1 Capsicum Re | Addressing Non-Affirmative Cyber

CAPSICUM RE in partnership with

Addressing

Non- Non-Affirmative Cyber

October 2017

Executive Summary

2 Capsicum Re | Addressing Non-Affirmative Cyber

Global Head of Cyber

Ian Newman

Ian.Newman@capsicumre.com

Tel: +44 (0) 207 204 6000

Head of Cyber Analytics

Maryam Abdullah

Maryam.Abdullah@capsicumre.com

Tel: +: +44 (0)20 3425 3418

Affirmative Cyber Insurance

Johnny Fraser

Johnny.Fraser@capsicumre.com

Tel: + 44 (0)20 7204 6079

Non-Affirmative Cyber

Reinsurance

Patrick Bousfield

Patrick.Bousfield@capsicumre.com

Tel: + 44 (0)20 7204 3091

Supervisory Editor

Conrad Williams

Conrad.Williams@capsicumre.com

Tel: +44 (0)20 7560 3121

The insurance industry needs to address non-affirmative cyber in a meaningful

way. Capsicum Re uses the term non-affirmative cyber (or silent/passive cyber)

to refer to instances where the cyber peril is neither explicitly included nor

explicitly excluded within an insurance policy. This presents obvious problems

in an increasingly interconnected and interdependent business environment.

There is a growing concern for policyholders surrounding non-physical perils

such as network/system failure that can cause disruption to business continuity

and profitability. Affirmative cyber cover refers to insurance policies where the

peril is defined and coverages are explicitly set out within the policy document.

This report attempts to summarise the current state of the cyber market –

focusing in particular upon non-affirmative cyber exposures and where the

market can address them.

In the first section, we identify four current factors which are changing the

dynamics of the cyber insurance market.

1) Increasing regulatory pressure.

2) Increasing frequency of large cyber-attacks / market losses.

3) Lack of uniformity in implementation of Cyber exclusionary wording.

4) Potential macro shift in the existing soft market dynamics.

Following this, we discuss three foreseeable directions in which the cyber

insurance market may move in reaction to these factors.

We will also examine solutions for insurers which have developed naturally

from the need to address non-affirmative cyber exposures. Then, we go on to

discuss existing reinsurance solutions to address and protect against both

affirmative and non-affirmative systemic and aggregation losses in cyber/non-

cyber portfolios:

Non-Affirmative Cyber Products

1) Cyclone – clash of net retentions

2) Systemic aggregate tail protection

Affirmative Cyber Products

1) Aggregate Per Policy Excess of Loss

2) Aggregate Stop Loss

Potential solutions to bring ILS markets into the cyber insurance market

“To me, the elephant in the room today is what we call the ‘cyber’ issue. The growing

interconnectivity of computers, their ability to learn from each other and the fact that

the world’s economy has become absolutely dependant on the internet raises huge

new challenges for the insurance industry.” – Extract from Stephen Catlin, Risk & Reward: An Inside View of the Property/Casualty Insurance

Business.1

Changing Dynamics of Cyber Insurance

3 Capsicum Re | Addressing Non-Affirmative Cyber

We have identified the following key drivers changing the

current dynamic of the cyber insurance market:

1. Increasing regulatory pressure

The UK’s Prudential Regulation Authority (PRA) recently

released a consultation paper and supervisory statement on

their expectations of firms regarding cyber insurance

underwriting risk. In short:

“the PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk2.”

The PRA statement covers both non-affirmative and

affirmative cyber risk.

Specifically, for non-affirmative cyber risks, expectations are placed on firms to consider:

adjusting premiums to reflect the additional risk and offer

explicit cover;

introducing robust wording exclusions; and/or

attaching specific limits of cover.

The rating agency A.M. Best presents a similar rhetoric:

“[A.M. Best] expect companies to be proactive and forthcoming with their own evaluation and measurement of the exposure and

accumulation of their cyber liability exposure.”

2. Increasing frequency of large cyber-attacks /

market losses

Another key element which is forcing (re)insurers to revaluate their approach

to cyber (re)insurance is the sheer

scale and frequency of losses impacting

policies. In 2017 there has been a

dramatic increase in the number of

ransomware attacks - according to

Cisco, ransomware attacks are growing

at a yearly rate of 350%3. The way in

which modern business is conducted,

via interconnected global networks,

only serves to spread ransomware

around the world at exponential

speeds. Ransomwares such as

WannaCry and NotPetya grabbed headlines in 2017.

