Interconnected and intangible risk threats, such as cyber attacks, pandemics, reputational crises and supply chain events, should be on insurers’ horizons – as correlated risk exposures, as well as new product opportunities.
Once upon a time, Donald Rumsfeld, a big beast of American defence policy, foggily mused on the risks facing his intelligence analysts, dividing a plethora of security threats looked at by Pentagon spooks into knowns and unknowns – with the haziest edge of this risk horizon stretching out to (what Rumsfeld called) the unknown unknowns.
For those White House correspondents following Rummy’s train of thought, he was referring to the most unforeseen threats, for which not just the risk frequency or severity is unknown, but the peril itself lies beyond the scope of contemporary comprehension.
Unforeseen risks are insurance’s raison d’être. But while insurance likes to consider itself the industry of risk taking, it has some luxuries compared to the scope of problems faced by Rumsfeld’s equally fallible analysts. Underwriters choose risk. They select, box up and package risks into products and opportunities. And if they’re worried about unforeseen consequences; well then, that’s what exclusion clauses, limits and T&Cs are there for.
“Emerging risks typically come from one of two directions: either a supply side aspect, excluded from underlying insurance products because they’re unknown or the underwriters aren’t comfortable taking them on; or you get the demand side when clients look at uninsured or underinsured risks within their portfolio,” says Dan Trueman, head of cyber underwriting at London market insurer and reinsurer, Novae Group.
Michael Hosking, head of risk at Marketform, a Lloyd’s managing agency, adds: “One of the roles risk teams need to adopt is to try to minimise the ‘unknowns’ by actively seeking potential risks or loss trends before they occur. There will be policies currently in force that already provide unintentional cover for the unknown risks, especially where developing technology or a changing environment is involved.”
For insurance risk watchers in 2015, there is no risk shortage to consider: escalating war in Europe; fiscal crisis; currency collapse; or chaos and terror radiating from the Middle East. Take your pick. Or look at the nexus of risks mapped within the pages of the World Economic Forum (WEF) Global Risks 2015 report, timed for its Davos get-together. The “interconnections map” of perils within that report (see charts) highlights that the risks – from water crises to bank runs – are ever closer linked.
“For any risk – so long as you can come up with a framework for understanding it and quantifying that risk, in severity and frequency, then it is possible to develop a pricing framework, and, generally speaking, create a product,” says Chris Klein, reinsurance broker Guy Carpenter’s head of strategy management for Europe, the Middle East and Africa. “In the early days, that can be expensive, because you lack the experience with which to build models and underwriting assumptions.”
It is notable that among those insurance-focused organisations crafting products around the buzz of WEF and Davos, cyber risk is prominent. It is just one of the myriad risks in the WEF report, but the outstanding emerging threat around which insurers smell opportunity. For example, Aon Risk Solutions and Willis Re both announced in February that they were developing cyber risk modelling platforms, for corporate clients and insurers’ accumulated risks, respectively.
“Cyber-crime now costs the global economy around $450bn annually and is increasingly high on the agenda for national governments and corporate boards,” said Mark Synnott, executive vice president at Willis Re, commenting for the launch of the firm’s Prism-Re cyber model. “With recent high-profile data breaches including those of Sony, Target and Home Depot, it is an area that is seeing a huge upsurge in demand. In a largely mature and static insurance market, cyber represents one of the key avenues for growth.”
Beazley has been active in providing stand-alone cyber insurance cover. In October last year the insurer handled its 1,500th case of a data breach, and the number of policyholders doubled in 2014. The bulk of claims still arise from initial physical losses – such as a lost laptop containing sensitive data – rather than malware or spyware viruses, or high profile online hacktivism.
“We’ve seen a huge amount of activity,” says Dan Hopkinson, UK cyber underwriter at Beazley. “We have recently hit 2,000 breaches, so that’s 500 breaches within four months. More people are buying the cover, so the number is only going to rise. Our product is about dealing with data breaches and we’ve handled more of that than anyone else in the market.”
In terms of who is buying the cover, the market’s origins are the US, where legislation as well as litigation trends are most developed. Healthcare, retail and consumer financial sectors have been heavily hit, with academic institutions also big buyers.
