Insurance and reinsurance companies are, in the main, not sufficiently equipped to underwrite and model cyber exposure, and lack the capacity required to address the rising threat of an aggregation of losses from ‘silent’ cyber attacks, according to Rick Welsh of Sciemus.
Welsh says that the uncertainty surrounding so-called silent cyber exposures suggests that steps must be taken to deepen the market’s technical understanding of the potential exposures.
‘Silent’ cyber attacks were discussed recently by the Bank of England’s Prudential Regulation Authority (PRA) in a consultation paper and, in response to the paper and to provide some insight into the expanding world of cyber risks, Welsh, Chief Executive Officer (CEO) of Sciemus, spoke with Artemis.
‘Silent’ cyber risks, which can be thought of as catastrophic losses from cyber-attacks on policies that don’t actually state whether cyber-attack is covered or excluded, are an area that needs urgent attention and have the potential to be seriously deleterious to re/insurance capital. An important issue raised by the PRA is the distinction between silent cyber issues and non-fortuitous cyber risk, and whether cyber risk is being improperly conflated with broad operational risk.
“Our belief is that unless steps are made to employ the requisite expertise and modelling techniques that ‘silent’ cyber exposure presents a significant risk for financial contagion, particularly with the confluence of indeterminate operational risk within open-ended reinsurance structures such as stop loss reinsurance,” said Welsh.
For insurers, reinsurers and, increasingly, insurance-linked securities (ILS) players as that space expands its remit, ‘silent’ cyber exposures are on the rise: the increasing interconnectedness of the world and the transition to a truly digital world dial up the potential for cyber-attacks to be far-reaching and damaging to all industries, both directly and indirectly.
Furthermore, the inclusion in property and casualty policies of cyber cover that is not understood, or of which the reinsurer may in some cases be entirely unaware, can leave re/insurance capital dangerously overexposed to an accumulation of cyber risks.
“This concentration of risk is pooled within the reinsurance market (as illustrated by the prevalence of stop loss covers above traditional treaties), together with traditional non-cyber towers of property and casualty ingesting cyber risk that is little understood,” explained Welsh, highlighting that cyber risk can be written by property insurers within energy and property all-risk programs, and that aviation insurers can also write unintended cyber exposure.
“Cyber-risk aggregation will not manifest itself, and therefore be able to be modeled, as well as the underlying, original property or aviation risk,” Welsh told Artemis.
In situations where traditional (i.e. non-cyber) insurance assumes ‘silent’ cyber exposures, either willingly or otherwise, Welsh explained that technical pricing, rate adequacy, and therefore capital adequacy, are insufficient.
Welsh stressed that, for the most part, cyber security expertise in underwriting or in the modeling of cyber exposures is limited and scarcely deployed, something that needs to be improved if the risk transfer world is serious about addressing one of the most continually evolving yet ill-understood exposures in the world today.
“The key to modeling in cyber is designing a clear, scientific approach to event modeling in conjunction with the cyber security community. Aggregation modeling is only part of the solution and cannot be agnostic of the underlying event causation; in the main, the reinsurance market’s existing concept of causation that underpins property aggregation does not hold with cyber,” said Welsh.
By their very nature, cyber attacks are extremely complex, and until advanced modeling techniques are developed and the risks are better understood, the insurance, reinsurance, and ILS space could struggle to provide adequate and effective solutions.
Affirmative and ‘silent’ cyber threats appear to be expanding all the time, and with policies continuing to include cyber risks when understanding of them is limited, companies are in real danger of being overexposed to an aggregation of cyber losses that they might well be completely unaware they were exposed to in the first place.
As technology advances, the potential for cyber attacks will also increase in the majority of business lines, but at the same time it should give the industry and catastrophe risk modelers more ability to develop the right solutions, ultimately mitigating the cyber threat and expanding distribution of risk in this area.