The first, WannaCry, is estimated to have impacted more

than 400,000 computers in 150 countries4, with an economic

loss in the region of $4-$8 billion5. The impact for (re)insurers

however, is minimal. The effects of WannaCry on insurable

losses such as business interruption and physical damage were

limited; many companies were able to restrict the

proliferation of WannaCry within their networks and could

recover encrypted data via backups.

NotPetya on the other hand, a wiper disguised as ransomware, has left a lasting impression on many businesses.

This can be attributed to the design of NotPetya; it intended

to destroy, sabotage and disrupt businesses, rather than

extort for financial gain. Following the aftermath of NotPetya,

many companies reported disruptions to business extending

for several weeks, in additional to permanent physical damage

and unrecoverable data losses6. Several global organisations

have reported staggering losses of revenue running into the

100’s of millions. However, as of yet the quantum of insured

loss is still being calculated.

It is interesting to note that traditional cyber breaches

(expected to be covered by affirmative policies), such as the

breach reported recently by Equifax7, can cause significant

losses to cascade through to other towers, such as D&O. In

this manner, non-affirmative cover is affected despite the fact

there is an affirmative cover in place.

3. Lack of uniformity in implementation of cyber

exclusionary wording

Following the NotPetya cyber-attack, there is speculation that

several of the affected publicly listed companies may seek

recoveries from both cyber and property insurance towers

(due to hardware physical damage and associated business

interruption costs).

For example, Merck & Co., an American Pharmaceutical

company, reported severe disruptions to its manufacturing

capabilities8. As a result, it is estimated that Merck’s business

interruption has been heavily affected which could run into

the 100’s of millions. In Merck’s second quarter report they

highlighted the following issue surrounding insurance coverage

on (assumed) non-affirmative cyber property policies9:

“The Company has insurance coverage insuring against costs

resulting from cyber-attacks. However, there may be disputes with

the insurers about the availability of the insurance coverage for

claims related to this incident.”

This lack of clarity creates ambiguity for the insured, unknown exposure for the insurer, and

exponential aggregation for

reinsurers. This prompts

discussion surrounding the

current cyber exclusions used in

(re)insurance contracts, some

examples include Lloyd’s CL380

and NMA2914. Leaving the

courts to decide whether

damage arising from a cyber

event is covered in a property

policy is a failure of the industry

to address evolving exposures. It

will be interesting to see how

the overall market reacts to

these losses and future court decisions. We may also see

organisations themselves seek large limit standalone cyber

cover to protect against ‘catastrophe’ style cyber losses like

NotPetya.

4. Potential macro shift in the existing soft

market dynamics

“As market conditions change following Harvey, Irma and Maria, non-

affirmative cyber will need to be addressed now.”

- Paul Merrey, Insurance Partner, KPMG

With the ongoing active wind season in the Atlantic and large cyber events in 2017, (re)insurers are experiencing significant

losses. While it is unknown if the loss events in 2017 will lead

to a hardening of the soft market or any pricing changes, there

is speculation that reinsurers may look to push back on the

inclusion of non-affirmative cyber in property and other

classes of business (see TransRe remark above).

The potential mounting losses from around the world might be the driver that forces insurers to adequately calculate and

affirmatively accept cyber exposures, which their

policyholders are taking on in their everyday businesses (e.g.

increasing automation, robotics, lights out manufacturing).

Kara Owens, Global Head of Cyber Risk at TransRe

remarks:

“As the (re)insurance industry sees exposures grow and

claims notifications into traditional insurance product lines rise from cyber related incidents, it is in the industry’s best

interest to properly assess, price and track these exposures.

TransRe is following events such as WannaCry, Petya and airline system outages closely.

We are evaluating silent and affirmative exposures and will

be pushing for proper exclusionary language and

underwriting controls as it relates to cyber related exposures within traditional lines such as property and marine.”

Direction of the Cyber Insurance Market

Directions of the Cyber Insurance Market

4 Capsicum Re | Addressing Non-Affirmative Cyber

Dan Trueman, Chief Innovation Officer at

Novae comments:

“Cyber underwriting is a specialist class. The nuances in pricing and aggregation across and

between cyber risks requires expertise.

