NON-AFFIRMATIVE CYBER: What lies beneath?

Nearly two years on from WannaCry and NotPetya, it’s not surprising that a survey issued last November by the World Economic Forum (WEF) identified cyber risk as the biggest threat to doing business in Europe and among the top five risks for organisations globally.

Although no incident in 2018 matched the scale of those attacks, hotels group Marriott International and British Airways were among major corporate names whose customer records were breached and personal data accessed. In addition, the incidence of ransomware attacks, spoofing or business e-mail compromise (BEC) attempts and spear-phishing attacks again rose sharply last year. Surveys suggest that two in three UK businesses have been targeted by cybercriminals in the past 12 months.

More alarmingly, the National Cyber Security Centre’s chief Ciaran Martin has warned that the 10 attempted cyber attacks tackled by the NCSC in a typical week will, in time, inevitably include a life-threatening ‘category one’ emergency. Emerging new technologies such as artificial intelligence (AI) and the Internet of Things (IoT) threaten to open up the potential for new forms of attack to more sophisticated criminals and activists.

Martin reports that since its creation in 2016, the NCSC has regularly seen cyber attacks on online and high street retailers, resulting in the theft of millions of items of personal data; a major systemic attack on IT service providers, and through them their clients; and targeted attacks on the financial system ranging from SWIFT endpoints to ATM cash-outs and the disruption of services.

He cites IBM’s estimate of the global average cost of a data breach at £3 million, which in addition to money stolen extends to installing new IT equipment, fines from the regulator, lost productivity and the company’s share price falling. For Danish shipping group Maersk, which had to mount a Herculean reinstatement of its infrastructure, reported losses were US$250-300 million from NotPetya, while for courier Federal Express and pharmaceuticals giant Merck the financial hits were US$400 million and US$670 million respectively.

Exclude, or stay silent?

Inevitably, the increase in attacks has focused attention on the issue of so-called ‘silent cyber’ or ‘non-affirmative cyber’; potential cyber-related losses not specifically addressed by the language of traditional insurance policies such as property, business interruption (BI) and D&O liability, that were not specifically designed to cover cyber risk.

BI losses related to cyber attacks were already increasing pre-WannaCry and NotPetya and while the scope for damage might have been underappreciated, the potential for silent cyber was recognised long before those events pushed the issue further up the risk agenda, says Mark Synnott, global cyber practice leader at Willis Towers Watson’s reinsurance division, Willis Re.

Landmark reports include The Sybil Logic Bomb Cyber Catastrophe Scenario, produced by RMS and the Cambridge Centre for Risk Studies at Cambridge University. Published in 2014, it examined the consequences of a “correlated loss” event in which a global system-wide IT failure has an impact on multiple organisations. The following year, Lloyd’s of London introduced its cyber Realistic Disaster Scenario (RDS), which required syndicates to estimate their losses in the event of two specific disaster scenarios.

Various exclusion clauses for cyber have been devised; indeed the widely-used Institute Cyber Attack Exclusion Clause – AKA CL380 – dates back to 2003. In addition to being used for years on marine lines, it has also been applied to policies in the bloodstock/livestock, general liability, onshore energy, political risk/political violence, power generation and UK commercial property markets. “A whole market has grown up around the buyback of that exclusion,” says Sarah Stephens, senior partner and head of cyber/technology E&O at JLT Specialty’s financial lines group.

Nonetheless, silent cyber exposure threatens to push up loss ratios on many other policies not specifically designed to cover cyber risk, but which remain silent on the issue. The International Underwriting Association (IUA) has responded by drafting a clause that can be added to most P/C insurance policies to totally exclude cyber exposures, says Max Perkins, senior vice-president, global cyber and technology – global professional and financial risks at Lockton UK. Alongside this exclusion, a provision would allow the contractual parties to agree to reinstate cover for cyber-related exposures on a case-by-case basis.

Despite this, many insurers have been noticeably reluctant to tackle the silent cyber issue head-on. “They have the motivation to clean up their wordings, but struggle with going as far as an outright exclusion,” says Jennifer Copic, research associate, Centre for Risk Studies, Cambridge Judge Business School. “Conditions in the insurance market are still relatively soft and they don’t want to lose business.

