
The silent treatment

Open-access content Tuesday 14th April 2020 — updated 9.26pm, Wednesday 29th April 2020

Simon Cartagena and Jasvir Grewal explain the issue of non-affirmative ‘silent’ cyber exposure, and share the Cyber Risk Working Party’s framework for helping insurance companies to address it


We live in a digitally connected world, with processes more and more dependent on information technology (IT) systems. This is generating opportunities for new insurance products and coverages addressing the cyber risks that companies now face. However, it is also changing the risk landscape of existing classes of business within non-life insurance, where there is inherent risk of loss as a result of IT events that cannot be excluded in policy wordings.

Affirmative vs non-affirmative cyber exposure 

Affirmative cover is where the exposure has been intended to be included in the underwriting process and allowed for in the pricing of the policy, based on the risk it presents to the insured. Losses arising on a standalone cyber policy, or where coverage has been added to any other standard policy such as property or general liability, are affirmative losses. These typically cover the first- and third-party costs associated with a data breach and/or network security failure.

Non-affirmative exposure concerns the risk of losses on a policy resulting from ‘cyber as a peril’, where the peril has not been explicitly considered and/or priced for during underwriting. The risk arises when an insurance policy’s wording does not make it sufficiently clear whether losses resulting from a cyber-induced event are included or excluded. In contract wordings, the market has struggled to address ‘silent’ exposure across most lines of business in recent years. Some classes of business, such as property and marine, have recognised the exposure by use of write-backs and exclusionary language. Depending on the line of business, the approach to turning any ‘silent’ exposure into a known quantity will vary – it could be by robust exclusionary language, pricing, or exposure monitoring. Many of the standard wordings have been challenged recently, and the market is adopting new clauses to clarify what the client is covered for and what the insurer has accepted as a risk. 

"Some firms have assessed their non-affirmative cyber exposure as being comparable with major natural catastrophes in the US"

What do the regulators have to say? 

Non-affirmative cyber exposure has recently come to the attention of regulators. In January 2019, Anna Sweeney of the PRA reported that firms “almost all agreed that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk”. In July of the same year, Lloyd’s released a bulletin that alerted market participants to upcoming requirements for clarity on coverage for cyber exposures in all policies. In particular, the first phase of the new changes mandates that all first-party property damage policies must clearly state whether they will provide or explicitly exclude affirmative cyber cover.

As could be expected with a risk that has only come into the spotlight during the past few years, approaches taken to identify, quantify and mitigate non-affirmative cyber exposure vary. This range of approaches was also mentioned by Anna Sweeney: she stated that, while some variations in results could be expected due to differences in underlying portfolios, another explanation could be differences in how entities perceive their non-affirmative cyber exposure. Furthermore, she said, “this suggests that some firms should give further thought to the potential for cyber exposure within these specific portfolios.”

Silent cyber assessment framework

The IFoA Cyber Risk Working Party has recently proposed a framework to help insurance companies address non-affirmative cyber risk across their portfolios; Figure 1 summarises the framework. While the framework is not intended to be an all-encompassing solution, it has been developed to help those addressing the issue to perform a structured analysis.  

Note that it is not a requirement to perform every step, or every detail within each step. The framework is suggested best practice, and a proportionate approach is encouraged.

Each company will need to tailor the basis of the framework to fit its structure and underwriting procedures. Ultimately the framework should be used to help analysts engage with management on this issue so that the risk is understood, and risk mitigation actions can be taken. 

