This article is a synopsis of a discussion session held at The Geneva Association’s 43rd Annual General Assembly in Rome in July 2016. The discussion was led by Ms Inga Beale, CEO of Lloyd’s.
Cyber risks are expanding at an exponential rate. During this session, it was emphasised how relatively easy it is to conduct cyberattacks – on personal data, important business information, banks, power plants or at national level through attacks aimed at undermining national security.
Very often cyber risk is associated with the theft of data. But the risk is much more far-reaching and includes the destruction or loss of data and the disruption of data, as well as combinations of these various forms of risk.
Lack of historical data and loss experience
Cyber risk is not just a new risk which can be managed in a traditional way and left to the IT department of businesses. It is a fundamental business risk, and to manage it, it is necessary to consider all aspects of the business, including the culture.
Cyber risk does give rise to opportunities for insurers, but also to many challenges. There is no established framework defining and scoping the risk, and calculations are made difficult because of the lack of suitable historical data and loss experience.
Data is being weaponised
Lloyd’s CEO, Ms Inga Beale, described cyber risks as transcending geographical borders and any traditional concept of insurance markets. Indeed, some of the most valuable commodities of the future will not be those of the past such as chemicals and hydrocarbons, but rather data and its accompanying services. With Big Data comes the risk of cybercrime and, as data and associated services become more and more important, so does cyber risk.
According to a Thomson Reuters’ prediction, by 2025, almost all our electronic devices will be connected to the Internet in some way, and the data analytics industry itself will be worth US$50 billion in just a few years. Data is being weaponised. G20 nations are suffering the bulk of losses, and the costs are running into the billions. Indeed, the annual cost of cybercrime is now estimated to be $450 billion, according to Ms Beale. Using a live map of attacks taking place around the world from Kaspersky Labs, Ms Beale highlighted the vulnerability of insurers and other businesses, as well as the opportunity for insurance to play a role in supporting its customers.
Changing legal regimes
Mr Hans Allnutt, Partner, DAC Beachcroft, stated that there is confusion within companies about who “owns” cyber risk. From Mr Allnutt’s perspective, it is a business risk from an operational, informational and physical perspective.
From an operational perspective, in the last 12 months, Mr Allnutt pointed to a number of cyber insurance claims that he has handled, including a business that had suffered a distributed denial of service attack, losing GBP5 million (US$6.5 million) in profits in a matter of days, as customers were unable to access its site, and a company whose systems were encrypted with ransomware. These examples evidenced how a cyber risk can have very real financial consequences immediately, he said.
The informational aspects arise not only from the increasing amounts of data that companies hold, but also from the changing legal regimes about holding that information. He pointed to a trend in the UK for attacks on law firms, where hackers use information to impersonate clients, and direct the firm to transfer client funds to accounts operated by the criminals.
He mentioned that the legal regimes on data are being changed, particularly through the EU's General Data Protection Regulation, announced in May and due to come into force on 25 May 2018. Whilst politically it is aimed at big corporations that collect and use increasing volumes of personal data, the new law will apply to any company that processes data in Europe, or that offers goods and services to European citizens from outside Europe.
In respect of data security breaches, the law provides for fines of up to 4% of annual worldwide turnover or EUR20 million, whichever is higher. As an example, Mr Allnutt highlighted that, following Sony’s data security breach in 2011, it was fined GBP250,000 out of a maximum of GBP500,000 by the UK regulator under the current regime. Under the May 2018 regime, Sony could have faced a fine of up to US$1 billion.
Suit for non-financial damages in the pipeline
The compensation regime is also changing in Europe, reflecting a desire by governments, courts and citizens that, when companies hold customer data and lose it, compensation should be paid.
The new May 2018 regime allows for individuals to sue a company for their non-financial damage resulting from data breaches and also pass on their rights to a non-profit institution to pursue the case on their behalf—class action lawsuits by another name, said Mr Allnutt. The regulation is global in scope in that, even if you are not based in Europe, if you sell products and services into the EU, you are subject to this law.
From a physical perspective, there is also a real fear of physical assets being infiltrated and damaged. Even here, the law is changing, with operators of national critical infrastructure being obliged to inform government when they are attacked.
Framework needed for description of cyber risks
Ms Mel Goddard, Market Liaison Director, Lloyd’s Market Association, opened her comments by highlighting the need for a framework that describes cyber risks in order that any and all discussions between insurers and their clients take place on a basis of mutual understanding.
A new data breach product has been launched in recent years that is innovative and responsive to US regulation. It will be launched elsewhere, including Europe, in the coming months. It has produced some minor surprises in terms of frequency and severity, and it is providing a sense of the extent of personal data breaches and the first- and third-party losses that are associated with them.
However, the much bigger and tougher challenges are the new exposures arising from the technological evolution of risk and how this impacts existing lines of business. The framework for that needs to deal with in-house computer systems, cloud storage, industrial control systems (including artificial intelligence and the Internet of Things), and finally, national critical infrastructures, which are the biggest challenge in terms of the physical risks, and business interruption losses.
Plethora of potential non-physical liabilities
From the ongoing debate, it seems that many stakeholders consider cyber risk an "old risk manifesting itself in new ways". But from an underwriting perspective, there is a raft of questions an underwriter needs to be asking and challenging in order to understand the new exposures.
Cyber permeates many existing lines of business in new ways. Many property policies already include property definitions that may not encompass data, or exclusions for data risks that were written for the Y2K event, but these wordings are as yet untested in this new cyber environment. Terrorism is excluded in many marine and aviation policies, whilst directors and officers (D&O) policies, for example, are silent on cyber, although the legislation described by Mr Allnutt will give rise to a board risk that potentially sits in a D&O policy, according to Ms Goddard.
The issues mentioned so far are all physical losses, but there are also a plethora of potential non-physical liabilities created by cyber. Contingent business interruption, reputational risk and loss of intellectual property are examples – this is cross-class and clearly systemic.
Lack of data
From a practical standpoint, an underwriter is challenged to understand the probability and scale of a potential loss. To some extent new products are arising and a couple of the major brokers are trying to create products here, but there is a problem with a lack of
The Department of Homeland Security in the US, and others in the UK, for example, are proposing to collect data that will one day be helpful for insurers, but this is an immature area. Ms Goddard commented that, whilst there seems to be demand for new products to match these new risks, there does not yet seem to be any appetite to pay for new products. It is clear that losses are occurring, but they are uninsured, not hitting the headlines and therefore not driving real insurance demand at this point.
Historic examples show us that new products can be produced in response to new technologies, with the motor and aviation industries being good examples, and initially these were priced, to some degree, on acts of faith by the insurer.
Increased regulatory scrutiny has also been a driver of new policy development, in the liability area, for example. It is critically important that a mechanism is in place for collecting data so that the exposure can be assessed and underwritten. The issue with cyber risk is that it is a cross-class exposure and an intangible world that is not readily understood, so this is not an easy challenge to solve, but to which insurers have to respond.
They have to define cyber risk and decide what exposures they want to give in order to be ready to meet their clients’ needs, concluded Ms Goddard.