We consider it both surprising and unsustainable

that cyber risk could be included within so many

policies with effectively no information being

requested and no regards to the measurement or

level of systemic exposure being taken on.”

In reaction to the factors discussed previously that are

driving change in cyber insurance market, we have

identified three foreseeable directions in which the market

may move in the coming years.

1) Remain unchanged

First is the possibility that the cyber insurance market will

remain largely unchanged; insurers will continue to

underwrite (or in the case of non-affirmative, not underwrite)

cyber business in the current manner. In this scenario, the

majority of insurers will continue to include (or not exclude)

cyber on more traditional polices such as property, casualty,

D&O and E&O, while a minority of ‘specialist’ insurers write

standalone cyber cover.

This presents many challenges which are identical to those

identified by the PRA. Cyber risk is, by nature, an extremely

complicated risk to evaluate, and thus it

is difficult to correctly calculate

premium on non-specialist cyber

policies. Furthermore, from a portfolio

standpoint, determining exposure and

aggregation to a specific cyber incident

is a complex task. This in turn makes it

difficult for insurers to be confident

they have adequate reserves to handle

a large number of claims at one time

occurring from a catastrophic global

cyber-attack10.

Continuing in this direction will expose the industry to:

A continued lack of understanding /

knowledge to correctly price / assess non-

affirmative cyber exposure.

A potential increase in non-affirmative cyber

exposures, which though recoverable by

way of insurance are not appropriately being

assessed.

Ben Love, Head of Business Development at Hiscox Re

comments:

“Hiscox Re are actively pressing for changes and clarity that will

better serve all stakeholders, by offering specialist cyber products,

and pushing exclusions elsewhere.”

2) Underwriters gain necessary knowledge for cyber

A second possible direction is for underwriters currently

exposed to non-affirmative cyber to gain the specialist

knowledge necessary to properly understand the risk and

exposure that non-affirmative cyber cover brings.

Underwriters may then begin properly adjusting premiums for

cyber, or possibly including specified sub limits to restrict the

exposure to cyber risk.

This process however, is likely to take several years to

implement and propagate adequately throughout the industry.

At a time when combined ratios are near 100%, additional

investment in specialised knowledge and training is difficult to

justify.

3) Consolidation of affirmative cyber covers;

standalone policy offerings

A third potential direction is an industry shift toward

affirmative cyber policies designed to cover non-affirmative

cyber exposures.

We are already seeing this happen to some extent within the

market, where affirmative cyber products are evolving from

what was historically a non-affirmative product (we discuss

this further in the following section). This alleviates the

burden on underwriters who have limited knowledge/

resources to evaluate and

underwrite cyber risk, onto

specialist underwriters who only

write cyber risks.

Having specialist cyber

underwriters write cyber risks

provides many advantages over

traditional underwriters (who

write non-affirmative cyber back

into policies which have not been

designed to accommodate the risk);

not least the ability to price risk and manage the aggregation

within portfolios.

This is echoed by A.M Best:

“[A.M Best] believes a transition to standalone cyber policies may

contribute to better pricing and reserving methods, which ultimately

may lead to refinements in modelling tools and contribute to more

accurate understanding of risk aggregation11.”

In reality, it is likely that the future shape of the cyber

insurance market will be some hybrid of the above mentioned

directions. The catalyst for change may then be a catastrophic

loss in the cyber or general insurance market, which forces

insurers to evaluate their approach to underwriting non-

affirmative cyber.

“(The Lloyd’s) report gives a real sense of the scale of damage a

cyber-attack could cause the global economy. Just like some of the

worst natural catastrophes, cyber events can cause a severe impact

on businesses and economies, trigger multiple claims and

dramatically increase insurer’s claims costs.12”

– Inga Beale, CEO of Lloyds

Capsicum Re – Insurance Solutions

Potential Insurance Solutions

5 Capsicum Re | Addressing Non-Affirmative Cyber

Exposure to cyber risk is an obvious and dangerous peril if left

unmitigated or reviewed. The challenge facing insurers is how

to assess, quantify and charge appropriately for this risk.

