An increasing number of insurers are likely to address silent cyber exposures in traditional property and casualty policies, following a renewed warning from the UK regulator.
The Prudential Regulatory Authority (PRA) wrote to UK insurers at the end of January requesting a silent cyber action plan by the first half of 2019, with clear milestones and dates, specifying actions to be taken to reduce unintended exposure to silent cyber.
The letter builds on the PRA’s existing work on silent cyber. In July 2017, the regulator issued supervisory notice SS4/17, which called for insurers to address silent cyber exposures in traditional property and casualty portfolios. Specifically, the PRA called on insurers to actively manage silent cyber risk, set clearly defined cyber strategies and risk appetites and build their cyber expertise.
The PRA says these expectations remain valid, although its latest communication suggests a level of urgency. Insurers told the PRA that challenging market conditions and lack of historic data, models and expertise were the main impediments for the prudential management of cyber underwriting risk. The PRA says it appreciates these challenges, but does not believe they are insurmountable. WORK IN PROGRESS
The PRA letter was based on the findings of a follow-up survey on silent cyber. It found that, although some work has been done, more ground needs to be covered by insurers, especially in relation to non-affirmative ,risk appetite and strategy. cyber risk management
According to the survey findings, traditional lines of insurance have considerable exposure to silent cyber, also referred to as non-affirmative cyber risk. A cyber event could have widespread impact on a number of different lines of business, while loss exposures from a cyber event could be on par with a major US natural catastrophe.
Casualty, financial, motor and accident and health lines are cited as carrying the largest non-affirmative exposure, according to the survey. Non-affirmative cyber exposure in property, marine, aviation and transport lines was less clear-cut, with insurers estimating their exposure anywhere between zero and the full limits. POSITIVE MOVES
The PRA did, however, welcome announcements by a number of large insurers that they intend to remove silent cyber risks from their traditional property and casualty portfolios. Allianz and AIG, for example, are both moving to affirmative cover, in response to increased scrutiny from regulators and rating agents.
Allianz says it will have addressed silent cyber in all of its property and casualty policies underwritten by the Allianz Global Corporate and Specialty unit by the end of 2019. Its Cyber Risk Insurance Strategy will see AGCS update policy wordings across its portfolio, making clear where cyber cover is, or is not, available.
The insurer will exclude some cyber risks, but may offer cover under extensions or via standalone cyber insurance. It says physical damage and bodily injury arising from cyber events will generally continue to be covered. Cyber-related ‘pure financial losses’ without physical damage or injury, however, will be covered in affirmative cyber insurance solutions only.
Insurers are also responding to large losses and a perceived lack of coverage certainty. The NotPetya malware attack in 2017, for example, led a number of corporates to claim against property insurance policies.
cyber insurance policies paid such losses promptly, a number of NotPetya claims in the property market remain unresolved.
Claims analytics firm PCS estimates that insurers face claims amounting to USD 3.3 billion for the NotPetya attack, of which 90% are for non-affirmative cover. US pharmaceutical group Merck, for example, is looking to claim USD 2 billion from its insurers, of which USD 250 million has been paid by the firm’s affirmative cyber insurance policy. The remaining USD 1.75 billion is being claimed under non-affirmative cover.
In some cases, silent cyber has resulted in litigation, most notably Zurich Insurance’s denial of a claim brought by food manufacturer Mondelez, which suffered business interruption and other losses in the attack. Zurich is using a war clause to deny the USD 100 million claim under an all-risks property policy, although the insurer must now prove in court that the cyber attack was an act of war.
Addressing silent cyber exposure is likely to mean more insurers clarifying coverage under p/c policies, although other options are available.
Alternatively, insurers could continue to offer silent cyber coverage under traditional policies and rely on reinsurance to manage their exposures. However, a number of large reinsurers are growing more cautious of cyber risk, particularly when they involve aggregate or systemic cyber exposures.
TALK TO AN EXPERT
For further information, please contact
Sarah Stephens, Head of Cyber/ Technology E&O on +44 (0)20 3394 0486
Read about Sarah Stephens
As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.
Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.
Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.