The EU’s new General Data Protection Regulation (GDPR) is raising questions among cyber underwriters about whether the directive’s harsh penalties are insurable.
“Most law firms, when speaking off the record, will say they think GDPR fines are uninsurable,” said Lyons.
“They’re not willing to put that in writing, of course, but they are waiting for a test case,” he added.
There are still considerable “grey areas” about using insurance for GDPR fines, suggested Mark Camillo, American International Group’s (AIG) head of cyber in Europe and head of its CyberEdge product, but that across Europe it looks unlikely that penalties could be insured – particularly if criminal proceedings can be brought against those accused.
From May 2018 regulators in the EU – including the UK, which will adopt equivalent rules – will be able to impose penalties of up to €20m or 4% of a company’s worldwide annual turnover for a data breach which might arise from a cyber-attack.
Lyons suggested that Bermuda was a jurisdiction able to underwrite some cyber risk GDPR coverage, but that the territory’s cyber risk market was simply too small to cope.
“How much cyber capacity is there in Bermuda? If you’re only able to get a $50-100m limit, then that is not even going to touch the sides
GDPR is raising new compliance issues for how insurers do business, as well as their clients, noted Matthew Webb, group head of cyber at Hiscox. “GDPR puts new focus on obtaining consent for using client data for the purposes that you’re going to use that data for,” said Webb.
Systemic & silent cyber
Systemic risk for cyber business is real, stressed Andrew Coburn, senior vice president of emerging risks at Risk Management Solutions (RMS), albeit that most of the work done on it so far has been theoretical.
The cyber-attack on the Swift banking messaging systems had affected dozens of banks, Coburn noted, while the Panama Papers also demonstrated global exposure to sensitive information held by law firms being hacked and disclosed.
Systemic cyber risk is “out there”, echoed Lyons at JLT, even if recent warnings – in the form of the WannaCry virus and other attacks – had not led to systemic scale insurance losses.
“Three out of six of the
While the magnitude of re/insurance losses from recent events was far less than in the scenarios gamed by Hiscox, Webb suggested the sheer number of attacks being reported shows the threat, of more and bigger attacks to come, is growing.
Whether or not suppliers and infrastructure business is included within cyber policies would be critical in plotting a claims event that could go systemic, Lyons suggested.
Coburn noted that of those hacking attacks tracked by the US Department of Homeland Security, some 30% were directed against the US energy sector or the country’s power grid.
AIG’s Camillo noted: “It is getting very difficult to tell where the virtual world ends and the real world begins”.
Coburn said that a cyber-attack on an oil and gas facility might mean putting its security system out of order, allowing damage to its physical systems or at least causing an outage or stoppage in production while the problem was being rectified.
Product development is moving “towards addressing niche market needs” rather than what is becoming the traditional cyber market for insuring data losses, suggested Lyons.
Coburn said that the cyber insurance market still differs widely in the types and breadth of covers offered.
In a framework that risk modelling firm RMS put together, spanning some 20 coverage types and around 50 firms offering cyber covers, “no two products had the same coverage characteristics”, noted Coburn.
“There’s a very large number of products, and a number of components being evolved,” said Coburn.
“The key thing is diversification,” he continued. “Can you build a diversified book, when the clients are disproportionately drawn from the financial, technology and retail sectors?” he asked.
In response, Coburn said the product design needed to keep evolving to help the cyber book diversify properly.
Lyons cited the example of a property management firm, which had much more to fear from outages to its management systems caused by hacking than from lost or stolen data.
He also spoke out on the topic of so-called silent cyber risk, residing within traditional property and casualty insurance policies, some of which do not contain cyber exclusions, and could be used for cyber claims by insureds lacking standalone covers.
“I think what they should be doing is to exclude cyber and then write it back as standalone policies,” said Lyons.
Webb suggested that there was enough cyber risk capacity available in the market right now.
“Looking towards physical damage coverage, now that I think is more of a problem,” he added.
More capacity would be available as needed, Webb suggested, particularly in the domestic US market, as well as the excess of loss covers used internationally.
Cyber insurers have so far been able to source adequate reinsurance covers for the business they underwrite, Webb said, although reinsurers would be keeping an eye on cyber aggregation risk – for large or systemic attacks – for treaty business.
Camillo noted that the largest standalone cyber policy placed by AIG in Europe amounted to a £400m limit.
“The established cyber insurers are going to continue to get reinsurance backing,” said Webb.
“New players may struggle,” he suggested.