Blog Post

3 factors that make silent cyber risk so challenging for CROs

September 13, 2019

Exposure to silent cyber – potential cyber-related losses arising from coverage under insurance policies not specifically designed to cover cyber risk – is continuing to concern regulators, boards, management and, of course, chief risk officers (CROs). Beginning January 1, 2020, Lloyd's of London will require all first-party property damage policies to clarify whether cyber coverage is affirmed or excluded.

About our 'A Year in the Life of the Strategic CRO' series

In our ongoing A Year in the Life of the Strategic CRO series, risk experts from our Insurance Consulting and Technology team, Willis Re and other parts of Willis Towers Watson cover how a strategically focused CRO can drive corporate strategy through the enterprise risk management planning process and throughout the year.

For liability and treaty reinsurance, the same requirements will come into effect in two phases during 2020 and 2021. These actions were in response to the UK Prudential Regulation Authority's (PRA) requirement that (re)insurers in the UK reduce their unintended exposure to non-affirmative cyber risk.

Several factors are driving these concerns:

  1. Dependence on digital technology is growing dramatically. The graph below shows just one aspect of that dependence, the growth in the internet of things. But there are many more: our increasing usage of cloud computing, the reliance we place on mobile phones for an ever-growing range of activities and the inability of many companies (and individuals) to function when the internet goes down.

    As a recent article by Norma Krayem in Decode Cyber Brief focusing on just the manufacturing industry set out, this has far-reaching implications.

    [Figure: Growth of internet-connected devices: 2014 - 2020]

  2. The whole world is one catastrophe zone. The internet has no geographical boundaries, so when it comes to cyber, everything is interconnected. A glimpse of what this means for the future was provided by the WannaCry and NotPetya malware attacks of 2017, when targeted assaults on the digital infrastructure of Ukraine had massive knock-on effects on worldwide commercial enterprises such as Merck, the pharmaceuticals manufacturer, and on national institutions such as the National Health Service in the UK.

    This has major implications for accumulation exposure. Unlike property exposures, cyber exposures cannot be divided into geographical catastrophe zones.

  3. The breadth of cyber exposures challenges reinsurers. First, there is the issue of intrinsic exposure to cyber risk that (re)insurers themselves present. Tom Finnan writes about this in the most recent edition of Decode Cyber Brief.

    Then there are the issues presented to (re)insurers as writers of business:

    • How does the CRO assess exposure for a peril that has only been around for a couple of decades, with rapidly growing exposures but little in the way of available loss data to guide risk quantification?
    • How does the CRO assess exposure for a man-made peril that is constantly changing, so that concerns about data breach one day morph into concerns about ransomware the next and broader concerns about the wide-scale impact of a malware attack the next after that?
    • How does the CRO assess exposure for a peril that didn't exist when most policy forms were written and where the extent of coverage varies across multiple lines of business according to policy language that has not yet been tested in the courts?

    Opinions vary widely on these and other questions, and there seems to be considerable volatility in how the market views the risk of silent cyber. The results of Willis Re's most recent survey about silent cyber exposure bear this out, with a significant drop in concern about the perceived level of exposure across multiple lines of business and different industry groups between 2018 and 2019, perhaps driven by the lack of any wide-scale cyber events since the WannaCry and NotPetya attacks in the middle of 2017.

We think the scale and complexity of the problems posed by silent cyber necessitate that the CRO initiate discussion of a strategic group-level approach to managing this risk. A consistent view can then be established about the level of exposure that potentially exists under various policy wordings for individual lines of business. This can then form a basis for the assessment of accumulation exposure and the setting of risk appetites and tolerances.

Given the lack of data and early stage of model development, we think (re)insurers should then adopt a plural view when it comes to determining cyber risk exposure. Understanding cyber model composition and individual model strengths and weaknesses is key to risk quantification. We think that (re)insurers should employ both stochastic and deterministic model methodologies to assess accumulation exposure and employ other approaches, such as market share analysis, so downside risk is looked at from as many angles as possible.

A standardized and centralized approach to cyber risk assessment across multiple lines of business enhances management understanding of portfolio risk at various return periods as well as the potential scope for "black swan" events that might exist in the tail. This will help develop the understanding necessary to manage exposure, establish risk tolerance levels and determine the most effective risk mitigation strategies for any amounts that exceed risk tolerance levels. It will also demonstrate to stakeholders – senior management, boards of directors, investors – and regulators that a well-thought-out approach has been adopted to managing this hard-to-measure but rapidly growing exposure.

Previously in the A Year in the Life of the Strategic CRO series: Risk managers: Beware of the right side of the decimal.
