1 Capsicum Re | Addressing Non-Affirmative Cyber
CAPSICUM RE in partnership with
Addressing Non-Affirmative Cyber
October 2017
Executive Summary
Global Head of Cyber
Ian Newman
Tel: +44 (0) 207 204 6000
Head of Cyber Analytics
Maryam Abdullah
Tel: +44 (0)20 3425 3418
Affirmative Cyber Insurance
Johnny Fraser
Tel: +44 (0)20 7204 6079
Non-Affirmative Cyber
Reinsurance
Patrick Bousfield
Tel: +44 (0)20 7204 3091
Supervisory Editor
Conrad Williams
Tel: +44 (0)20 7560 3121
The insurance industry needs to address non-affirmative cyber in a meaningful
way. Capsicum Re uses the term non-affirmative cyber (or silent/passive cyber)
to refer to instances where the cyber peril is neither explicitly included nor
explicitly excluded within an insurance policy. This presents obvious problems
in an increasingly interconnected and interdependent business environment.
There is a growing concern for policyholders surrounding non-physical perils
such as network/system failure that can cause disruption to business continuity
and profitability. Affirmative cyber cover refers to insurance policies where the
peril is defined and coverages are explicitly set out within the policy document.
This report attempts to summarise the current state of the cyber market –
focusing in particular upon non-affirmative cyber exposures and where the
market can address them.
In the first section, we identify four current factors which are changing the
dynamics of the cyber insurance market.
1) Increasing regulatory pressure.
2) Increasing frequency of large cyber-attacks / market losses.
3) Lack of uniformity in implementation of Cyber exclusionary wording.
4) Potential macro shift in the existing soft market dynamics.
Following this, we discuss three foreseeable directions in which the cyber
insurance market may move in reaction to these factors.
We will also examine solutions for insurers which have developed naturally
from the need to address non-affirmative cyber exposures. Then, we go on to
discuss existing reinsurance solutions to address and protect against both
affirmative and non-affirmative systemic and aggregation losses in cyber/non-cyber portfolios:
Non-Affirmative Cyber Products
1) Cyclone – clash of net retentions
2) Systemic aggregate tail protection
Affirmative Cyber Products
1) Aggregate Per Policy Excess of Loss
2) Aggregate Stop Loss
Potential solutions to bring ILS markets into the cyber insurance market
“To me, the elephant in the room today is what we call the ‘cyber’ issue. The growing interconnectivity of computers, their ability to learn from each other and the fact that the world’s economy has become absolutely dependent on the internet raises huge new challenges for the insurance industry.” – Extract from Stephen Catlin, Risk & Reward: An Inside View of the Property/Casualty Insurance Business. [1]
Changing Dynamics of Cyber Insurance
We have identified the following key drivers changing the
current dynamic of the cyber insurance market:
1. Increasing regulatory pressure
The UK’s Prudential Regulation Authority (PRA) recently
released a consultation paper and supervisory statement on
their expectations of firms regarding cyber insurance
underwriting risk. In short:
“the PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk.” [2]
The PRA statement covers both non-affirmative and
affirmative cyber risk.
Specifically, for non-affirmative cyber risks, expectations are placed on firms to consider:
- adjusting premiums to reflect the additional risk and offer explicit cover;
- introducing robust wording exclusions; and/or
- attaching specific limits of cover.
The rating agency A.M. Best presents a similar rhetoric:
“[A.M. Best] expect companies to be proactive and forthcoming with their own evaluation and measurement of the exposure and
accumulation of their cyber liability exposure.”
2. Increasing frequency of large cyber-attacks /
market losses
Another key element which is forcing (re)insurers to re-evaluate their approach to cyber (re)insurance is the sheer scale and frequency of losses impacting policies. In 2017 there has been a dramatic increase in the number of ransomware attacks: according to Cisco, ransomware attacks are growing at a yearly rate of 350% [3]. The way in which modern business is conducted, via interconnected global networks, only serves to spread ransomware around the world at exponential speeds. Ransomware strains such as WannaCry and NotPetya grabbed headlines in 2017.
The first, WannaCry, is estimated to have impacted more than 400,000 computers in 150 countries [4], with an economic loss in the region of $4-$8 billion [5]. The impact for (re)insurers, however, is minimal. The effects of WannaCry on insurable losses such as business interruption and physical damage were limited; many companies were able to restrict the proliferation of WannaCry within their networks and could recover encrypted data via backups.
NotPetya on the other hand, a wiper disguised as ransomware, has left a lasting impression on many businesses. This can be attributed to the design of NotPetya; it intended to destroy, sabotage and disrupt businesses, rather than extort for financial gain. Following the aftermath of NotPetya, many companies reported disruptions to business extending for several weeks, in addition to permanent physical damage and unrecoverable data losses [6]. Several global organisations have reported staggering losses of revenue running into the hundreds of millions. However, as yet the quantum of insured loss is still being calculated.
It is interesting to note that traditional cyber breaches (expected to be covered by affirmative policies), such as the breach reported recently by Equifax [7], can cause significant losses to cascade through to other towers, such as D&O. In this manner, non-affirmative cover is affected despite the fact there is an affirmative cover in place.
3. Lack of uniformity in implementation of cyber
exclusionary wording
Following the NotPetya cyber-attack, there is speculation that
several of the affected publicly listed companies may seek
recoveries from both cyber and property insurance towers
(due to hardware physical damage and associated business
interruption costs).
For example, Merck & Co., an American pharmaceutical company, reported severe disruptions to its manufacturing capabilities [8]. As a result, it is estimated that Merck’s business interruption has been heavily affected, which could run into the hundreds of millions. In Merck’s second quarter report they highlighted the following issue surrounding insurance coverage on (assumed) non-affirmative cyber property policies [9]:
“The Company has insurance coverage insuring against costs resulting from cyber-attacks. However, there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident.”
This lack of clarity creates ambiguity for the insured, unknown exposure for the insurer, and
exponential aggregation for
reinsurers. This prompts
discussion surrounding the
current cyber exclusions used in
(re)insurance contracts, some
examples include Lloyd’s CL380
and NMA2914. Leaving the
courts to decide whether
damage arising from a cyber
event is covered in a property
policy is a failure of the industry
to address evolving exposures. It
will be interesting to see how
the overall market reacts to
these losses and future court decisions. We may also see
organisations themselves seek large limit standalone cyber
cover to protect against ‘catastrophe’ style cyber losses like
NotPetya.
4. Potential macro shift in the existing soft
market dynamics
“As market conditions change following Harvey, Irma and Maria, non-affirmative cyber will need to be addressed now.”
- Paul Merrey, Insurance Partner, KPMG
With the ongoing active wind season in the Atlantic and large cyber events in 2017, (re)insurers are experiencing significant
losses. While it is unknown if the loss events in 2017 will lead
to a hardening of the soft market or any pricing changes, there
is speculation that reinsurers may look to push back on the
inclusion of non-affirmative cyber in property and other
classes of business (see TransRe remark above).
The potential mounting losses from around the world might be the driver that forces insurers to adequately calculate and
affirmatively accept cyber exposures, which their
policyholders are taking on in their everyday businesses (e.g.
increasing automation, robotics, lights out manufacturing).
Kara Owens, Global Head of Cyber Risk at TransRe
remarks:
“As the (re)insurance industry sees exposures grow and
claims notifications into traditional insurance product lines rise from cyber related incidents, it is in the industry’s best
interest to properly assess, price and track these exposures.
TransRe is following events such as WannaCry, Petya and airline system outages closely.
We are evaluating silent and affirmative exposures and will
be pushing for proper exclusionary language and
underwriting controls as it relates to cyber related exposures within traditional lines such as property and marine.”
Directions of the Cyber Insurance Market
Dan Trueman, Chief Innovation Officer at
Novae comments:
“Cyber underwriting is a specialist class. The nuances in pricing and aggregation across and between cyber risks require expertise.
We consider it both surprising and unsustainable
that cyber risk could be included within so many
policies with effectively no information being
requested and no regards to the measurement or
level of systemic exposure being taken on.”
In reaction to the factors discussed previously that are driving change in the cyber insurance market, we have identified three foreseeable directions in which the market may move in the coming years.
1) Remain unchanged
First is the possibility that the cyber insurance market will
remain largely unchanged; insurers will continue to
underwrite (or in the case of non-affirmative, not underwrite)
cyber business in the current manner. In this scenario, the
majority of insurers will continue to include (or not exclude)
cyber on more traditional policies such as property, casualty,
D&O and E&O, while a minority of ‘specialist’ insurers write
standalone cyber cover.
This presents many challenges which are identical to those
identified by the PRA. Cyber risk is, by nature, an extremely
complicated risk to evaluate, and thus it
is difficult to correctly calculate
premium on non-specialist cyber
policies. Furthermore, from a portfolio
standpoint, determining exposure and
aggregation to a specific cyber incident
is a complex task. This in turn makes it
difficult for insurers to be confident
they have adequate reserves to handle
a large number of claims at one time
occurring from a catastrophic global
cyber-attack [10].
Continuing in this direction will expose the industry to:
- A continued lack of understanding / knowledge to correctly price / assess non-affirmative cyber exposure.
- A potential increase in non-affirmative cyber exposures, which though recoverable by way of insurance are not appropriately being assessed.
Ben Love, Head of Business Development at Hiscox Re
comments:
“Hiscox Re are actively pressing for changes and clarity that will
better serve all stakeholders, by offering specialist cyber products,
and pushing exclusions elsewhere.”
2) Underwriters gain necessary knowledge for cyber
A second possible direction is for underwriters currently
exposed to non-affirmative cyber to gain the specialist
knowledge necessary to properly understand the risk and
exposure that non-affirmative cyber cover brings.
Underwriters may then begin properly adjusting premiums for
cyber, or possibly including specified sub limits to restrict the
exposure to cyber risk.
This process however, is likely to take several years to
implement and propagate adequately throughout the industry.
At a time when combined ratios are near 100%, additional
investment in specialised knowledge and training is difficult to
justify.
3) Consolidation of affirmative cyber covers;
standalone policy offerings
A third potential direction is an industry shift toward
affirmative cyber policies designed to cover non-affirmative
cyber exposures.
We are already seeing this happen to some extent within the market, where affirmative cyber products are evolving from what was historically a non-affirmative product (we discuss this further in the following section). This shifts the burden from underwriters who have limited knowledge/resources to evaluate and underwrite cyber risk onto specialist underwriters who only write cyber risks.
Having specialist cyber underwriters write cyber risks provides many advantages over traditional underwriters (who write non-affirmative cyber back into policies which have not been designed to accommodate the risk); not least the ability to price risk and manage the aggregation within portfolios.
This is echoed by A.M. Best:
“[A.M. Best] believes a transition to standalone cyber policies may contribute to better pricing and reserving methods, which ultimately may lead to refinements in modelling tools and contribute to more accurate understanding of risk aggregation.” [11]
In reality, it is likely that the future shape of the cyber
insurance market will be some hybrid of the above mentioned
directions. The catalyst for change may then be a catastrophic
loss in the cyber or general insurance market, which forces
insurers to evaluate their approach to underwriting non-
affirmative cyber.
“(The Lloyd’s) report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs.” [12]
– Inga Beale, CEO of Lloyd’s
Potential Insurance Solutions
Exposure to cyber risk is an obvious and dangerous peril if left unmitigated or unreviewed. The challenge facing insurers is how to assess, quantify and charge appropriately for this risk.
Unlike elemental perils which are restricted by geography,
truly systemic cyber risk is not limited by boundaries and
could be a global threat, across multiple sectors of business, as
NotPetya has shown. In addition to this, the threat
environment within cyber changes constantly which makes the
development of models for risk assessment difficult.
“Ambiguity in cyber coverage, indeed any coverage, serves no-one
and can lead to potential court room misery for all involved. Cyber
products have to evolve to avoid this: the cyber peril must be
specifically identified, evaluated and priced for.”
- Ben Love, Head of Business Development, Hiscox Re
A number of affirmative cyber solutions have emerged to
address the challenges mentioned above, and act to pull the
cyber peril out of non-affirmative covers.
A few examples of affirmative cyber solutions include:
- Brit – Brit Cyber Attack Plus (BCAP) [13]
- Aegis – Cyber Resilience Plus [14]
- FM Global – Advantage Policy Cyber [15]
For the sake of exposition, we explore in more detail the
coverage and design of BCAP below, as it is one of the largest
products currently available, with $200-$350 million of
capacity (depending on the risk). This product arose from
broker requests to write back the CL380 exclusion clause
into terror contracts.
It was originally a Property Damage and Business Interruption
cover designed to respond when/if an insured suffers
unauthorised/malicious attack to their SCADA systems and
suffers loss as a result.
In response to changes in the cyber insurance market and
broker input, this product expanded to offer limits resulting
from the same malicious / unauthorised access but now
provides indemnification for other covers in addition to
Property Damage and Business Interruption.
Example coverages available in this product and others include:
- Non-damage business interruption
- Loss mitigation expenses
- Digital asset restoration
- Cyber extortion
- Crisis management costs
- Bodily injury
- Contingent business interruption
- System failure
- Notification costs
Additionally, and most relevant to the insurance industry as a whole, is the utilisation of third-party expertise (IT consultancy firms and cyber vendors) to support the underwriting process of primarily affirmative cyber.
Standalone products such as the above aim to counteract existing non-affirmative cover by affirmatively analysing and understanding cyber risk behaviours within the insurance market, and have a number of benefits:
- Ensures a good degree of information exchange to support the underwriting.
- Establishes a clear / definable coverage set in return for a pre-agreed indemnification.
- Litigation among other lines of insurance will be minimised if there is a cyber specific insurance contract in place rather than the prevailing silence we see on most lines.
- Ensures the right experts are seeing and contributing toward risk assessment.
Russell Kennedy, Divisional Director, Brit Insurance, has this
to say on the subject: “Current soft market conditions threaten to undermine the creation of what
should be the most exciting area of the cyber market going
forward. Business continuity faces no greater threat than those posed by a
breakdown in IT infrastructure whether at the micro or macro level.
Brit have devised an underwriting methodology, risk assessment tools and
aggregation management approach which will enable us and our
consortium partners to assess this risk in a considered fashion. The applicability of our product across all business industry is endless and could
result in $BNs of new insurance premium if managed correctly.
Rather ironically a lack of underwriting discipline is perhaps the greatest
threat to this potentially expansive “new” class of business.”
Historically, insurance has served as a vessel to provide
solutions to ‘protect against’ a peril, providing means for risk
management and mitigation. The products discussed in this
section are some solutions aimed at taking the non-affirmative
exposures and ambiguous cover out of the traditional
insurance marketplace, serving precisely as tools for risk
management and mitigation.
Furthermore, these solutions add value through education
surrounding the cyber peril, which may be fully utilised by policyholders.
Geoff Pryor-White, Chief Executive Officer at Tarian Underwriting Limited comments:
“Cyber insurance is in its nascent stages, but has grown greatly over the last five years from an estimated $850m global premium spend to an expected $4.5bn this year.
Tarian have made great strides with all “traditional” lines of business to help them
understand the risks that they are picking up, either affirmatively or with silent cover. It
is our view that affirmative cover provides the best solution for our mutual clients, as
we can work with them to ensure that they have the appropriate cover for their needs,
at a sustainable price, and with the risk management advice that benefits the risk
posture.”
“Novae see this area of the cyber industry market as potentially one of the greatest
areas of growth within the insurance industry. Thus, we have dedicated a great deal of
time into ensuring that we can appropriately underwrite this risk and provide a
meaningful solution for our clients.
Not only this, but we feel that with the expertise we have within the team, we can offer
our clients a level of education surrounding their exposure and how to deal with it, which
you simply would not receive from a non-affirmative policy.”
- Mike Shen (Head of Cyber Innovation, Novae)
Potential Reinsurance Solutions
Potential ILS Solutions
In the current marketplace the main driver of volatility, and hence of capital, is property catastrophe. In the future it is likely that cyber will also sit alongside property catastrophe as one of the key drivers of capital [12]. Therefore it is worth considering, due to both the scale of the class and its volatile nature, on which balance sheet the cyber risk appropriately sits.
In the last 15 years we have seen an explosion in the amount of capital in this space from insurance-linked securities (ILS) capital. This was driven by
investors seeking an asset class which had a high, non-correlating return and this was enabled by the evolution in property catastrophe models.
While the situation is not the same today for cyber as it was for property catastrophe 15 years ago, interest is mounting from the ILS markets
surrounding cyber risk, which may lead to ILS playing a major role in the cyber space.
Many elements are driving the increasing interest in cyber focussed ILS portfolios:
- With the investor base changing, many funds are transitioning towards lower returns on perceived less volatile books. The addition of cyber to an ILS portfolio further aids diversification from other asset classes.
- As opportunities diminish in the property sector (although the full impact of the 2017 wind season is still to be fully realised), funds are looking to deploy capital away from property. Some funds view cyber as the obvious next area to focus on.
- Vendor cyber models are beginning to offer some theory around deterministic and (less so) probabilistic scenarios, giving funds greater levels of comfort.
At present, it is easier to structure ILS capacity to cover components of non-affirmative cyber such as property damage and business interruption, due to
the way in which triggers may be specified. Structuring for affirmative cyber events such as data breaches is proving to be a challenge but has been done
on a limited basis.
Cyber reinsurance products, non-affirmative or affirmative, should be designed to reflect the underlying risk exposure. At
Capsicum Re we are seeing reinsurance products begin to
address these issues, whilst also tackling the issues of limited
reinsurance capacity and regulatory oversight.
As an example of regulatory reporting required by Lloyd’s of London, syndicates are required to report on Exceedance Probability (EP) / Probable Maximum Losses (PML) for various cyberattack scenarios. In the absence of widespread probabilistic modelling, Lloyd’s reporting can form a basis for structuring reinsurance products. Vendor modelling outputs will play a larger part in the future, once they have been tested and show signs of a convergence of methodology.
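To make the EP / PML reporting concrete, the following is an added worked example, not Capsicum Re’s or Lloyd’s own method. It assumes a modelled loss figure per simulated year for one portfolio (the loss values are constructed for the illustration) and estimates the exceedance probability of a loss level as the fraction of simulated years reaching it; the PML at a given return period is then the smallest simulated loss whose exceedance probability is no greater than one in that many years.

```python
"""Empirical exceedance-probability (EP) curve and PML lookup.

Added illustration only (not a Capsicum Re or Lloyd's method). The annual
loss figures are constructed; a real run would use modelled scenario output.
"""

# Constructed annual portfolio losses (GBP millions), one per simulated year.
SIMULATED_ANNUAL_LOSSES = [0.0, 0.0, 2.5, 4.0, 0.0, 12.0, 1.0, 35.0, 0.0, 7.5]


def exceedance_probability(losses, threshold):
    """P(annual loss >= threshold), estimated as a frequency over simulated years."""
    if not losses:
        raise ValueError("need at least one simulated year")
    return sum(1 for loss in losses if loss >= threshold) / len(losses)


def ep_curve(losses):
    """Return (loss, EP) points for each distinct loss level, largest loss first.

    Distinct levels are used so that repeated values (e.g. several
    zero-loss years) share one EP instead of being stepped artificially.
    """
    return [(level, exceedance_probability(losses, level))
            for level in sorted(set(losses), reverse=True)]


def pml(losses, return_period):
    """Probable Maximum Loss at a 1-in-return_period-year level.

    Smallest simulated loss whose EP is <= 1/return_period. If the sample is
    too short to resolve that probability, the worst simulated year is
    returned, which a reviewer should read as a floor, not an estimate.
    """
    target = 1.0 / return_period
    for level in sorted(set(losses)):
        if exceedance_probability(losses, level) <= target:
            return level
    return max(losses)


if __name__ == "__main__":
    for level, ep in ep_curve(SIMULATED_ANNUAL_LOSSES):
        print(f"loss >= {level:5.1f}m  EP = {ep:.2f}")
    for years in (5, 10, 100):
        print(f"1-in-{years} PML: {pml(SIMULATED_ANNUAL_LOSSES, years)}m")
```

With only ten simulated years the 1-in-100 PML collapses to the largest observed loss, which is exactly the resolution problem the text raises about the absence of widespread probabilistic modelling: a reported PML is only as credible as the number and realism of the scenarios behind it.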
Products – Non-Affirmative Cyber
Given the potential severe quantum of non-affirmative cyber loss/exposures we expect non-affirmative products to become
more standardised as modelling improves in this area.
Aggregate Products
Products have emerged to deal with the potential clash of
exposure to various lines of business from one cyber loss.
Such scenarios are studied and reported at length amongst
companies. All products within this space focus on providing
tail coverage for a systemic multi-line cyber loss on a net of
reinsurance basis.
This coverage was developed to assist in the absorption of
potential exposure from a lack of uniformity in cyber
exclusions in a portfolio. To address this, products must be
tailored to further encompass the correct exposures.
As an example, our solutions for this include:
- Cyclone – clash of net retentions product.
- Systemic aggregate tail protection.
These products are structured for capital efficiency, inclusion
of affirmative cyber and profit sharing mechanisms.
Products – Affirmative Cyber
Aggregate Per Policy Excess of Loss
This product is designed to mimic original cyber policies and
allow Insureds to aggregate individual claims from a single
policy.
Aggregate Stop Loss
A systemic or a capital impacting event is something most
insurers and regulators are concerned with in cyber. The stop
loss product ensures the overall net result of the portfolio is
protected against any kind of aggregation of losses, including
small attritional claims. Often, co-participation and profit
sharing terms are included to ensure interests are aligned.
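The two affirmative products above differ in what they aggregate. The following added example (not a Capsicum Re product description; the retention, limit, loss-ratio triggers, co-participation share and claims are all constructed) applies each to the same year of claims: the per-policy excess of loss aggregates claims within each original policy and responds above a retention per policy, while the aggregate stop loss looks at the whole portfolio against its premium and so also catches the attritional claims that never reach a per-policy retention.

```python
"""Aggregate Per Policy Excess of Loss vs Aggregate Stop Loss.

Added illustration only; all figures are constructed. Monetary amounts are
in one currency unit (say GBP thousands).
"""
from collections import defaultdict

# Constructed year of claims as (policy_id, amount): three attritional claims on
# policy A, a systemic event hitting B and C, and one small claim on D.
CLAIMS = [("A", 40.0), ("A", 60.0), ("A", 30.0),
          ("B", 500.0), ("C", 900.0), ("D", 20.0)]
SUBJECT_PREMIUM = 1000.0  # constructed premium of the protected portfolio


def per_policy_aggregate_xol(claims, retention, limit):
    """Reinsurer pays, for each policy, the year's aggregated claims above
    `retention`, capped at `limit`. Returns {policy_id: recovery}."""
    totals = defaultdict(float)
    for policy_id, amount in claims:
        totals[policy_id] += amount
    return {pid: min(max(total - retention, 0.0), limit)
            for pid, total in totals.items()}


def aggregate_stop_loss(claims, premium, attach_ratio, exhaust_ratio, cedant_share):
    """Reinsurer pays the portfolio's aggregate losses falling between
    attach_ratio and exhaust_ratio (expressed as loss ratios to premium),
    less the cedant's co-participation share of that layer."""
    if not 0.0 <= cedant_share < 1.0 or exhaust_ratio <= attach_ratio:
        raise ValueError("bad layer terms")
    total = sum(amount for _, amount in claims)
    attach, exhaust = attach_ratio * premium, exhaust_ratio * premium
    layer_loss = min(max(total - attach, 0.0), exhaust - attach)
    return layer_loss * (1.0 - cedant_share)


def net_result(claims, premium, recovery):
    """Cedant's net underwriting result after reinsurance recovery."""
    return premium - sum(amount for _, amount in claims) + recovery


if __name__ == "__main__":
    xol = per_policy_aggregate_xol(CLAIMS, retention=100.0, limit=500.0)
    print("per-policy XoL recoveries:", xol)          # D recovers nothing
    print("net after XoL:", net_result(CLAIMS, SUBJECT_PREMIUM, sum(xol.values())))
    stop = aggregate_stop_loss(CLAIMS, SUBJECT_PREMIUM, 1.0, 1.5, cedant_share=0.10)
    print("stop loss recovery:", stop)
    print("net after stop loss:", net_result(CLAIMS, SUBJECT_PREMIUM, stop))
```

Here the stop loss caps the cedant's loss ratio near the attachment point regardless of how the losses are distributed, whereas the excess of loss leaves the attritional claims on policy D and the retained first 100 on every policy with the cedant. The `cedant_share` parameter is the co-participation the text mentions: it keeps the cedant exposed to a slice of the layer so that claims handling incentives stay aligned.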
“We have designed a number of structures, pricing methodologies and contract forms that will assist a cedent’s risk transfer needs
and facilitate capital/regulatory relief for this as yet poorly
understood but increasingly prominent peril.”
- Robert Ashton, Cyber Treaty Reinsurance Underwriter,
Fidelis
Multiple cyber insurance loss vectors:
- Systemic losses or aggregation losses (a collection of smaller claims) put demand on vertical limits and, therefore, insurers should consider at minimum the potential frequency of claims.
- The extent of exposure for third party liability, business interruption and physical damage varies widely between industries.
- A cause of loss such as malware may lie dormant for a long time before being activated and/or discovered. This makes it difficult to apply traditional reinsurance catastrophe clauses in which a time period is required for cover (e.g. Hours Clause).
- Actors in cyber events are often unknown; hence the definition of a cyber event needs to be carefully identified, as it should only encompass the required and understood coverage.
- Historical data becomes less relevant due to the changing nature of cyber risk over time (for example, the shift in prevalence from data breaches to ransomware [16]).
1. Stephen Catlin, Risk & Reward: An Inside View of the Property/Casualty Insurance Business.
2. http://www.bankofengland.co.uk/pra/Pages/publications/ss/2017/ss417.aspx
3. https://blogs.cisco.com/financialservices/ransomware-lessons-for-the-financial-services-industry
4. https://blog.barkly.com/wannacry-ransomware-statistics-2017
5. https://www.reinsurancene.ws/reinsurance-take-minimal-share-8-billion-wannacry-economic-loss-m-best/
6. http://www.securityweek.com/notpetya-attack-costs-big-companies-millions
7. https://www.equifaxsecurity2017.com/
8. http://www.mrknewsroom.com/news-release/corporate-news/merck-announces-second-quarter-2017-financial-results
9. https://www.sec.gov/Archives/edgar/data/310158/000031015817000037/mrk0630201710q.htm
10. https://www.theregister.co.uk/2017/07/11/pra_insurers_may_have_to_adjust_policies_to_reflect_silent_cyber_risks/
11. http://news.ambest.com/presscontent.aspx?altsrc=14&refnum=25414
12. https://www.lloyds.com/news-and-insight/press-centre/press-releases/2017/07/cyber-attack-report
13. http://www.britinsurance.com/brit-global-specialty/war-and-terrorism
14. https://www.aegislink.com/aegislink/services/underwriting/products/cyber-coverage-and-services.html
15. https://www.fmglobal.com/products-and-services/products/the-fm-global-advantage-all-risk-policy/cyber-property-coverage
16. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
This document has been prepared by Capsicum Reinsurance Brokers LLP (for itself and on behalf of
each affiliate) “Capsicum” at the request of and for the exclusive and confidential use of the recipient only. This document is provided to recipient on condition that the recipient shall treat it as strictly confidential and shall not communicate it in whole, in part or in summary to any third
party. Capsicum assumes no duty in contract, tort or otherwise to any third party (excepting any
liability which as a matter of law cannot be excluded) in respect of the underlying data or any material based upon it and no third party should expect Capsicum to owe it any such duty.
Capsicum shall retain any and/all copyright and other forms of intellectual property or other proprietary rights subsisting anywhere in the world (together, “Intellectual Property Rights”) in any and/all works; developments (including but not limited to any ideas, know-how, techniques,
documentation, software and reports) and materials (including but not limited to any design, specification, instruction, software, information, data and documents) used or produced by Capsicum whether individually or in conjunction with others in connection with this document. The
recipient does not acquire any right or license in relation to any Intellectual Property Rights owned or used by Capsicum by virtue of this document being provided to the recipient.
Acceptance by the recipient of this document shall be deemed to be agreement by the recipient to the above. © Copyright 2017 Capsicum Re. All rights reserved: No part of this document may be reproduced,
stored in a retrieval system, or transmitted in any form or by means, whether electronic, mechanical, photocopying, recording or otherwise, without the permission of Capsicum Re.
UK Offices
Capsicum Re
The Walbrook Building
25 Walbrook
London
EC4N 8AW
67 Lombard Street
London
EC3V 9LJ
+44 (0) 20 7204 6000
Bermuda Office
Capsicum Re
Overbay
106 Pitts Bay Road
Pembroke, Bermuda
HM08
+1 (441) 824 4321
Brazil Office
501. Torre Corcovado – 2nd Andar.
Praia de Botafogo
Rio de Janeiro
+1 (441) 824 4321
Chile Office
El Golf 99 Of. 1301
Las Condes,
Santiago
PO 755015 Chile
Miami Office
1000 Brickell Avenue
Suite 590
www.capsicumre.com