“In the US, people are buying this across all industries, big and small organisations. We’ve handled six of the ten biggest breaches out there. The laws and regulation are years ahead of those in the UK and Europe, although we have new EU legislation coming,” says Hopkinson.
“In the UK, retail and financial institutions are the ones really driving this forward. I don’t think there are any that aren’t looking at this risk seriously now. There is the public sector, too: anyone who holds large quantities of personal data, we’re seeing come forward. So we are on similar train tracks,” he says.
Pricing cyber risk is a big problem, because modelling the risk is still in its infancy. “Modelling aggregates is a key challenge with cyber risk; geographical locations and physical assets are not the only drivers at work, and uncertainty regarding contracts not yet tested by cyber losses makes this more difficult,” says Hosking. “There are modelling options starting to come online, such as Prism Re at Willis, and we expect to see more options in this area as companies try to understand the breadth of their exposure.”
While there is little historical data to call upon, Seth Berman, executive managing director at Stroz Friedberg, a consultant active within the cyber security sector, suspects that using the limited historical data will prove misleading when trying to predict the frequency or severity of future events.
“I am 100% unequivocally confident that there are new kinds of breaches that we haven’t yet seen that will come to light,” he says. “What we certainly also see is that different types of breaches tend to go in waves, because the hackers are innovative and discover a weakness for how to exploit something, and the thing they want to grab, and then they go for it.”
Whereas a company looking for fire insurance cover could expect to get insurance quotes around a similar mark for policy limits and costs, asking for a range of cyber quotes might yield much more sporadic results, with little agreement over the scale of cover needed or ratios between pay out limits and the cost of policies.
“Underwriters are taking risks and buying opportunities to learn, because the data isn’t there,” says Phil Huggins, vice president for security science at Stroz Friedberg. “You could range from 100:1 or 10:1, and are starting to cluster around 10:1 ratio, but I have yet to hear of a policy which has an upper limit of more than $300m. That is a lot of money, but there are financial services companies for whom an event of that magnitude would barely be noticed at board level.”
Emerging risk vs emerging exposures
Why does cyber risk deserve a prominent emerging risk rank, versus other large-scale perils? The WEF has identified flooding, in particular urban flooding, as the most serious natural catastrophe peril in the world. As climate change continues to show itself, and urbanisation continues in coastal cities across Asia and the Pacific, insurance exposure to that risk will certainly rise. A slow burn on the industry, it may be, for insurers and reinsurers fixated by yearly performance, but these long-term risks are well known already.
There are other man-made expanding risks, too. 2014 was unusual as a year in which man-made disasters killed as many people as natural catastrophes. There is an increasing build-up of geopolitical, economic and strategic risks, caused by crises such as Ukraine’s conflict in Europe, European sovereign debt, and risks from ISIS and Al-Qaeda within the Islamic World, and like-minded Jihadi terrorism in Western countries. None of those risks are new on the radar, and their potential for spread and escalation is reasonably well defined and understood by now.
Looking at cyber, while there have been plenty of individual cyber events already – as listed by Willis – it is the threat of barely understood interconnectivity and correlations within and between cyber risks, which suggests that the risk could spell something more dangerous – into the unknown – than just isolated insurance loss events.
“One of the risks facing the insurance industry today is the potential for a cyber-hurricane, an event which could impact multiple lines of business, geographies and industry sectors,” said Stephen Cross, chief innovation officer at Aon Risk Solutions, launching the broking firm’s “cyber value-at-risk” strategy, developed alongside the WEF. Aon noted that a great majority of firms feel vulnerable to cyber attacks “increasing in velocity and intensity”.
It is this potential for unknown correlations – interconnecting across lines or territories – that makes cyber a potentially dangerous risk for insurers and reinsurers otherwise considered well diversified, while many also actively pursue cyber opportunities.
“One of the complications is that cyber seems to add the catastrophic severity that terrorism or war insurance might face, with a level of frequency that they don’t,” says Berman. “The likelihood of any particular business falling prey to terrorism is extremely low, but the likelihood that someone gets hacked is pretty high. I don’t think there’s much else like that in the market.”