“However, there is greater clarity than when we researched in 2015 and found there were only a handful of exclusions addressing cyber-related losses, whereas now there are around 20.

Courtroom clashes

This reluctance by insurers to address cyber risk is unlikely to persist if rejected claims are challenged in court. The new year began with US food group Mondelez, spun off from Kraft and the parent to Cadbury, suing Zurich Insurance for declining a US$100 million claim relating to damage to servers and laptops caused by NotPetya.

Mondelez claimed under its property insurance and asserts that Zurich even agreed to a US$10 million interim payment, but subsequently invoked a policy exclusion for any “hostile or warlike action” by a government or sovereign power or persons acting for them.

A further driver for coverage clarity is increased regulatory scrutiny. Last July, the Prudential Regulatory Authority (PRA) issued guidelines on European P&C insurers’ cyber exposures and made three recommendations for calculating the requisite amount of capital.

The PRA’s Bulletin SS4/17 stated: “Firms are expected to introduce measures that reduce the unintended exposure to (silent cyber) risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the board.” It suggested three basic options to achieve this:

• adjusting the premium to reflect the additional risk in return for confirming cover for cyber risks;
• applying robust wording exclusions; and/or
• attaching specific limits of cover for cyber

“Although I’m not generally a fan of new regulation, to a degree the PRA’s mandate was a welcome one,” says Copic. Yet an insurer’s attitude towards cyber exposure still owes much to both the type of business insured and the type of insurer, notes Synnott.

“Many mutual insurers are owned by their policyholders and a number of specialist mutuals were set up to provide professional liability cover for law firms or professional advisors,” he comments. “These mutuals focus on quality of service which includes providing clear coverage language. This resulted in policy clarification several years ago on exactly what cyber exposures would be covered and those that would be excluded.”

“The commercial insurance market is more nuanced as it competes on both price and cover. There has been some concern by commercial insurers that providing clarity of coverage might serve as an opportunity for competitors to target their business.”

So Synnott hails as “a bold move” the announcement by Allianz Global Corporate & Speciality (AGCS) in November that it would be one of the first corporate insurers to update and clarify its P/C policies globally regarding its stance to cyber risks. The programme was rolled out globally at the start of this month for new business, with renewal business to be added from April.

Alongside this belated move to address silent cyber is a fast-growing market for stand-alone cyber cover, which Aon predicts will show annual growth of over 14 per cent over the next three years to reach US$4 billion worldwide by the end of 2021. Morgan Stanley’s analysts are even more bullish, forecasting that it will be at least double that figure by next year.

Collateral damage

The scattergun approach of the NotPetya attack demonstrated that groups not directly targeted can still suffer considerable incidental damage, notes Domenico del Re, a director at PwC. “For insurance managers and buyers our main recommendation is not to rely on any cyber-related incidents you’ve experienced in the past to calculate potential future exposure or losses.

“Your company’s digital footprint is steadily getting bigger – as are the potential losses, which include third party liability in the event of a data breach.

“Invest time in understanding of the scenarios you should use internally for risk mitigation activities. What digital assets does your organisation hold that could be stolen, compromised or corrupted? How strong are your defences? What’s a plausible loss scenario and what could the potential financial loss look like?

“That knowledge will empower internal decisions and mean you are more informed when sitting down to discuss cover with your broker and insurers. It also makes you an improved risk and the insurer will recognise your insights as a strength rather than weakness.

Providing clarity and certainty

CIR Magazine speaks to Emy Donovan, global head of cyber and tech PI, As Allianz Global Corporate & Specialty, as the insurer updates its policy wordings to address the issue of silent cyber.

Has the issue of silent cyber only been considered by the market since the WannaCry and Not Petya attacks of May/June 2017, or has it been on insurers’ radars for longer?

Silent cyber risks have been discussed in the cyber underwriting expert community for a while but the 2017 malware attacks were a broader wake-up call. WannaCry/NotPetya highlighted the risk and potential damage across all business areas. Cyber exposures materialised far beyond the expected, impacting multiple lines of business in addition to specialist cyber insurance such as property, business interruption, errors and omissions or kidnap and ransom.