Unlike elemental perils which are restricted by geography,

truly systemic cyber risk is not limited by boundaries and

could be a global threat, across multiple sectors of business, as

NotPetya has shown. In addition to this, the threat

environment within cyber changes constantly which makes the

development of models for risk assessment difficult.

“Ambiguity in cyber coverage, indeed any coverage, serves no-one

and can lead to potential court room misery for all involved. Cyber

products have to evolve to avoid this: the cyber peril must be

specifically identified, evaluated and priced for.”

- Ben Love, Head of Business Development, Hiscox Re

A number of affirmative cyber solutions have emerged to

address the challenges mentioned above, and act to pull the

cyber peril out of non-affirmative covers.

A few examples of affirmative cyber solutions include:

Brit – Brit Cyber Attack Plus (BCAP)13

Aegis – Cyber Resilience Plus14

FM Global – Advantage Policy Cyber15

For the sake of exposition, we explore in more detail the

coverage and design of BCAP below, as it is one of the largest

products currently available, with $200-$350 million of

capacity (depending on the risk). This product arose from

broker requests to write back the CL380 exclusion clause

into terror contracts.

It was originally a Property Damage and Business Interruption

cover designed to respond when/if an insured suffers

unauthorised/malicious attack to their SCADA systems and

suffers loss as a result.

In response to changes in the cyber insurance market and

broker input, this product expanded to offer limits resulting

from the same malicious / unauthorised access but now

provides indemnification for other covers in addition to

Property Damage and Business Interruption.

Example coverage available in this product and others include:

Non-damage business interruption

Loss mitigation expenses

Digital asset restoration

Cyber extortion

Crisis management costs

Bodily injury

Contingent business interruption

System failure

Notification costs

Additionally, and most relevant to the insurance industry as a

whole, is the utilisation of 3rd party expertise (IT consultancy

firms and cyber vendors) to support the underwriting process

of primarily affirmative cyber.

Standalone products such as the above aim to counteract

existing non-affirmative cover by affirmatively analysing and

understanding cyber risk behaviours within the insurance

market and has a number of benefits:

Ensures a good degree of information exchange to

support the underwriting.

Establishes a clear / definable coverage set in return for a

pre-agreed indemnification.

Litigation among other lines of insurance will be

minimised if there is a cyber specific insurance contract in

place rather than the prevailing silence we see on most

lines.

Ensures the right experts are seeing and contributing

toward risk assessment.

Russell Kennedy, Divisional Director, Brit Insurance, has this

to say on the subject: “Current soft market conditions threaten to undermine the creation of what

should be the most exciting area of the cyber market going

forward. Business continuity faces no greater threat than those posed by a

breakdown in IT infrastructure whether at the micro or macro level.

Brit have devised an underwriting methodology, risk assessment tools and

aggregation management approach which will enable us and our

consortium partners to assess this risk in a considered fashion. The applicability of our product across all business industry is endless and could

result in $BNs of new insurance premium if managed correctly.

Rather ironically a lack of underwriting discipline is perhaps the greatest

threat to this potentially expansive “new” class of business.”

Historically, insurance has served as a vessel to provide

solutions to ‘protect against’ a peril, providing means for risk

management and mitigation. The products discussed in this

section are some solutions aimed at taking the non-affirmative

exposures and ambiguous cover out of the traditional

insurance marketplace, serving precisely as tools for risk

management and mitigation.

Furthermore, these solutions add value through education

surrounding the cyber peril, which may be fully utilised by policyholders.

Geoff Pryor-White, Chief Executive Officer at Tarian Underwriting Limited comments:

“Cyber insurance is in its nascent stages, but has grown greatly over the last five years

from an estimated $850m global premium spend to an expected $4.5bn this year

Tarian have made great strides with all “traditional” lines of business to help them

understand the risks that they are picking up, either affirmatively or with silent cover. It

is our view that affirmative cover provides the best solution for our mutual clients, as

we can work with them to ensure that they have the appropriate cover for their needs,

at a sustainable price, and with the risk management advice that benefits the risk

posture.”

“Novae see this area of the cyber industry market as potentially one of the greatest

areas of growth within the insurance industry. Thus, we have dedicated a great deal of

time into ensuring that we can appropriately underwrite this risk and provide a

meaningful solution for our clients.

Not only this, but we feel that with the expertise we have within the team, we can offer

our clients a level of education surrounding their exposure and how to deal with it, which

you simply would not receive from a non-affirmative policy.”

