US Property Insurers Might Face a $12.5 Billion "Silent Cyber" Risk

The US property insurance market is accumulating cyber risk to the extent that a 1-in-100-year loss could result in $12.5 billion in nonphysical damage losses, according to a new report.

The report, Spotlight on Cyber: A Study of Aggregation Risk in the US Property Insurance Market, warns a loss of this magnitude could trigger a downgrade in A.M. Best's Best Capital Adequacy Ratio (BCAR) for 18 US property insurance companies.

The report is based on a study conducted by insurance industry cyber-risk analytics firm CyberCube, A.M. Best, and Aon.

For the study, CyberCube created a sample portfolio based on the US small-business property insurance industry and subjected it to modeled cyber-loss scenarios, quantifying nonphysical damage losses. The modeled losses for the sampled portfolio were then scaled up to a countrywide basis and allocated to each US property-casualty insurer based on direct written commercial property premium as a percent of the total US property-casualty insurance industry's direct written commercial property premium.

A.M. Best then used the results of that analysis to assess the balance sheet impacts on 579 US property insurers. After allocating losses to each of the 579 insurers, Best designed a stress test for its capital model to assess the BCAR impact on each insurer.

Of the 579 insurers Best analyzed, 12 insurers would fall 1 level in BCAR, 4 would drop 2 levels, 1 would drop 3 levels, and 1 would drop 4 levels. While BCAR assessments aren't the only factor in determining an insurer's financial strength rating, a significant deterioration in BCAR could contribute to a downgrade in an insurer's rating.

Aon assisted with quantifying the risks and exposures written back into property insurance policies and highlighted some of the best practices in managing the risks.

The report notes that in the context of natural catastrophe perils with physical damage components, a $12.5 billion loss represents a small loss event. But, considering that many insurers might not be pricing for the accumulating cyber risks or accounting for them in their enterprise risk management efforts, the impact of such a cyber loss on property insurers could be significant.

"The lessons learned from COVID-19 can be applied to cyber risks as well," the report says. "A pandemic and cyber have striking similarities in that both of them can spread quickly, can go undetected for quite a while, cannot be contained within a specific geography like a hurricane or an earthquake, and cause lockdowns and associated economic losses. The litigation around COVID-19 losses and cyber losses in the past serves to emphasize the need for clarity in property insurance contracts specifically in wordings around property damage and sublimits related to cyber."

According to the report, the NotPetya and WannaCry cyber attacks in 2017 highlighted the potential catastrophic impact of silent cyber coverage within noncyber lines of business. The majority of claims from those events globally were on policies that were nonaffirmative—silent—on cyber-insurance coverage.

"Today, a mixture of regulatory pressure and good portfolio management practice is driving [insurers] to explicitly exclude (or affirm) cyber coverage from non-stand-alone policies, where silent cyber exposure may exist," the report says. "This move is to be applauded, as clarity of coverage allows [insurers] to assess and price risk appropriately and ensure a smooth claims process for the insured."

Still, the report suggests it's becoming apparent that US insurers, while beginning to offer explicit cyber coverage in commercial property policies, may not be underwriting or pricing the risk appropriately. "Therefore, cyber exposures in the US property market may be unaccounted for in [an insurer's] enterprise risk management (ERM) strategies," the report says.

The report says "silent cyber" can be defined in two ways. One is unintended cyber coverage in which policy language does not explicitly address cyber as a potential cause of loss. "Therefore, cyber coverage is neither excluded, nor affirmatively granted, under non-stand-alone policies," the report says. "Any loss arising from unintended cyber will likely be contested with the policyholder."

The other type of silent cyber is unpriced cyber coverage, according to the report, in which cyber risk is implicitly accepted by the insurer, but no premium is allocated or charged for the risk. "Typically, in this unpriced cyber risk, a cyber attack is not a covered cause of loss but could trigger a covered peril or cause of loss," the report says. "Crucially for [insurers], there is often no adjustment to premium for the marginal increase in frequency or severity due to the risk of a cyber-related loss."

The research behind the report assessed the impact of both unintended and unpriced cyber risks.

The report notes that insurers have responded in various ways to silent cyber, including excluding cyber coverage and actually underwriting the exposure.

The report concludes that the $12.5 billion 1-in-100-year exposure is currently manageable by the US property insurance industry, though the exposure could have solvency impacts for some insurers. Meanwhile, the large growth in cyber losses anticipated in the coming years will challenge the industry's ability to address quickly increasing loss estimates, the report says.

Appropriate cyber underwriting by insurers also stands to benefit insurance buyers, the October 12, 2021, report suggests.

"Thorough underwriting of cyber exposures will also help to clarify for insurance buyers what cyber cover they have in their property policies and how it might respond," the report says. "Offering cyber coverage through package policies, or write-backs in property policies, may provide adequate cover for small businesses. [Insurers] should be explicit in what coverage is granted and how the property policy might respond."