Stakeholders of the insurance industry should take advantage of the calm before a potentially bigger cyber-crime storm to get their act together.
Cyber-risk is both a great opportunity and a huge threat for insurers. Insurance giant Allianz predicts that cyber-insurance premiums currently amounting to about £3.05 billion will increase to £15.2 billion by 2025. A 30 to 40 per cent rate of annual growth in the cyber-insurance market looks likely to persist, with the combined ratio in the industry running at 60 per cent.
Two eye-opening cyber-incidents
Two major cyber-attacks, though, have posed some serious questions regarding the aggregate loss insurers and reinsurers may have to deal with if and when cyber-crime becomes even more common.
The first incident insurers and regulators can learn lessons from is the data hack on the room reservation network of giant American hotel chain Marriott. By the time Marriott merged with Starwood Hotels in 2016 to become the biggest hotelier in the world, hacking of personally identifiable information (PII) had already been going on for two years. The hotel chain reported the breach to authorities following an alert in its internal security system in September 2018.
More than half of the 500 million victims of the hack had their passport numbers, emails, date of birth, gender and mailing addresses stolen. Moreover, Marriott couldn’t definitively rule out the exposure of credit card information either.
Marriott’s cyber-insurance cover, ranging between £190 and £260, will most probably be wiped out by just the claims for the cost of data recovery. (Pressed by US senators and the New York Attorney, Marriott pledged to pay £84 compensation to cover the cost of new passports.) At this scale, the cost of contacting customers alone adds up to a large sum, which may then be compounded by lawsuit costs (a class-action lawsuit is claiming $12.5 million in damages) and business interruption during the overhaul of the computer system.
Although the Marriott hack stands a good chance of becoming the largest affirmative cyber-insurance claim to date, and the hotel chain might become the first to pay a hefty GDPR fine, the WannaCry ransomware attack of 2017 made an even deeper impression on CEOs’ minds regarding the importance of cyber-insurance.
While client data gained from identity theft almost invariably ends up on the dark net, where it becomes untraceable and the abuse of data can go unnoticed for years, WannaCry was a type of denial-of-service (DoS) attack, taking down entire computer systems at businesses and public institutions one after the other. Although the ransomware was stopped in its tracks when a software engineer accidentally stumbled on a cure, risk analysts estimate the aggregate economic loss the attack caused over four days at approximately £3 billion – with the actual ransom figures eventually paid out by victims accounting for only £50,000.
The slim silver lining on the sinister cloud of cyber-attacks is a sharp spike in the number of cyber-insurance inquiries and orders following the incidents, as well as insurers’ growing willingness to confront the problem of non-affirmative or silent risk.
Silent risk exposure
Catastrophic cyber-attacks and the resulting losses for insurers have put the issue of non-affirmative or silent risk under the spotlight. Insurers can incur non-affirmative or silent losses through other P/C and liability insurance policies that don’t exclude cyber-risk explicitly. In the case of cyber-attacks such as the Marriott data breach or the WannaCry attack, it is extremely hard to quantify the insurer’s cyber-risk exposure, as up to 90 per cent of the risk may come not from cyber-insurance but from other policies, especially if countries with low cyber-insurance uptake have been hit by the attack.
In the wake of these cyber-attacks, insurers are trying to tighten up their non-cyber policy documents by rewording and amending them to eliminate any ambiguities. Allianz, for example, a global insurer spearheading this trend, aims to include cyber-related “pure financial losses” without any injuries or damage only in dedicated cyber-insurance covers. Regulatory and rating agencies have also put a lot of pressure on insurers recently to provide clarity about their cyber-risk exposure.
But in order to design new cyber-insurance products, insurers need a lot of data which they simply don’t have at their disposal, due to the novelty and the changing nature of cyber-risks. In a discussion about the data shortage problem, TransRe’s Kara Owens, Global Head of Cyber Risk, explained that, although her firm, being a reinsurer, is sitting on a lot of data, this data hasn’t historically been coded as cyber-risk, but rather under policies that provide cover against inadequate work or negligent actions. “We have to manually go through all claims, and we can’t change anything in the system because then that’s going to mess everything up,” she explains.
Risk modelling firms coming to the rescue
The low number of major cyber-attacks and the resulting lack of cyber-insurance data, however, also present risk-modelling firms with a great opportunity. These companies harvest data from public and closed sources to quantify the cyber-risk exposure of insurers and businesses. One of the most often used risk-modelling techniques relies on scenario planning. The business first undergoes a cyber-security resilience analysis, the results of which are then processed through a number of risk-scenario models to help predict the frequency and severity of the attacks that the business is likely to experience, or that the insurer may have to pay out compensation for. To make sure that the assessment keeps pace with the latest challenges coming from cyber-criminals, threat intelligence from real-time incidents is continuously fed into the scenarios.
One would think that risk-modelling is typical insurtech territory. However, technology obviously can’t go it alone. The increasing severity of recent cyber-attacks calls for all stakeholders – incumbent insurers, insurtechs, businesses and regulators – to join forces and use the current respite to reinforce their defences and step up their cyber-security game. Make no mistake, the last season of cyber-crimes is bound to be followed by new ones of increasing severity.