Silent cyber risk concerns growing across the board

2018 Silent Cyber Risk Outlook

September 17, 2018
| United States, United Kingdom, Canada +1 more
  • Bermuda
2018 marks the second year of Willis Re’s market survey about silent cyber exposure — potential cyber-related losses due to silent coverage under insurance policies not specifically designed to cover cyber risk.

Since our 2017 survey, there have been some headline silent cyber losses in lines as diverse as property, marine, and directors and officers (D&O) arising out of events such as the NotPetya malware attack and the Equifax data breach. How have these events, and an increased awareness of the potential for silent cyber losses, affected market perceptions?

In 2018, our survey sample comprised close to 700 participants from over 100 insurance companies and groups around the world as well as a number of Willis Towers Watson employees. The focus for the survey was five lines of business: first-party property, other liability (which this year incorporated auto), workers compensation (all of which were included in 2017), and two new lines — errors and omissions (E&O) and D&O.

In addition, this year we also asked questions about large cyber loss events, exploring the extent to which respondents think the specified lines of business are correlated in the event of a large cyber event (1:100 or worse) and what return periods respondents would attach to a series of recent cyber events, including NotPetya and Equifax.

View the full report using the “Download” button at the top or bottom of this page.

What the numbers mean

To recap, we asked all respondents to assess the extent to which, over the next 12 months, the cyber aspect of exposure would increase the likelihood of a covered loss. Based on the available range of responses – <1% (less than one additional cyber-related loss for every 100 non-cyber related losses) to 100% (as many cyber-related losses as non-cyber-related losses) – we then converted these into a silent cyber risk factor (for example, 1.01 or less, indicating one or fewer than one cyber-related loss for every 100 non-cyber-related losses, and 1.5, representing 50% more covered losses).