As organisations become increasingly dependent on technology, cyber risk has entered the top ranks of the corporate risk agenda. According to the Global Risks Report 2019 from the World Economic Forum (WEF), rising cyber dependency is the second most feared interconnected risk.
Rapidly evolving cyber and technological threats are the most significant potential blind spots for businesses that do not fully appreciate the vulnerability of networked societies, it warned.
Major cyber incidents, coupled with far tougher data protection and privacy laws, have resulted in a gear-change when tackling cyber risk. Over the past year, large clients have increased their understanding of technology related risks, and are now seeking more sophisticated and comprehensive cyber insurance solutions.
We would expect this trend to continue and broaden further into the mid-market in coming years. Despite increased claims, the cyber insurance market has shown remarkable resilience and stability, with only slight hardening on excess layers and for loss affected sectors, like banking and airlines. The vast majority of clients should find the cyber insurance market receptive to their needs, with consistent pricing and a willingness to innovate.
However, the wider insurance market is looking to clarify cyber cover offered under property/casualty policies, a trend that is likely to gather momentum in 2019. This will result in a gradual shift towards affirmative cyber as property/ casualty insurers increasingly exclude or explicitly include cover for cyber perils.
In the mid-market and below, we are also likely to see a move towards standardisation. Driven in large part by brokers, industry-wide agreements on standard wordings should make life easier for clients and create more certainty of cover.
Last year witnessed some of the largest data breaches and IT system outages of all time. It was also the year that finally witnessed the implementation of the General Data Protection Regulation (GDPR), amid growing concern for privacy and the use of personal data in political campaigns.
At the start of 2018, experts warned of further large data breaches, a prediction that soon became true. The compromise of data belonging to 500 million customers at the Marriott Hotel group was one of several mega data breaches last year, and one of the largest data breaches of all time. In April, Facebook revealed some 87 million users may have been affected by a breach, while fitness app provider Under Armour said some 150 million records had been compromised. At the start of 2019, there is no reason to believe that further large data breaches will not continue.
Data breaches involving personal data, similar to the British Airways breach in August 2018, are increasingly likely to be covered by more stringent data protection regulation. The GDPR introduced new rights for consumers and requirements for companies in May 2018, as well as the prospect of greatly increased fines. While still early days for GDPR enforcement, data breach notifications are reportedly significantly higher under the new regime.
Data breach class actions have also emerged as a potential source of sizable liability in Europe. A number of data breaches under the GDPR, including British Airways, have sparked group actions, while a landmark class action against UK retailer Morrisons in 2018 showed that organisations may face large claims for damages, even when appropriate safeguards are in place to protect personal data.
The market will carefully watch the development of regulatory enforcement under the GDPR and data breach litigation in 2019. Combined, regulatory and legal liability are likely to become a significant driver for cyber liability and insurance buying.
IT outages also came to the fore in 2018. The IT systems outage at UK bank TSB – caused by a failed platform migration - was one of the most high profile examples of systems failure in 2018. It cost the company GBP 176 million, and resulted in the departure of its CEO. An outage at payment processing company Visa in June affected bank customers and retailers across Europe, while customers of Telefónica and other companies were left without data services in December after a software glitch at Ericsson disabled its network.
2018 also saw experts predict further ransomware and malware attacks. While 2018 escaped the scale of a global malware outbreak seen in the 2017 WannaCry and NotPetya attacks, last year continued to see companies report disruption from such attacks. Taiwan Semiconductor Manufacturing Company—the world’s largest maker of semiconductors and processors—was forced to shut down several of its plants in August 2018 after it was infected by a variant of the WannaCry virus.
At the start of 2018, cyber security analysts also predicted an uptick in cyber conflict and warfare. Political tensions were heightened in 2018, with Russia, China and other states blamed for a number of cyber attacks and detected intrusions. Nation state groups have been accused of stealing trade secrets from businesses and universities, as well as probing critical infrastructure, possibly with the intention of causing property damage or business interruption.
Cyber war will no doubt remain a feature of 2019, as governments look to create definitions and rules for cyber conflicts, as well as promote cyber resilience through cyber security regulations and guidance. Cyber warfare is likely to become a talking point among insurers in 2019, as carriers focus on the effectiveness of war and terrorism exclusions, and can possibly spark a conversation about the need for a market or government-backed solution.
Download Cyber Decoder
For more information, please contact Shannon Groeber, Senior Vice President, Cyber / Errors & Omissions Practice on 215.309.4495.