NotPetya. It crippled the largest transportation and logistics company in the world. It paralysed corporations. It was deemed ‘hostile’ and ‘warlike’ by global leaders. It was one single piece of code that jolted the world awake to the scary realities of cyber risk.
More than two-years after NotPetya malware began spreading independently around the world, encrypting files beyond repair and causing chaos in its wake, the attack remains the costliest cyber incident in history. This isn’t because particularly high ransom was demanded to decrypt infected systems. Rather, NotPetya was coded in such a way that, even if users did pay up, their data could never be recovered.
The attack was devastating due to the mass accumulation of risk that it successfully exploited. Victims – including giants like transport, logistics and energy firm, Maersk – had to pay out billions of dollars to cover property damages, business interruption loss, reputational harm, and the list goes on. There was a lot of ‘shock loss’ with NotPetya-related issues reaching far beyond IT systems and causing headaches not only for the victims but also for their insurer partners.
“Boards of directors are really concerned about accumulation of risk due to a cyber event, and NotPetya is what scared everyone into waking up to the potential for accumulation of risk,” said Emy Donavan, global head and chief underwriting officer of cyber, tech and media PI at Allianz Global Corporate & Specialty (AGCS). “When underwriting larger risks, we fully expect that many of our clients will have some sort of cyber issue. We’ve constructed our portfolio in a certain way to mitigate against shock loss.”
One of the issues pertaining to accumulation of risk due to a cyber event is silent cyber, or non-affirmative cyber. This refers to cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. Essentially, there’s some coverage ambiguity whereby an insurer may have to pay claims for cyber losses off a policy not designed for that purpose. If they haven’t factored in that silent or non-affirmative risk, they can suffer shock losses on their portfolio.
AGCS was one of the first insurers worldwide to mandate that they would provide affirmative cyber coverage across traditional P&C insurance products. This is now something that many insurers are getting onboard with after increased pressure to provide coverage clarity by regulators, rating agencies, analysts, shareholders and so on.
“There’s no reason that the property team shouldn’t cover property damage associated with a cyber event,” Donavan told Insurance Business. “The reason for that is – when the property damage occurs, it’s entirely possible they may not know the damage was due to a cyber event. Also, cyber underwriters aren’t property underwriters. We don’t know how to do property loss evaluations and so on, but the property underwriters are experts in that. So, we decided to leave the cyber aspect of the insured’s property risk, which was covered on a silent basis, in the hands of our property underwriters – but we decided to affirm it.
“It’s the same in product recall and other liability policies. We’re keeping the decisions in the underwriters’ hands, but we’re providing them with affirmative tools. That’s the first step towards getting your arms around the accumulation of risk across your portfolio. If you can’t name a risk that you’ve captured on your policy and you can’t look at the risk on that policy, then you’ll never be able to get your arms around the risk accumulation on your portfolio. You’re really just guessing at that point. That’s why we decided that giving our clients more clarity around what they’re actually getting from their policies is a big benefit for everybody.”
AGCS also took the position that just because they’re affirmatively covering a risk that was previously covered on a silent basis, that extra coverage clarity doesn’t justify charging additional premium. Some lines of business might be under-priced, Donavan admitted, but that was their situation before the insurer took this stance on silent cyber. She added: “We may need to make some rate adjustments in certain lines of business, but we’ll do that in a transparent manner that will keep our brokers and our clients comfortable. I think we’re taking a very responsible approach to this.”