The correlations could also strike across unforeseen directions, hitting blind spots through suppliers and service providers for corporate insurance clients, creating unpredictable exposures that weren’t known to exist. Nobody can say where.
“I suspect that for cyber there is a lot more correlation of risk. There is a lot of businesses outsourcing and shared infrastructure,” says Huggins. “The internet is somewhat regional but very interconnected, so there is a risk for underwriters that as they move across multiple sectors and players, events could hit them much harder than they’d expected.”
The Sony Pictures attack in November 2014 was a hack that resulted in the release of sensitive and personal data concerning the company and its employees. Sony has since revealed that it was insured for the breach.
“Sony had previously had a massive breach, when they weren’t fully covered for it, so they went back to the market and bought a bigger limit and broader coverage after the earlier leak,” says one insurance market source.
The 2014 Sony hack also included demands from hackers not to release a comedy movie, The Interview, the story for which involved a plot to kill North Korea’s leader, Kim Jong Un, who comes in for a deal of mockery in the movie. In December, in a widening spat about freedom of speech, US government security agencies publicly blamed the attack on North Korea itself.
Accusation of state backing for cyber attacks is not new. China has repeatedly been accused by the US government of sponsoring online espionage and theft of sensitive technology, business and defence data. American and Israeli intelligence bodies have both in turn been blamed for the so-called Stuxnet virus, discovered in 2010, which reportedly crippled Iranian computer-controlled centrifuges, vital for Iran’s disputed nuclear ambitions. Russia was accused of using cyber attacks to aid its 2008 invasion of neighbouring Georgia, and was also named as a suspect in paralysing denial of service attacks against Estonia’s government and banking infrastructure in 2007.
“I was at an event recently where a speaker was debating placing cyber risk within a traditional Clausewitzian definition of warfare, which is interesting from an insurance context,” says Novae’s Trueman. “The advantage of being a cyber criminal or malicious actor is that one doesn’t have to be physically present and it is easy to hide your tracks.”
The first casualty in war is usually truth. For all the examples listed, trying to demist the fog of war to get enough evidence to attribute blame for a cyber attack – whether to a foreign government, a corporate rival, or a malicious individual – is usually impossible.
“The reality is that those kinds of attributions are very difficult to prove, in the sense of proving things in court. When you’re dealing with that kind of adversary, you can’t usually trace it back beyond suspicions. Even if you knew the location of the attacker, you especially won’t know if it was a government, or someone working on behalf of one, or a sympathetic freelancer or even somebody acting privately for their own benefit,” says Berman at Stroz Friedberg. However, who is responsible for an attack can matter from a claims perspective, because depending on who the attacker is, it may or may not be covered. “If it’s an insider or an external attack by a criminal, it probably is covered. If it was a foreign government, it very well might not be,” he says.
One insurance market source says: “There is a great deal of work going on to clarify what should be included and what shouldn’t be included, and where the onus of proof lies in those instances. We haven’t had anything traceable like that, luckily.”
According to Huggins at Stroz Friedberg, there is “considerable confusion” among insureds about what is excluded within cyber policies. “There are some things excluded by assumption rather than by statement,” he says. “In the US, D&O insurance and cyber were covering the same risks, and companies were claiming on both policies.”
Exclusions in cyber will create further uninsured risk problems, as well as some consequent opportunities. One such example is the old school marine insurance business. Klein points to the example of the International Underwriting Association (IUA) clause 380: a standardised cyber exclusion clause drafted for marine contracts.
“Cyber has rightly been identified in the marine sector that is a particular issue because of the standard IUA exclusion. That shows an increasingly acute awareness of cyber as a material risk in the marine segment. If people want cover, they are going to have to arrange it separately,” says Klein.
Stroz Friedberg is among those service firms offering technical and consultancy expertise within the space. Such expertise is in demand because, as with many similar intangible risks, responsive insurance products can only be partly based on claims payments, with considerable onus on a crisis response package to help fix the problem – hiring investigators as well as crisis PR consultants and the like. These services are increasingly bundled with specialty insurance products, for intangible risks such as cyber in particular.
