Significant cyber events such as the NotPetya malware attack and the Equifax data breach grabbed international headlines in 2017 and put the spotlight on cybersecurity. Just months before, Willis Re conducted its first insurance industry survey studying the perceived dangers of silent cyber risk or, in other words, coverage under policies not specifically designed to cover cyber. For insurers, the resultant claims and losses in lines as diverse as property, marine, and directors and officers (D&O) liability have left their mark.
Significant increases in the level of expected cyber-related losses were evident in the 2018 Silent Cyber Risk Outlook global survey. Over 60% of respondents said they will likely incur more than one cyber-related loss for every 100 non-cyber covered losses over the next 12 months in all lines of business except workers compensation — compared with less than 50% who envisioned this in any line of the classes of business surveyed in 2017.
Variations by industry
The indiscriminate nature and reach of cyberattacks such as WannaCry have caused respondents to our survey to re-evaluate potential liability in different industries. In 2017, a majority of respondents rated only two of the nine industry groups included in the survey as having a silent cyber risk factor of greater than 1.01 for Property coverage, while none of the industries met this threshold in Other Liability. In 2018, a majority of respondents attached at least that level of risk to all industries in both lines of business.
Furthermore, the largest number of respondents now see Other Liability posing the biggest silent cyber risk (greater than 1.10) in two industries: hospitals/medical facilities/life sciences and financial services. Over a third of respondents believe the silent cyber risk factor in medical fields is 1.10 or greater, a sharp increase from 19% in 2017. Meanwhile, the perceived threats associated with critical infrastructure have meant that the information technology (IT)/utilities/telecom sector continues to be seen as the biggest risk for silent cyber under property coverages, with 42% judging the risk factor as 1.10 or higher.
Industry-based risk perceptions in two new lines of business added in 2018 — Errors and Omissions (E&O) and D&O — were almost universally high: Over 30% of respondents assigned an overall silent cyber risk factor of over 1.10 for both. Forty-four percent of respondents viewed the financial services risk factor for D&O as 1.10 or greater. In E&O, perceived exposure was even higher. Financial services led the way with 47%, with commercial and professional services joining IT/utilities/telecom and hospitals/medical facilities/life sciences at around the 40% mark.
A new normal for cyber events
Recent experience has clearly left many more insurers on their guard, and most don’t expect any letup in larger incidents that could test their silent cyber readiness. Between 60% and 70% expect events similar to recent headline losses to occur at least once every five years.
According to other research conducted by the Economist Intelligence Unit and sponsored by Willis Towers Watson, a third of the companies surveyed had experienced a serious cyber incident — one that had disrupted operations, impaired financials and damaged reputations — in the past year. And significantly, most placed high odds on another one occurring within a year.
Many insurers are wary of the correlation among business lines that can be caused by large cyber events. Indeed, it seems quite possible that because of this correlation, a large cyber event could present a broader threat to insurers than, say, a natural catastrophe, which has a limited impact on liability policies. Insurers expect E&O and D&O to have the most significant correlations. Based on survey responses, there’s the potential for an extreme cyber event to result in a simultaneous increase in claim frequency of up to 40%.
How to manage this new normal
The EIU/Willis Towers Watson study found that only 13% of companies rated themselves as good at applying lessons from past security incidents. Linked to this, most of the senior executives questioned also felt they still had a long way to go in filling cyber-talent gaps and in creating a cyber-savvy workforce. As supported by our own analysis, the biggest threat to most companies’ cybersecurity remains their own employees, who can fall prey to lapses such as opening phishing emails.
What can be done to manage the longer-term threat of silent cyber risks that this new normal brings?
First, insureds can buy appropriate cyber insurance and take preventive action to bolster their cyber resilience and minimise the vulnerability to, and impact of, breaches or malicious attacks on their businesses. Another step is to clarify policy language that was often written in the pre-digital era and is ill-suited to address many of today’s cyber-related risks. A third strategy for insurers is to assess the downside risk posed by silent cyber and create transfer facilities to manage the excess risk.
As the industry’s experience of the sources and causes of cyber risk further develops, we can expect more action and initiatives from all dimensions.