Figure 1: The Cyber Risk Working Party’s Silent Cyber Assessment Framework

1 Define exposure
  • Identify and define lines of business to be included in your assessment
  • Define what exposure measure forms the basis, ie maximum probable loss/notional
  • Determine if you will consider cyber sub limits

2 Wording matrix
  • Assess the usage of contract wordings against lines of business underwritten
  • Perform a wordings confidence assessment
  • Consider any difference between direct and reinsurance
  • Consult legal/claims and cyber subject matter experts where possible

3 Policy level review
  • Assess policies individually where possible
  • Focus on material/peak exposures
  • Consider any industry concentrations that may be a concern
  • Consider sample approach to gain sufficient coverage

4 Apply matrix to exposure
  • Combine exposure with the contract confidence
  • Where policy information is known, determine exposure
  • Where policy wording is unknown, use market approach

5 Define clash coverages
  • Consider where cyber-triggered coverages may clash with other lines of business
  • Include legal/underwriting departments and claims where possible
  • Tailor this to the business you write to understand where to focus strategy

6 Apply clash to exposure
  • Apply the clash assessment to the silent/affirmative (and if required excluded) exposure
  • Understand where the main coverages at risk within your portfolio exist

7 Generate silent cyber scenarios
  • Generate relevant and specific silent scenarios to understand possible impacts to your portfolio
  • Consider peak exposures/clash coverages/industry sectors
  • Consider relevant clauses triggered by your scenario

8 Create management info packs
  • Communicate uncertainty
  • Highlight wording usage and confidence in those wordings
  • Present scenarios that convey the risk to your portfolio

9 Develop strategy and risk appetite
  • Do you need to improve data?
  • Define risk appetite for silent cyber
  • Update policies to address exposure concerns
  • Consider risk mitigation options, both internally and external risk transfers
  • Consider if you meet any regulatory requirement

10 Embed as business-as-usual
  • Turn the process into business-as-usual and regular reporting cycle to management
  • Engage with underwriting department and claims regularly
  • Follow market updates and trends to keep analysis relevant

Why bother? 

Risk managers and actuaries should be aware of the various sources of non-affirmative cyber risk in a portfolio of business to ensure exposures are being adequately priced for, as well as captured appropriately in capital and pricing models. Reputational costs, as well as increased regulatory interest (from the PRA and/or Lloyd’s), also need to be considered.

As mentioned in the PRA’s letter at the start of this year, some firms have assessed their non-affirmative cyber exposure “as being comparable with major natural catastrophes in the US”. Non-affirmative cyber risk is a real threat, and recent cyber events have highlighted that it could threaten an organisation’s ongoing viability; 90% of the Petya/NotPetya ransomware industry losses, for example, were classed as non-affirmative losses.

The proposed framework is one way to bring consistency to non-affirmative exposure assessment, as well as provide a process for the subsequent generation of loss scenarios. It provides a common taxonomy to ensure key aspects of silent cyber risk are considered, and sets out examples of how to implement the framework. 

When will silent cyber end?

Looking at the increased regulatory pressure and management engagement on silent cyber risk, it would be easy to conclude that it will soon cease to be an issue. In practice, it’s likely that silent cyber will remain a risk in some form for the foreseeable future. Contract wordings and exclusions can do a good job of making it clear how a policy responds to any cyber event. However, they are subject to courts’ interpretations across many jurisdictions, which are difficult to predict. As cyber events become normalised, assureds will seek to recover those costs on their policies where they can. 

Furthermore, the IT landscape is evolving, meaning the changing risk landscape is hard to understand and predict. These changes can increase, decrease or transform the risk profile of traditional policies, and the past may not accurately predict the future of the product. 

Ultimately, insurers should be able to manage single-event losses resulting from cyber across any line of business with traditional underwriting management processes. The risk from the known unknown cyber accumulation scenario is ever increasing, rather than reducing.  

What next?

The Cyber Risk Working Party encourages companies to use its framework where useful, and to help educate management on the risks that cyber peril poses to existing business. Good risk and underwriting management should engage with management to outline a clear strategy for managing this evolving risk and define their own appetite, given their understanding. Furthermore, collaborating and sharing information on cyber risks across the market will help the industry prepare for the inevitable. 

Simon Cartagena is an actuary within the Risk Management team at SCOR 

Jasvir Grewal is a general insurance actuary at Arcus 1856