For Allianz cyber exposures in traditional P&C policies have been a priority underwriting topic in the past two years. In a group-wide project in 2017-18 involving major flagship entities, Allianz reviewed cyber risks in P&C policies in the commercial, corporate and specialty insurance segment. The working group identified the policy wordings that are unclear or uncertain as to coverage for cyber events, and developed a consistent new underwriting approach for cyber risks.

Is there a uniform approach as to how cyber exposures on policies not specifically designed to cover cyber risk are handled? Or does it vary from insurer to insurer?

Allianz is one of the first insurers to consistently and globally address cyber risk in traditional policies in a group-wide strategy for the commercial, corporate and specialty insurance segment. While the re/insurance market agrees that assessing and underwriting cyber risk is a key challenge for the industry, the group decided to take decisive action. We are not aware of similar comprehensive strategies by our major competitors at this stage.

This initiative is purely driven by Allianz and we are only considering our own underwriting strategy. Of course cyber risks, as well as silent cyber exposures, are relevant topics across our industry but how other insurers address these risks is entirely up to them.

Regulators such as the PRA are taking closer interest in the issue of insurance cover for cyber exposure. Are they putting pressure on insurers to clarify their position and have they issued rules or guidelines?

We were aware that regulators such as the UK’s PRA and Germany’s Bafin are concerned about cyber exposures in traditional P&C policies and encourage insurers to address the cyber underwriting risk systematically – so far without any detailed instructions or guidelines. With our new underwriting strategy, we’re responding to regulatory and also rating agencies’ interests by clarifying cyber exposures in our P/C insurance portfolios.

However, the primary driver for developing a new underwriting approach was our customers. In most traditional P&C insurance products, cyber risks are not explicitly mentioned or considered, as these policies were developed when cyber was yet to emerge as a major risk. This ambiguity can lead to uncertainty and a lack of clarity for our customers in the event of a cyber incident.

Our customers need clarity, certainty and confidence – and our new cyber risks insurance strategy will specify and clarify which cyber risks are covered under traditional policies, as well as for which scenarios a dedicated cyber insurance solution is required.

There are stand-alone cyber covers now available in the insurance market – how fast has this sector been growing in the past couple of years and what do you estimate its potential to be?

Cyber risk has been a major risk for several years, but as with any new risk it has struggled with awareness. We have now reached a point where cyber is equally concerning for companies as their major traditional exposures and this will certainly further drive the penetration of cyber insurance in Europe in particular.

AGCS has offered cyber insurance since 2013 in many European and Asian markets and since 2015 in the North American market. The cyber insurance market in United States is more mature, while in Europe and Asia it is still in its infancy but steadily developing. Key drivers for that are growing risk awareness of companies and tighter privacy regulation such EU General Data Protection Regulation (GDPR) that came into force last May.

In our core European markets, we’ve been able to underwrite a large number of new cyber policies in the past 12 months, particularly in core markets such as Germany. We have also able to rapidly grow our US book since it launched in 2015. Globally, AGCS generated cyber insurance premiums in the higher double-digit million range last year.

In addition to ‘silent cyber’, alternative terms such as ‘non-affirmative cyber’ have been used. Is there an industry-wide term that has been adopted?

We see both terms being used when discussing cyber risk exposures in traditional P/C policies and perhaps there is no real need to agree on an industry-wide terminology. While non-affirmative is a more technical underwriting language, the term ‘silent cyber’ is more tangible and has even been broadly used in non-UK insurance markets.

This article was published in the January 2019 issue of CIR Magazine.

Download as PDF

More interviews and analysis

Contact the editor

Follow us on Twitter

    Share Story:


Deborah Ritchie speaks to Chief Inspector Tracy Mortimer of the Specialist Operations Planning Unit in Greater Manchester Police's Civil Contingencies and Resilience Unit; Inspector Darren Spurgeon, AtHoc lead at Greater Manchester Police; and Chris Ullah, Solutions Expert at BlackBerry AtHoc, and himself a former Police Superintendent. For more information click here

Modelling and measuring transition and physical risks
CIR's editor, Deborah Ritchie speaks with Giorgio Baldasarri, global head of the Analytical Innovation & Development Group at S&P Global Market Intelligence; and James McMahon, CEO of The Climate Service, a S&P Global company. April 2023