Why insurers, reinsurers should care about silent risk exposures
How exposed are your clients to cyber risk via unrelated insurance policies that do not specifically exclude cyber events?
The world of cyber presents an ever evolving risk environment in which attacks can have a global effect on millions of businesses, incurring high severity and high frequency losses.
Two well known recent examples are Wannacry and NotPeyta where each attack affected millions worldwide and caused loss estimations of hundreds of millions of dollars.
Know your exposures
Before launching any initiative to cover affirmative cyber risk, insurers and reinsurers must understand their current level of book exposure: How much are they exposed to cyber risk in other insurance policies that do not clearly exclude cyber risk.
In more detailed description, silent cyber risk is the potential financial loss incurred from cyber-attacks due to silent coverage within insurance policies that were not designed to cover cyber risk. The wording of the policies does not implicitly include or exclude cyber risk.
Some examples of these policies include: marine, transport, aviation, property, etc.
Examples of these type of scenarios can include:
- An attack on a hospital control system resulting in unexpected outage and failure of power backups causing deaths of hospitalized patients connected to life saving machines.
- A malware infecting a vessel’s GPS navigation system, misleading the crew to crash the vessel into the ground, causing injuries and substantial environmental damage due to an oil spill.
- An attack targeting an IoT smart home controller causing the heating boiler to malfunction and explode, leading to a fire resulting in injuries and property damage.
- An attack on an autonomous car system causing the vehicle to crash as well as injuries and deaths of the driver and passengers.
The bottom line
Of course, when it comes to insurance policies, the ultimate question is whether or not the insurer will have to pay out.
Ultimately, the wording of the policy will provide that answer but there’s a high chance that there is more capital at risk than planned.
Reinsurers and Insurers must adjust their capital reserves for these policies with the thought in mind that silent cyber risk exposure will affect loss ratios for these lines. Beyond the uncalculated financial risk, there are also regulatory aspects to take into consideration. Regulators acknowledge the importance of assessing cyber silent risk exposure and actively encourage insurers and reinsurers to assess the level of capital at risk.
Regulators and leadership
There are several regulatory authorities worldwide that actively promote acts to oblige insurers and reinsurers to report their silent cyber risk exposures. This trend has pushed the insurance industry to look for advanced cyber risk modeling solutions which provide an access to relevant cyber risk data which is harvested of from public and closed sources to support continuous and efficient quantification of affirmative and silent cyber risk exposures.
Insurers and reinsurers that want to assess cyber risk are at a big disadvantage when it comes to building out their frequency and severity modeling due to their lack of data. So how exactly can insurance professionals cope with this challenge? They must have the capability to evaluate a business’s security resilience and cross correlate it with actionable global cyber threats intelligence. These are the fundamental building blocks to support proper frequency and severity modeling that can allow clear identification of the type and level of exposures a single company faces and also what are the accumulated ones of the portfolio. As this world of cyber threats is ever evolving, insurers and reinsurers must have these quantification capabilities in a continuous manner to support active management of their cyber risk exposures.
Insurers and reinsurers are almost unknowingly undergoing a major change in their industry and those who recognize the impact of silent cyber risk on coverage and quickly identify their exposures will be the front runners in the industry. After all, knowing the silent risk is a crucial element for assessing the capital at risk. As more insurers develop their programs around silent risk, they’ll also begin to build out the foundation for affirmative cyber risk coverages.
Yakir Golan is CEO of Kovrr. He can be reached by sending email to Yakir@kovrr.com.
The opinions expressed here are the writer’s own.
See also: