed on any insurer offering cover for cyber-related losses and it is hard to secure losses over £100m” (SC3).

There has been talk that reinsurance scheme Pool Re’s cyber exclusion could be softened to cover cyber-enabled property damage. Think cyber terrorists overriding a chemical plant’s safety systems and triggering an explosion.

In case you’re not aware, Pool Re is a joint partnership between the government and insurers, backed by a government guarantee which pools premiums to cover losses from terrorist incidents. Like Flood Re, introduced after devastating floods hit in 2013, it plugs the insurance gap.

The Pool Re team has been working with the Centre for Risk Studies, Cambridge Judge Business School to explore cyber risk and how the scheme might respond to cyber-terrorism incidents. Extending the scheme’s protection could bolster industry, the community and the economy against large-scale cyber attacks.

As Mark Field points out, it makes sense since terrorism and cyber risk are now intertwined. So “rather than create a standalone Cyber Re which, like Flood Re, could take years to establish, we might look instead at a broader catastrophe pool that could be expanded in response to emerging threats.”

Such a scheme would boost our security and cyber-terrorism resilience, ignite best practice, and help us collect data to better guide cyber policies and pricing thereby making the UK a global leader in cyber security and expertise (SC3).

Insurers would still have to play their part, insuring losses under a certain amount – with government footing the bill for lofty losses.

Insurance requirements

With the issue of ‘silent’ cyber risk in mind, now would be a good time to explore NIG’s Cyber Cover policy which was given a 4/5* rating by an independent broker reviewer in Insurance Times during 2016.

The comprehensive cover that our product offers, including our 24/7 support, can go a long way to helping safeguard the future of your business should you ever be the victim of a cyber-attack. Here’s what our Cyber policy also covers: 

• Cybercrime – financial loss from hacking, fraudulent input or alteration of data
• Cyber liability – damages and defence costs attributed to a data breach
• Data-Breach expense – the cost of expenses following a data-protection failure
• Third party data storage – data held at a third party storage provider
• Loss of business income following a cyber-event (Optional)
• Damage, loss, corruption and breakdown of hardware (Optional)
• Data corruption and extra costs (Optional)

You can find more information about NIG’s Cyber Cover product, including Key Facts, Sales Aid, Proposal Form and Policy Wording, on our website here. 

NIG. Here’s Why…

As well as having a great Cyber Cover product, here are some key benefits of choosing NIG:

• Established – we have more than 120 years of commercial underwriting expertise.
• Focus – we’re 100% focused on brokers, and trade all of our products exclusively through UK brokers
• Size and scale – as part of the Direct Line Group we have the strength, security, and scale of a FTSE 100 company behind us.
• Comprehensive – our extensive range of products cater for businesses large and small.
• Competitive – our one-quote-to-market principle provides a real edge for brokers.
• Financial support – we can provide in-house surveying and risk management funding
• UK-wide – we have eight regional offices across the UK, combining regional coverage with local expertise.

Sources.

SC1: http://www.bankofengland.co.uk/pra/Documents/publications/cp/2016/cp3916.pdf

SC2: http://www.bankofengland.co.uk/pra/Documents/about/letter141116.pdf

SC3: http://www.cityam.com/238785/how-london-can-turn-the-cyber-attack-onslaught-into-an-opportunity