- Mike Shen (Head of Cyber Innovation, Novae)

Capsicum Re – Reinsurance Solutions

Potential Reinsurance Solutions

6 Capsicum Re | Addressing Non-Affirmative Cyber

Potential ILS Solutions

In the current market place the main driver of volatility, and hence of capital, is property catastrophe. In the future it is likely that cyber will also sit

alongside property catastrophe as one of the key drivers of capital12. Therefore it is worth considering, due to both the scale of the class and its volatile nature, on which balance sheet the cyber risk appropriately exists.

In the last 15 years we have seen an explosion in the amount of capital in this space from insurance-linked securities (ILS) capital. This was driven by

investors seeking an asset class which had a high, non-correlating return and this was enabled by the evolution in property catastrophe models.

While the situation is not the same today for cyber as it was for property catastrophe 15 years ago, interest is mounting from the ILS markets

surrounding cyber risk, which may lead to ILS playing a major role in the cyber space.

Many elements are driving the increasing interest in cyber focussed ILS portfolios:

With the investor base changing, many funds are transitioning towards lower returns on perceived less volatile books. The addition of cyber to an ILS portfolio further aides diversification from other asset classes. As opportunities diminish in the property sector (although the full impact of the 2017 wind season is still to be fully realised), funds are looking to

deploy capital away from property. Some funds view cyber as the obvious next area to focus on.

Vendor cyber models are beginning to offer some theory around deterministic and (less so) probabilistic scenarios, giving funds greater levels of comfort.

At present, it is easier to structure ILS capacity to cover components of non-affirmative cyber such as property damage and business interruption, due to

the way in which triggers may be specified. Structuring for affirmative cyber events such as data breaches is proving to be a challenge but has been done

on a limited basis.

Cyber reinsurance products, non-affirmative or affirmative, should be designed to reflect the underlying risk exposure. At

Capsicum Re we are seeing reinsurance products begin to

address these issues, whilst also tackling the issues of limited

reinsurance capacity and regulatory oversight.

As an example of regulatory reporting required by Lloyd’s of

London, syndicates are required to report on Exceedance

Probability (EP) / Probable Maximum Losses (PML) for various

cyberattack scenarios. In the absence of widespread

probabilistic modelling, Lloyd’s reporting can form a basis for

structuring reinsurance products. Vendor modelling outputs

will play a larger part in the future, once they have been

tested and shows signs of a convergence of methodology.

Products – Non-Affirmative Cyber

Given the potential severe quantum of non-affirmative cyber loss/exposures we expect non-affirmative products to become

more standardised as modelling improves in this area.

Aggregate Products

Products have emerged to deal with the potential clash of

exposure to various lines of business from one cyber loss.

Such scenarios are studied and reported at length amongst

companies. All products within this space focus on providing

tail coverage for a systemic multi-line cyber loss on a net of

reinsurance basis.

This coverage was developed to assist in the absorption of

potential exposure from a lack of uniformity in cyber

exclusions in a portfolio. To address this, products must be

tailored to further encompass the correct exposures.

As an example, our solutions for this include:

Cyclone – clash of net retentions product. Systemic aggregate tail protection.

These products are structured for capital efficiency, inclusion

of affirmative cyber and profit sharing mechanisms.

Products – Affirmative Cyber

Aggregate Per Policy Excess of Loss

This product is designed to mimic original cyber policies and

allow Insureds to aggregate individual claims from a single

policy.

Aggregate Stop Loss

A Systemic or a capital impacting event is something most

insurers and regulators are concerned with in cyber. The stop

loss product ensures the overall net result of the portfolio is

protected against any kind of aggregation of losses, including

small attritional claims. Often, co-participation and profit

sharing terms are included to ensure interests are aligned.

“We have designed a number of structures, pricing methodologies and contract forms that will assist a cedent’s risk transfer needs

and facilitate capital/regulatory relief for this as yet poorly

understood but increasingly prominent peril.”

- Robert Ashton, Cyber Treaty Reinsurance Underwriter,

Fidelis

Multiple cyber insurance loss vectors:

Systemic losses or aggregation losses (a collection of smaller

claims), put demand on vertical limits and, therefore insurers should consider at minimum the potential frequency of claims.

