The call for collaboration on battling cyber risk is a beacon that has been lit by many organisations, associations and corporations to date. An example of collaboration done right in this space was recently presented to the market in the form of a report by CyberCube, AM Best and Aon, which revealed that the hidden cyber risk in the US property market could lead to $12.3 billion in non-physical damage losses.
Commenting on the report, Rebecca Bole, CyberCube’s head of industry engagement, clarified that while the report spotlighted one small sub-segment of the P&C market, it’s fair to say that this issue of silent cyber is likely not limited to just the small-to-medium-sized US commercial property portfolio modelled in the report. What this report has done, she said, is move the theoretical to the concrete and the practical by taking this portfolio and modelling it, and in doing so it has derived some key takeaways.
“The main conclusion that I draw from the report,” she said, “is that this is a call to action for carriers to assess the cyber risk in non-affirmative policies - to quantify that risk, and then to underwrite and price it accordingly, and then to apply good portfolio management and enterprise risk management best practices to them.
“And it’s also good for policyholders to have that clarity of cover, [to know] what it is that may be covered and how their policies might respond. I think that call to action for carriers to dig into their portfolios and assess that cyber risk in them was probably the stronger takeaway for me than the actual numbers themselves necessarily.”
If recent high-profile cyber security events haven’t sharpened the attention of the industry when it comes to cyber, then they ought to, Bole noted. CyberCube’s modelled one-in-100-year loss estimate suggested that the US property market is exposed to $9.5 billion of attritional losses, she said, which is in keeping with the waves of ransomware attacks being seen across the wider market, where data loss is still prevalent and those types of claims are being paid.
Looking at the $3 billion of catastrophic losses, she said, it’s again around ransomware and data loss.
“The report highlights that not just catastrophic but attritional losses are being paid outside of standalone cyber policies,” Bole said. “But also that, within those catastrophic losses, the types of attacks that are occurring and could occur in today’s environment would certainly hit some of those non-affirmative policies as well.”
Exploring whether more carriers are now looking to explicitly include or exclude cyber coverage in their policies, Bole stated that the UK has led the way on this subject with work done by the LMA, Lloyd’s and the PRA calling for explicit treatment for cyber exposures in non-affirmative policies. The rest of the world is starting to follow that lead from a regulatory oversight perspective, she said, and some carriers have acted early to address cyber cover in non-standalone policies.
“It is being underwritten and priced accordingly by some carriers, whereas others are less mature in this process, and may be disproportionately exposed to cyber losses,” she said. “Like any market, there are early movers and there are some who take more time. In saying that, even where that explicit treatment is being made, I think there still remains ambiguity in the language. I think there is still a need for good cyber hygiene to be top of mind, for carriers to model their own individual portfolios, to stress-test those portfolios, to work with their own capital requirements and also risk transfer, through reinsurance, for example, to appropriately manage that risk.”
The wider regulatory framework around cyber is driving the direction of the coverage, and governance plays a strong part in producing clarity and creating a robust cyber market. And, as suggested by the report, Bole said, some actions can also be taken by industry players to mitigate their own exposures.
“The definition of good cyber hygiene will differ across different market participants,” she said, “[so] I would reiterate the need to identify that cyber exposure, to model your own portfolios, to understand where that cyber exposure is and then underwrite that exposure, price it, and then manage the risk internally through portfolio management, risk transfer and capital allocation. I think through the combination of those actions, you will be able to create robust risk transfer for cyber exposures.”