Simon Cartagena and Jasvir Grewal explain the issue of non-affirmative ‘silent’ cyber exposure, and share the Cyber Risk Working Party’s framework for helping insurance companies to address it
We live in a digitally connected world, with processes more and more dependent on information technology (IT) systems. This is generating opportunities for new insurance products and coverages addressing the cyber risks that companies now face. However, it is also changing the risk landscape of existing classes of business within non-life insurance, where there is inherent risk of loss as a result of IT events that cannot be excluded in policy wordings.
Affirmative vs non-affirmative cyber exposure
Affirmative cover is where the exposure has been intended to be included in the underwriting process and allowed for in the pricing of the policy, based on the risk it presents to the insured. Losses arising on a standalone cyber policy, or where coverage has been added to any other standard policy such as property or general liability, are affirmative losses. These typically cover the first and third-party costs associated with a data breach and/or network security failure.
Non-affirmative exposure concerns the risk of losses on a policy resulting from ‘cyber as a peril’, where the peril has not been explicitly considered and/or priced for during underwriting. The risk arises when an insurance policy’s wording does not make it sufficiently clear whether losses resulting from a cyber-induced event are included or excluded. In contract wordings, the market has struggled to address ‘silent’ exposure across most lines of business in recent years. Some classes of business, such as property and marine, have recognised the exposure by use of write-backs and exclusionary language. Depending on the line of business, the approach to turning any ‘silent’ exposure into a known quantity will vary – it could be by robust exclusionary language, pricing, or exposure monitoring. Many of the standard wordings have been challenged recently, and the market is adopting new clauses to clarify what the client is covered for and what the insurer has accepted as a risk.
"Some firms have assessed their non-affirmative cyber exposure as being comparable with major natural
catastrophes in the US"
What do the regulators have to say?
Non-affirmative cyber exposure has recently come to the attention of regulators. In January 2019, Anna Sweeney of the PRA reported that firms “almost all agreed that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk”. In July of the same year, Lloyd’s released a bulletin that alerted market participants to upcoming requirements for clarity on coverage for cyber exposures in all policies. In particular, the first phase of the new changes mandates that all first-party property damage policies must clearly state whether they will provide or explicitly exclude affirmative cyber cover.
As could be expected with a risk that has only come into the spotlight during the past few years, approaches taken to identify, quantify and mitigate non-affirmative cyber exposure vary. This range of approaches was also mentioned by Anna Sweeney: she stated that, while some variations in results could be expected due to differences in underlying portfolios, another explanation could be differences in how entities perceive their non-affirmative cyber exposure. Furthermore, she said, “this suggests that some firms should give further thought to the potential for cyber exposure within these specific portfolios.”
Silent cyber assessment framework
The IFoA Cyber Risk Working Party has recently proposed a framework to help insurance companies address non-affirmative cyber risk across their portfolios; Figure 1 summarises the framework. While the framework is not intended to be an all-encompassing solution, it has been developed to help those addressing the issue to perform a structured analysis.
Note that it is not a requirement to perform every step, or every detail within each step. The framework is suggested best practice, and a proportionate approach is encouraged.
Each company will need to tailor the basis of the framework to fit its structure and underwriting procedures. Ultimately the framework should be used to help analysts engage with management on this issue so that the risk is understood, and risk mitigation actions can be taken.
Figure 1: The Cyber Risk Working Party’s Silent Cyber Assessment Framework
1 Define exposure
Identify and define lines of business to be included in your assessment
Define what exposure measure forms the basis, ie maximum probable loss/notional
Determine if you will consider cyber sub limits
2 Wording matrix
Assess the usage of contract wordings against lines of business underwritten
Perform a wordings confidence assessment
Consider any difference between direct and reinsurance
Consult legal/claims and cyber subject matter experts where possible
3 Policy level review
Assess policies individually where possible
Focus on material/peak exposures
Consider any industry concentrations that may be a concern
Consider sample approach to gain sufficient coverage
4 Apply matrix to exposure
Combine exposure with the contract confidence
Where policy information is known,determine exposure
Where policy wording is unknown, use market approach
5 Define clash coverages
Consider where cyber-triggered coverages may clash with other lines of business
Include legal/underwriting departments and claims where possible
Tailor this to the business you write to understand where to focus strategy
6 Apply clash to exposure
Apply the clash assessment to the silent/affirmative (and if required excluded) exposure
Understand where the main coverages at risk within your portfolio exist
7 Generate silent cyber scenarios
Generate relevant and specific silent scenarios to understand possible impacts to your portfolio
Consider peak exposures/clash coverages/industry sectors
Consider relevant clauses triggered by your scenario
8 Create management info packs
Highlight wording usage and confidence in those wordings
Present scenarios that convey the risk to your portfolio
9 Develop strategy and risk appetite
Do you need to improve data?
Define risk appetite for silent cyber
Update policies to address exposure concerns
Consider risk mitigation options, both internally and external risk transfers
Consider if you meet any regulatory requirement
10 Embed as business-as-usual
Turn the process into business-as-usual and regular reporting cycle to management
Engage with underwriting department and claims regularly
Follow market updates and trends to keep analysis relevant
Risk managers and actuaries should be aware of the various sources of non-affirmative cyber risk in a portfolio of business to ensure exposures are being adequately priced for, as well as captured appropriately in capital and pricing models. Reputational costs, as well as increased regulatory interest (from the PRA and/or Lloyd’s), also need to be considered.
As mentioned in the PRA’s letter at the start of this year, some firms have assessed their non-affirmative cyber exposure “as being comparable with major natural catastrophes in the US”. Non-affirmative cyber risk is a real threat, and recent cyber events have highlighted that it could threaten an organisation’s ongoing viability; 90% of the Petya/NotPetya ransomware industry losses, for example, were classed as non-affirmative losses.
The proposed framework is one way to bring consistency to non-affirmative exposure assessment, as well as provide a process for the subsequent generation of loss scenarios. It provides a common taxonomy to ensure key aspects of silent cyber risk are considered, and sets out examples of how to implement the framework.
When will silent cyber end?
Looking at the increased regulatory pressure and management engagement on silent cyber risk, it would be easy to conclude that it will soon cease to be an issue. In practice, it’s likely that silent cyber will remain a risk in some form for the foreseeable future. Contract wordings and exclusions can do a good job of making it clear how a policy responds to any cyber event. However, they are subject to courts’ interpretations across many jurisdictions, which are difficult to predict. As cyber events become normalised, assureds will seek to recover those costs on their policies where they can.
Furthermore, the IT landscape is evolving, meaning the changing risk landscape is hard to understand and predict. These changes can increase, decrease or transform the risk profile of traditional policies, and the past may not accurately predict the future of the product.
Ultimately, insurers should be able to manage single-event losses resulting from cyber across any line of business with traditional underwriting management processes. The risk from the known unknown cyber accumulation scenario is ever increasing, rather than reducing.
The Cyber Risk Working Party encourages companies to use its framework where useful, and to help educate management on the risks that cyber peril poses to existing business. Good risk and underwriting management should engage with management to outline a clear strategy for managing this evolving risk and define their own appetite, given their understanding. Furthermore, collaborating and sharing information on cyber risks across the market will help the industry prepare for the inevitable.
Simon Cartagena is an actuary within the Risk Management team at SCOR
Jasvir Grewal is a general insurance actuary at Arcus 1856