The extent of exposure for third party liability, business

interruption and physical damage varies widely between industries.

A cause of loss such as malware may lay dormant for a long time

before being activated and/or discovered. This makes it difficult to apply traditional reinsurance catastrophe clauses in which a time period is required for covered (e.g. Hours Clause).

Actors in cyber events are often unknown; hence the definition

of a cyber event needs to be carefully identified as it should only encompass the required and understood coverage.

Historical data becomes less relevant due to the changing nature

of cyber risk over time (for example, prevalence of data breaches to ransomware16)

7 Capsicum Re | Addressing Non-Affirmative Cyber

1. Stephen Catlin, Risk & Reward: An Inside View of the Property/Casualty Insurance Business.

2. http://www.bankofengland.co.uk/pra/Pages/publications/ss/2017/ss417.aspx

3. https://blogs.cisco.com/financialservices/ransomware-lessons-for-the-financial-services-

industry

4. https://blog.barkly.com/wannacry-ransomware-statistics-2017

5. https://www.reinsurancene.ws/reinsurance-take-minimal-share-8-billion-wannacry-economic-

loss-m-best/

6. http://www.securityweek.com/notpetya-attack-costs-big-companies-millions

7. https://www.equifaxsecurity2017.com/

8. http://www.mrknewsroom.com/news-release/corporate-news/merck-announces-second-

quarter-2017-financial-results

9. https://www.sec.gov/Archives/edgar/data/310158/000031015817000037/mrk0630201710q.ht

m

10. https://www.theregister.co.uk/2017/07/11/pra_insurers_may_have_to_adjust_policies_to_r

eflect_silent_cyber_risks/

11. http://news.ambest.com/presscontent.aspx?altsrc=14&refnum=25414

12. https://www.lloyds.com/news-and-insight/press-centre/press-releases/2017/07/cyber-attack-

report

13. http://www.britinsurance.com/brit-global-specialty/war-and-terrorism

14. https://www.aegislink.com/aegislink/services/underwriting/products/cyber-coverage-and-

services.html

15. https://www.fmglobal.com/products-and-services/products/the-fm-global-advantage-all-risk-

policy/cyber-property-coverage

16. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

This document has been prepared by Capsicum Reinsurance Brokers LLP (for itself and on behalf of

each affiliate) “Capsicum” at the request of and for the exclusive and confidential use of the recipient only. This document is provided to recipient on condition that the recipient shall treat it as strictly confidential and shall not communicate it in whole, in part or in summary to any third

party. Capsicum assumes no duty in contract, tort or otherwise to any third party (excepting any

liability which as a matter of law cannot be excluded) in respect of the underlying data or any material based upon it and no third party should expect Capsicum to owe it any such duty.

Capsicum shall retain any and/all copyright and other forms of intellectual property or other proprietary rights subsisting anywhere in the world (together, “Intellectual Property Rights”) in any and/all works; developments (including but not limited to any ideas, know-how, techniques,

documentation, software and reports) and materials (including but not limited to any design, specification, instruction, software, information, data and documents) used or produced by Capsicum whether individually or in conjunction with others in connection with this document. The

recipient does not acquire any right or license in relation to any Intellectual Property Rights owned or used by Capsicum by virtue of this document being provided to the recipient.

Acceptance by the recipient of this document shall be deemed to be agreement by the recipient to the above. © Copyright 2017 Capsicum Re. All rights reserved: No part of this document may be reproduced,

stored in a retrieval system, or transmitted in any form or by means, whether electronic, mechanical, photocopying, recording or otherwise, without the permission of Capsicum Re.

UK Offices

Capsicum Re

The Walbrook Building

25 Walbrook

London

EC4N 8AW

67 Lombard Street

London

EC3V 9LJ

+44 (0) 20 7204 6000

Bermuda Office

Capsicum Re

Overbay

106 Pitts Bay Road

Pembroke, Bermuda

HM08

+1 (441) 824 4321

Brazil Office

501. Torre Corcovado – 2nd

Andar.

Praia de Botafogo

Rio de Janeiro

+1 (441) 824 4321

Chile Office

El Golf 99 Of. 1301

Las Condes,

Santiago

PO 755015 Chile

Miami Office

1000 Brickell Avenue

Suite 590

www.capsicumre.com