Fitch: Cyber Risk Analysis Inhibited by Silent Cyber Risk Exposure

A hooded computer man in front of 3 large monitors with one hand working from a laptop and the other from a computer keyboard

December 17, 2019

A hooded computer man in front of 3 large monitors with one hand working from a laptop and the other from a computer keyboard

Property and casualty (P&C) insurers are gradually gaining sophistication in measuring risk aggregations and modeling potential losses from catastrophic cyber events, but the efficacy of this analysis is inhibited by exposure to nonaffirmative or "silent" cyber risk, according to Fitch Ratings.

Many insurers now view cyber insurance as an attractive source of premium growth and profits. However, future segment performance faces considerable uncertainty given the evolving nature of cyber incidents in a constantly changing technological, legal, and regulatory environment.

Insurers face silent cyber risk when broad commercial packages or other insurance policies do not explicitly address cyber-related coverage terms or specifically exclude cyber risks. This ambiguity in coverage can lead to disputes and litigation following a cyber event when insureds seek funds from available policy limits for protection; it also poses a risk of reputational damage to insurers.

Large silent cyber exposure can restrict an underwriter's ability to measure risk aggregations and correlations of exposure to cyber risk. In a wide-ranging cyber event, this could lead to large unforeseen losses and, in more extreme circumstances, could cause material reductions in capital, which could negatively pressure individual ratings.

Efforts to assess the financial impact from the most severe cyber events include a recent report from Guy Carpenter and Cyber Cube that estimates a 1 in 100 probable maximum loss for the US insurance industry of $14.6 billion. Challenges in measuring silent cyber exposures and the unique nature of cyber events add to the difficulty of creating cyber catastrophe models with similar analytical value as well established natural catastrophe models. Uncertainty lies in estimating the probability of severe events that have never taken place, such as attacks on utilities and energy infrastructure or larger ransomware or cloud service attacks. Also, risk correlations for cyber are not related to the geographic location of the insured.

Underwriters are increasingly aware of the potential exposures posed by silent cyber risk, but remedial actions are moving at a varying pace. Three major insurance carriers recently took public steps to address silent cyber risk that will likely shape market direction.

  • In September, AIG announced an objective for commercial policies to have affirmative cyber coverage or clear exclusions going forward.
  • Beginning in January 2020, Allianz will make clear how cyber risks are covered in traditional P&C policies and define scenarios for which a dedicated cyber insurance product is required.
  • Lloyd's of London announced that, by 2020, they will require underwriters to affirmatively state whether first-party property damage policies include or exclude cyber coverage.

Lloyd's action was influenced by the Bank of England's Prudential Regulatory Authority (PRA) 2019 move to require UK insurers to develop action plans to address silent cyber risks. The PRA noted that casualty, financial, motor, and accident and health lines have outsized silent-cyber exposure. Regulators in other jurisdictions are likely to take a more active approach toward encouraging affirmative cyber coverage going forward.

US statutory cyber direct written premiums doubled from 2015 to 2018 to $2 billion. Demand for cyber insurance coverage is expanding as policyholders' awareness of cyber threats grow with the proliferation of data breaches and more recent developments in ransomware attacks. Client take-up rates for cyber coverage increased to 38 percent in 2018 from 31 percent in 2017, according to global broker Marsh. A more active approach by insurers to write affirmative coverage or, more specifically, add sublimits or exclusions related to cyber in traditional policies would likely increase cyber take-up rates and further bolster segment premium.

December 17, 2019