Run Time: 30:31
EP. 30: Insurers Grapple With Uncertainty Around Catastrophic Cyber Risk
(+8 rating, 4 votes)
Loading...5032 views
Much uncertainty exists around catastrophic cyber threats, and for an industry so focused on analyzing risk, that’s a big challenge, experts say.
Some of the recent cyber attacks on supply chains and critical infrastructure may have insurers wondering if the threat of a catastrophic cyber event is closer than they think. But Michael Kessler, vice president of Chubb Group and division president of Chubb’s global cyber risk practice, said on this episode of The Insuring Cyber Podcast that catastrophic cyber threats are notoriously hard to predict.
“Catastrophic cyber risk is particularly hard to predict for a couple of reasons,” he said. “One is that cyber incidents, particularly malicious ones, involve human actors with different motivations and capabilities. So it's inherently more difficult to predict the frequency or severity of a catastrophic event compared to, say, a windstorm.”
Another reason he cited is that systemic cyber incidents aren't bound by geography or time.
“There's no warning of an impending event, and you're never certain that an event is over,” he said. “Incidentally, this aspect makes diversifying catastrophic cyber risk much more difficult compared to the other P&C lines.”
A large-scale cyber event that causes severe loss, injury or property damage could be considered a cyber catastrophe. Kessler said a cloud provider of critical software being down for an extended period of time due to a cyber incident, or a commonly used software that becomes an access vector for bad actors to deploy malware into victims’ networks, are both examples of this.
“Either of those scenarios has catastrophic loss potential,” he said.
However, ambiguity around understanding catastrophic cyber incidents remains part of the problem for insurers, said Darren Pain, insurance industry thinktank the Geneva Association’s director of cyber and evolving liability, later in the episode.
“Insuring cyber exposure is challenging due to two key reasons, really,” he said. “One is the risk of accumulation … The second one is to do with the terminological ambiguity surrounding cyber policy wording, especially in the context of war and terrorism.”
The Geneva Association and the International Forum of Terrorism Risk ReInsurance Pools recently collaborated on a series of three reports exploring the insurance industry’s ability to underwrite cyber risks. The reports aimed to define cyber crimes, cyber terror, hostile cyber activity, and cyber war in order to tackle the issue of ambiguity in policy wording and when discussing cyber incidents. Pain said tighter policy language can help insurers overcome two key uncertainties at the core of deciding the scope and validity of providing insurance for cyber events.
“The first one is attribution, determining who is responsible for an incident,” he said. “And the second key uncertainty has to do with characterization. Whether the cyber incident itself can be linked to a hostile or war-like activity, or if it reflects other aims, such as obtaining financial gain through criminal activity or is linked to industrial political espionage.”
With this in mind, The Geneva Association promoted the use of the term hostile cyber activity to differentiate attacks that are beyond the scope of cyber terrorism but fall short of outright cyber war, he said.
“The ambition with utilizing this terminology is that hopefully such policy language would enable insurers to better delineate acts of war from other state sponsored attacks and other malicious cyber incidents like cyber terrorism, or cyber crime for that matter,” he said. “And ultimately, that can assist insurers to track the types of events that have occurred, establish better, meaningful cover, assess the scale and likely occurrence of those events, and fundamentally improve the products they offer.”
However, tighter policy language still doesn’t address the problem of quantifying catastrophic cyber risk.
“Even with better language, you still have this problem that you are not going to be able to really quantify the risk,” he said. “And in particular, the potential for large accumulated loss remains a particularly serious challenge.”
Kessler said borrowing from property insurers’ playbooks could be one solution.
“You don't have the same ability to diversify systemic cyber risks that you do with property, so a different approach is needed,” he said. “That approach, coincidentally, is to take a page from the property insurance playbook.”
He said this means providing broad coverage for events that impact a relatively small number of firms, and then providing coverage for widespread events with a separate set of terms specific to those systemic exposures. The widespread event coverage would be transparently underwritten, priced and monitored separately, similar to the way property insurance covers floods and earthquakes.
“This approach is familiar to buyers, scalable to small, medium, and large clients, and could be set up to benefit practically everyone,” he said. “Businesses get more certainty of coverage for catastrophic cyber events and a more stable insurance industry that will still be there to pay its claims when an event inevitably occurs.”
In addition, he said clients will be able to focus on the broader value proposition from insurers, including services, rather than getting lost in confusing nuances in coverage exclusions related to catastrophic events.
While Pain and Kessler said tightening policy language and adapting approaches to coverage are two ways insurers can get a better handle on the uncertainty surrounding catastrophic cyber risk, that still doesn’t answer the big question: What is the potential that a catastrophic cyber incident will actually occur?
“I would argue the potential for a truly catastrophic cyber incident has always been there,” Pain said. “The recent attacks and the underlying conditions that have fomented them speak to an increased threat, I'll put it that way, of a system wide disruption that previously might have either been ignored or downplayed. And I don't think we can do that anymore.”
Check out the rest of the episode to see what else Kessler and Pain had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.
