Understanding the Challenges of Cyber
The industrial revolution reduced the world’s reliance on human labour by replacing large swathes of the workforce with machines. The digital revolution has taken us one stage further by adding computerisation. This, in turn, is progressing towards the Internet of Things, comprising interconnected computerised devices embedded in everyday objects.
As technology has become fundamental to our way of life, in addition to posing a data breach risk to entities that hold consumer data, cyber becomes a risk that challenges most established lines of insurance coverage. Cyber risk is therefore one of the hottest topics in insurance. In addition to being viewed as a cross-class of business issue, it clearly has the potential to give rise to aggregation from single physical or economic loss occurrences, including from cloud computing. Whilst much of the focus has been on cyber-attack including terrorism, the cause of cyber losses could be considerably less targeted (e.g. virus, computer downtime).
Cyber risk is man-made, invisible, intangible, not geographically located, unproven and still evolving. Whilst the nature of an earthquake is there for all to see and history has shown us many examples, we lack technical understanding of cyber risk, the data to underpin underwriting and models to understand loss probabilities. In short, the insurance implications are untested.
The majority of wordings were not developed with cyber risk in mind. Having said this, some policies may carry cyber exclusionary language, sometimes as a result of the fears that arose 20 years ago around the possibility of losses from the Y2K bug. Some wordings may carry cyber-attack exclusions. But cyber may also not be recognised at all in the wording of policies. Many classes of business are completely silent, with cyber exposures having the potential to be a new cause of loss under existing policy wordings.
The challenge to underwriters across all classes of business is to examine whether they are, in fact, providing coverage for cyber-related losses. The risk may present with articulated, excluded or silent cyber coverage but in all cases underwriters are challenged to determine if there is increased exposure and whether they are pricing that risk correctly. And then they – and Lloyd’s for the market as a whole – must consider the issue of accumulation. The LMA has carried out considerable technical work to assist managing agents in establishing their frameworks of risk assessment. This work has also supported Lloyd’s in its market oversight role.
Managing agents also need to be considering the upcoming European General Data Protection Regulation (GDPR), which comes into force in May 2018. Whilst this is anticipated to drive further demand for insurance risk in the form of data breach response policies (CY risk code), it also creates a further challenge to managing agents around their own and their clients’ operational risk arising from breach of data. The LMA is leading a cross-market working group to assist managing agents with GDPR implementation.