“You often can’t tell at the start of a case whether a breach is covered or not covered,” says Berman. “The exclusions are written in a way that covers certain types of breaches and excludes others. The only way to figure that out is to spend a lot of money on an investigation.”
The longstanding conservatism of the insurance sector stands against embracing intangible threats where possible within traditional policies, thereby adding to the demand for standalone products.
“The risks this industry is comfortable with are 19th and 20th century risks: ships, buildings, planes; and generally tangible,” says Klein. “Generally it is quite easy to value the cost of replacing them, so you can price it.”
However, underwriting indiscipline in soft market conditions could actually result in fewer cyber exclusions in some cases, as underwriters loosen the small print of policies as part of broader pricing negotiations.
“A substantial number of policies have cyber exclusions, for example in the physical damage market,” says Trueman. “In a soft market, it will be interesting to see whether some underwriters would be willing, for example, to include cyber within business interruption policies.”
The internet is international, huge amounts of crucial data are kept online, and the interconnecting strands of globalisation are most pronounced online. This echoes other intangible risk claims experienced by the insurance market within recent memory. The Thai floods in summer 2011 created unanticipated ripples in the globalised economy, hitting logistics claims and contingent business interruption claims for superficially unrelated companies and industries across oceans and continents.
“Suddenly the supply chain is interrupted, particularly hi-tech industries, where they need a continual uninterrupted supply of components,” says Klein at Guy Carpenter. “It works so long as everything in the chain holds together. If there is a break in the chain, there is a loss of some description.”
So it probably helps to think of cyber risk as the poster child for a broader type of emerging threat: intangible risks. The internet represents perhaps the greatest expression of thinly understood complex interconnectivity, combined with vast intangible value. It is better to see cyber as just one facet of a broader intangible risk trend for insurers more comfortable with more concrete 19th and 20th century risk concepts.
“The world is changing, and these are the newer, less tangible risks. You can’t see them; you can’t touch them; you can’t quantify the values so easily. How do you quantify the value for a company’s reputation?” asks Klein. “A lot of the risks people and businesses are facing now, in particular businesses, are intangible: franchise risk; reputational risk; and business interruption risk.”
Reputational risk is a much discussed intangible risk. Its interconnectivities are difficult to define. Like contingent business interruption, it can be an unforeseen but outrageously costly consequence of other, more traditional perils.
The insurer’s response to an event when it happens can also link cyber and reputational risk elements closely together. “With cyber, because we’re insuring an intangible about an intangible, what we’ve had to do is put a lot of our analysis into the front end, and look for some physical evidence of what that process might look like,” says Trueman.
“It might be reputation, crisis management and consultancy, or bringing in forensic accountants. When they have an event, how do they talk about it; how do they put plans into place to react properly; and that’s where we’re seeing the advent and growth of reputational risk type policies,” he says.
A reputational hit resulting from an inept response by a company that has fallen victim to cyber attack might result in a far bigger exposure – and there is a lack of reliable data to quantify the exposures.
“The worst thing you can do for your organisation is to mishandle a data breach. We’ve seen examples of that in the media,” says Hopkinson at Beazley. “If you get the response correct, you can come out of it very positively, with the brand intact, and a lot of this is about brand.”
Klein at Guy Carpenter points to pandemic risk as yet another source of unpredictable intangible risk. The Ebola epidemic in West Africa which began in December 2013 provides a potentially useful example. Within an international insurance risk context, the crisis has been largely confined to a poor region of low insurance exposure. However, much like outbreaks of avian flu in the past decade, isolated cases of people facilitating the spread of disease via international air travel have led to fears that Ebola, and potential future pandemics, could spread more globally. Like contingent business interruption, it could also throw up unexpected insurance exposures.
“The Ebola crisis has been a reminder that pandemic risk remains an issue,” says Klein. “Pandemic can affect any number of things. Clearly there is mortality risk, in the life side of the business; there may be personal accident aspects to add to that; and there may be a business interruption facet to it, too.”
“Suddenly firms have large numbers of staff who are unable to come into work. So it’s one of those examples where you have to look beyond the initial aspect of people dying from the disease, to all sorts of other issues and cost implications to take into account,” adds Klein.
By David Benyon