As cyber attacks cause increasing losses in the physical world, the insurance industry is turning up the volume on so-called silent cyber risks.
“Silent cyber is the danger that’s lurking in the existing policy coverage that insurers have been offering and something that could be triggered by cyber,” says Prashant Pai, vice president of cyber offerings at Verisk. “That’s something [insurers] haven’t really thought through.”
The hidden, or silent, risks arise when cyber-related exposures are not specifically included or excluded in policy language. Stand-alone cyber insurance clearly defines the parameters of cyber cover, such as security and privacy breach expense and liability, and business interruption. Traditional insurance policies, by contrast, in many cases will not specifically refer to cyber and could end up paying claims for cyber losses. This exposure is also referred to as non-affirmative cyber, in contrast to affirmative cyber coverages that are explicitly outlined in a policy.
And these hidden risks can come with a high price tag. Last year’s global ransomware attacks NotPetya and WannaCry highlighted how cyber attacks can affect multiple lines of business and lead to massive losses. FedEx reported a $300 million impact on its operating earnings from the NotPetya attack, and shipper Maersk put the financial impact at $250 million to $300 million. The risks continue to grow as internet-connected devices multiply throughout all aspects of businesses and modern life.
To help bring these silent risks to light, Verisk’s risk modeling company, AIR Worldwide, is collaborating with global reinsurance brokerage Capsicum Re to expand its cyber modeling capabilities to include silent cyber.
AIR Worldwide’s existing cyber models estimate the potential frequency and severity of cyber attacks as well as the financial impact. As part of their development project, AIR Worldwide and Capsicum will identify which non-cyber lines of business are more likely to be exposed to losses related to silent cyber. Finding the cyber cause behind what looks on the surface like a traditional loss can prove challenging.
“Even if you think about it, and even if you implicitly include cyber-induced risks, there could be many different ways where you may not be able to attribute that back to cyber,” says Verisk’s Pai. For example, if an overheating printer hijacked by hackers causes a fire, it may be possible to attribute the fire to the printer but not necessarily to the malware planted in the now-destroyed printer.
AIR Worldwide hopes to finish the initial version of the silent cyber model by year-end and to release it early next year. The first version of the silent cyber model will focus on about a half-dozen lines, Pai says.
Working with a reinsurance brokerage allows AIR Worldwide to see a broad set of data from across the industry, Pai says.
“Our focus is to really sink our teeth into it and do a detailed job of analyzing and coming out with a view on what that risk really means,” Pai says.
Among other industry moves, Aon announced in September that it has sourced $350 million of reinsurance capacity from firms in Bermuda, London and Europe to help insurers mitigate their silent cyber exposures. Aon also has launched a silent cyber solution to help insurers identify, quantify and mitigate these exposures. The goal is to help insurers get a clearer picture of their cyber risks with an option to exclude or recognize the exposure in each portfolio.
Another development may tempt alternative capital into the silent cyber market. Verisk’s Property Claim Services is adding a cyber catastrophe component to its PCS Global Cyber loss index and estimates. The cyber cat estimates will include both affirmative and silent cyber losses of at least $250 million. That may help fuel the growth of trading in alternative solutions such as industry loss warranties, PCS says.