Cyber Risks and Reinsurance
Surveys of risk managers routinely rate cyber risk or cyber liability among the top ten risks facing companies today. Not surprisingly, options for managing and mitigating the various cyber risks are an ongoing topic of discussion in the press, in Lloyd’s, in the boardroom and indeed within this very forum. So far, however, most of the focus has been from an insurance perspective. Reinsurance clearly has a significant part to play in confronting this evolving and escalating risk.
An Evolving Reinsurance Market
Most direct insurers will be familiar with the client that wants cyber insurance but often has limited knowledge of its specific cyber risks or of the solutions best suited to its needs. Does the client understand the range of coverages available? Does it need cyber coverage in the first place? Are first-party exposures, third-party exposures or both of primary concern?
These same questions are relevant to reinsurers. Expert writers of the class know how to manage their portfolios, avoiding saturation in a particular segment or territory, and making sure there is adequate risk management in place via encryption and internal governance. They are also aware of the importance of response times, crisis management and the potential costs involved. These writers will often purchase reinsurance on a traditional risk or clash basis to mitigate volatility and smooth their underwriting results.
More concerning are direct insurers that want to dip a toe into the cyber arena, often through facilities where they do not control the underwriting; this can be seen as a way to diversify the portfolio and achieve rate on what is perceived to be historically loss-free business. We also see increased interest from direct insurers in providing cyber cover for the retail and healthcare sectors; some high-profile breaches in these sectors led to significant rate increases, and also to improved risk management and controls. Some direct insurers seek cyber opportunities in the open market while others elect to access this business via MGAs or consortiums.
We are regularly approached by clients in London and internationally who are looking to get into cyber. They are usually looking to cover first-party elements like business interruption, data restoration and cyber extortion, as well as third-party exposures such as security and multimedia liability along with the costs associated with breach response including notification, credit monitoring and privacy liability.
Our response is entirely consistent. We want to know whether the client has: a dedicated cyber underwriter (rather than a PI underwriter dabbling in the class); its own policy wording and proposal form; an understanding of the notification requirements and laws in the territories it is targeting; and sufficient claims capabilities, including credit monitoring and data forensics.
We are also working to enable clients to white-label our offering by packaging the form, application and rating model together with crisis and claims management.
What is Covered?
Cyber-attacks are a relatively new phenomenon and the (re)insurance markets are still developing robust solutions for managing and mitigating the various risks. As a result, one issue for reinsurers is cyber-related claims filed under a Commercial GL or other “traditional” policy. A prime target for claiming cover under GL could be the personal and advertising injury section. While cyber claims brought under a Commercial GL treaty have been defended in the U.S., this has not been tested in the UK courts.
Also, while an element of cyber exposure has been present in FI language through the Electronic Computer Crime provisions, those provisions offer insurers some protection against losses caused by “hacktivists”, whose objective is to disrupt operations and perhaps make a statement rather than to profit personally. Under these coverages, if there is no improper personal gain, there is no insurable loss.
We are also seeing Bankers Blanket Bond and Crime forms being extended to clarify cyber exposures. While cyber is not excluded on PI policies (although we do see the coverage sub-limited), it almost certainly would be indemnified, as the original wording is written on a civil liability basis.
In terms of D&O, since there is no perceived first-party exposure, a claim would have to rely on D&O negligence or on a class action alleging that proper security procedures were not in place. Some suits along these lines have been filed, but so far none has been successful. For example, after a major U.S. retailer experienced a massive breach, a class action was filed alleging that the board had contravened its fiduciary duties by not having the necessary defences in place to protect the company from a cyber-attack and its consequences. This suit was dismissed in July after an independent Special Litigation Committee investigation advised that it was not in the company’s best interest to pursue derivative claims against the officers and directors.
Another challenge is that reinsurance treaties currently lack appropriate exclusions for cyber risks. The CL380, for example, is standard in Marine and Energy treaties and on original policies, but competitive pressures are pushing some brokers and clients to insist that it be removed. However, by simply deleting an exclusion are we providing the appropriate coverage in a very technical class? The Lloyd’s Market Association and the International Underwriting Association are both keen to develop reasonable exclusionary language, but if we exclude cyber now, are we positively affirming that there was coverage in the past? Also, in a challenging reinsurance market clients and brokers are unwilling to accept exclusions, and given the evolving nature of cyber-crime, an exclusion crafted today could be obsolete in six months.
Given this, it seems likely that the cyber market will develop in a fashion similar to the terrorism market after September 11th. That is, as more tailored cyber coverages are developed and the market matures, reinsurers should be able to incorporate suitable cyber exclusions into the coverages for traditional classes.
Expertise and Monitoring Are Critical
If aggregation control is under the spotlight in insurance, the concerns are magnified in reinsurance. However, risk coding within Lloyd’s is improving, as is the way we apply our exposures to Realistic Disaster Scenarios, and our in-house software enables us to monitor our exposure to individual risks on an original-client basis. It will be some time, however, before we can fully monitor exposures to third-party service providers, cloud users and cloud owners.
In the meantime, we have regular meetings with our clients to understand how they assess risk, and conduct regular audits to ensure original policy forms are not broadening.
There is also the potential for aggregation from cedants backing consortiums and MGAs. From the client’s perspective, this can be a great way to access the business without incurring expensive setup costs. For a reinsurer, however, backing several cedants who each participate in the same consortium can mean a larger collective exposure to that consortium than any individual member carries. In these instances, clients also need to consider carefully whether they are comfortable ceding underwriting control in such a complex and high-profile class.
So where does that leave reinsurance? Our clients’ expertise is crucial. Direct insurers regularly work with their clients to improve risk management capabilities and practices. As reinsurers are a step removed from the original policy, our focus is on ensuring that we back experts rather than following capacity that lacks proper underwriting controls for pricing, aggregation and portfolio construction.
Reinsurers also need to be conscious of the constantly changing legal landscape, including data protection/privacy laws and breach notification requirements in the territories where our clients operate. And while upcoming changes to EU regulations could encourage more clients to buy cyber cover, it could take some time for the markets to respond.
For reinsurers, the opportunity – and challenge – is to create solutions to help manage and mitigate even the most complex risks. And that certainly includes cyber risks where our immediate challenge is to help clients grow responsibly and without compromising this evolving and increasingly important class of business.