No firm wants to risk the reputational damage
“Silent Cyber” is the term given to cyber related losses that may/or may not fall under a traditional property and liability policies that were not designed for that purpose, writes Akber Datoo, Founder and Managing Director, D2 Legal Technology.
The concerns of silent cyber have recently come to the fore and the shock waves created by the Mondelez / Zurich Insurance case have reverberated around the market. Whilst publicity may have temporarily abated over the past few months, very few insurance companies have begun to truly address the risk posed by silent cyber. In an industry predicated on strong reputation, the decision by Zurich to reject a claim from a client whose business had been devastated by the NotPetya cyber-attack in 2017 made headlines around the world – not least for citing exclusion for ‘hostile or warlike action in time of peace or war’ by a ’government or sovereign power’.
Yet as the cost of such attacks are being counted, the impact of silent cyber on the industry as a whole is becoming painfully apparent. PCS Global Cyber has recently attributed 90% of the insurance industry’s losses relating to the NotPetya cyber-attack to non-affirmative (silent) cyber, and the rest to affirmative losses.
Certainly, the PRA believes the UK insurance industry can do more to ensure the effective management of affirmative and non-affirmative cyber risk exposures. It has ordered firms to develop an action plan, with clear milestones and dates by which action will be taken.
Despite the cost to the industry, there remains a concerning lack of consistency in terms of risk awareness and planning as well as risk appetite and understanding. The PRA’s own survey in 2018 revealed significant divergence in firms’ views of the potential exposure to silent cyber. Within Marine, Aviation and Transport (MAT), Property and Miscellaneous lines, exposure was rated at anywhere between zero and the full limits.
With PCS Global Cyber believing the cost to the industry of NotPetya associated claims has now exceeded $3 billion, there is ever greater focus on insurance companies’ cyber stress tests. Fears that gross losses could run into the multiples of annual cyber premiums are very real. However, to date such exercises are based on minimal fact: firms lack robust or reliable claims data relating to silent cyber. As a result, models are immature and there is little faith in the resultant capital adequacy calculations. Just how much capital should the regulator demand firms to set aside against possible exposures when the silent cyber risk is so poorly understood?
In addition to the model and assessment demanded by the PRA, firms need to look closely at existing policy documentation to gain better insight into risk. What is the current position? Does wording need to be amended to address silent cyber risk? How can the legacy book be analysed and key data and wording from the contracts extracted to assess the potential silent cyber exposure going forward?
In many ways, the insurance industry is better placed than many for the challenges ahead. Document digitisation has been on the agenda for some time and the industry has already created clause libraries to make it easier for firms to gain access to vetted policy wordings and regularly used clauses. However, the low take-up of these libraries is disappointing. Not only do firms have a somewhat confusing choice – between the Lloyd’s Wording Repository, the IUA (International Underwriting Association) Clauses Document Library and the Xchanging Model Wordings Library, but the checklist structure is not providing the required solution.
Insurance companies and brokers need to better understand how to use these clause libraries within current business models, preferably in tandem with a document generation tool to improve data management. The goal is to create data driven contracts, where documents are drafted based on known outlooks. But to get to that point, firms need to actively embrace document digitisation to gain a better handle over the current risk position and create a foundation for rapidly changing wording to avoid any ambiguity regarding silent cyber. Moreover, we need the link wordings in clause libraries to classified business outcomes, and then derive business intelligence from policy portfolios.
No firm wants to risk the reputational damage associated with refusing a high profile claim – nor endure the huge losses associated with attacks such as NotPetya. With the rise in cyber attacks, this is an issue that has to be addressed immediately: firms need to act now and embrace the opportunity of digitisation strategies within policy documentation to mitigate the potentially devastating silent cyber risk.