Cyber insurance remains a relatively immature although still-growing market in most industrialised countries.
The insurance industry has yet to encounter a truly catastrophic cyber attack – that is, an event which triggers claims across multiple policies or lines of business. According Lloyd`s Report “Shifting powers: physical cyber risk in a changing geopolitical landscape“, cybersecurity and Insurance sits at the top of the agenda for business.
Cyber has a short history, and so far there have been no stand-out loss events stemming from a single trigger.
The threat is also fast-evolving, which means that historic trends are sometimes not always useful for predicting the pattern of future shocks.
As the cyber threat has grown more tangible and impactful, risk holders have adapted to the circumstances. Demand for cover has grown, as have the number of increasingly specialist policies as the industry has responded.
Despite this, insurance penetration remains low even in industrialised countries, with the OECD estimating that the share of global cyber losses that are uninsured is likely above 70% and potentially high as 85% to 90% of all cyber losses incurred.
There are around 20 different types of cover for cyber losses currently available in the global insurance market, amounting to around $6 billion in total affirmative cover. Around 20% of this is insured at Lloyd’s.
The vast majority of cyber products provide cover for triggers such as data exfiltration, contagious malware, distributed denial of service, and financial thefts, but specifications differ from market to market. Key loss processes may also include the failure of counterparties, or of suppliers who rely on networked systems and are vulnerable to outages and software failures.
These account for roughly 90% of all business damage as a result of cyber attack, technological failure, and other malicious digital interference.
Cyber physical insurance
The vast majority of cyber losses, and thus the protection provided by most coverages, concern non-physical damage and disruption. The existing market for cyber physical insurance is small and specialised. Cover for physical asset damage may either be purchased be purchased as part of an inclusive cyber policy or considered as a ‘silent’ cyber coverage.
Lloyd’s does not support the provision of silent cyber risk and cover now needs to be purchased separately in most markets. It is now more likely that customers are not covered unless they have bought affirmative cover.
Most cyber policy specifically exclude cover for physical damage and related business interruption (BI) stemming from digital interference. In recent years, however, some insurers have developed specialty, or ‘enhanced’ coverage types for physical damage from cyber triggers, which are marketed directly to technology or manufacturing firms.
These coverages have strict limits and only apply to first parties, meaning that contingent business interruption (CBI) provisions are not made. Notably, the limits for these policies are much higher than typical cyber policies applied to non-physical impacts, reflecting insurers’ understanding that attacks on these systems are far less likely but much more severe.
In the case of a cyber physical attack on a key piece of machinery, like a hydropower turbine or a power grid transformer, there may be no protection for firms indirectly affected by disruption. There are also no specific insurance provisions for bodily injuries or deaths caused by cyber attacks.
Key considerations for insurers
Affirmative and non-affirmative cyber physical cover Cyber insurance policies are either “affirmative” – meaning they explicitly cover cyber risk and specific losses associated – or “non-affirmative”, meaning coverage is non-explicit.
Another term for non-affirmative cover, “silent cyber” refers to the ambiguous coverage for cyber attacks in pre-existing policies and is an issue of unknown exposure for insurers. It is particularly relevant in aviation, aerospace, transport, marine and property lines, where business interruption losses or physical damage resulting from digital interference may be claimed under traditional, all-risk policies. While property and contents damage insurance may not specifically exclude cyber as a trigger, the lack of specificity can leave businesses exposed in scenarios like those described.
“Silent” exposure also has the potential to aggregate significantly. Policies with no explicit exclusion, an implicit coverage grant, or where language was ambiguous could be triggered by losses.
Insurers should therefore monitor product coverages carefully across classes for relevance to the cyber-physical peril. This requires an active strategy to consider different potential cyber physical scenarios, and where the losses may fall from these. As part of this, attaining coverage clarity across traditional classes is key.
Direct premiums written in the cyber liability insurance market continued to grow in 2021-2022, seeing a 75% increase, far outpacing that of the overall property/casualty insurance industry.
Lloyd’s and Regulators are therefore aligned in their goal to insurance sustainability
Lloyd’s and global regulators are therefore aligned in their goal to safeguard the sustainability of the insurance market by requiring contract certainty for clients and driving innovation of new cyber products to fill the evolving needs of clients. In 2019, Lloyd’s issued requirements for all managing agents to review policy wordings to make clear statements of affirmed or excluded cyber cover by mid-2021.
As we look back cyber insurance marketplace, we see all the hallmarks of a hardening market, with no signs of relief as we move into 2022. We are in a place and time where difficult questions are being asked about systemic cyber risk, cyber underwriting practices and where hackers may hit next.
This process has reduced ambiguity over “silent cyber” coverages in the Lloyd’s market, limiting industry exposure and clarifying levels of cover to customers. There is therefore now an opportunity to develop bespoke insurance products for the industries and businesses most at risk from cyber physical disruption and destruction.
In 2018, the US Terrorism Reinsurance Act (TRIA) was updated to clarify that standalone cyber insurance policies classed under cyber liability codes would be considered valid “property and casualty insurance” under the stipulations of the act. In the UK, the national terrorism reinsurer, Pool Re, began to extend cover to include physical damage, direct business interruption and non- damage business interruption for policyholders from 2018 onwards – thus providing protection from acts of physically damaging cyber terrorism.
These provisions have triggered a wider conversation in global terrorism pools over how to assess and mitigate the risk from non-state cyber activity, given the scale of potential impacts from a systemic physical cyber event or a targeted attack against critical national infrastructure.
The challenge is that the triggering of a relevant clause or wording around, for example, a “cyber-terrorist” event, is highly dependent on the confident attribution of an attack. This can only rarely be determined.
In many cases, official attribution may never be made because of the geopolitical repercussions of identifying a specific state or actor as responsible for the damage.
As the cyber class matures, it is likely that the coverage in place on insurance policies will be limited by increasingly sophisticated exclusions of acts of war and systemic risk, with cover bought back separately where there is appetite. This approach is important to ensure that aggregate risks are properly understood, controlled, and priced for, and that customers are clear about what risk they will be protected for and what risk they will retain.
The insurance industry has yet to encounter a truly catastrophic cyber attack – that is, an event which triggers claims across multiple policies or lines of business. All parties really do need to plan for the realities of a cyber catastrophe before any real world examples occur. This is not just because of the impact on human lives, but also to ensure capital is in place to manage and fund the rebuilding of the infrastructure, companies and national organisations that could be damaged.
Whilst an imminent mass-scale cyberphysical attack may be unlikely, the threat is evolving very rapidly. Precedents strongly point to continual targeting of strategic industrial sectors.
Risk managers and insurers should review the ways in which industries and multinationals have been susceptible to strategic disruption or other forms of political reprisal in the past.
They can, at least in part, use this to understand their insureds’ vulnerability to sophisticated cyber disruption and damage in future.
Those states which maintain long-running tensions and competition with other states are, for instance, at far higher risk of cyber attacks affecting their critical infrastructure than those which do not. A review of the geopolitical risk landscape will help risk managers to gain clarity on possible sources of the next major cyber event to threaten national economies.
Scenarios like the ones detailed in this report provide a powerful tool for insurers and risk owners looking for data on potential cyber physical attacks and the findings of this report can be used to aid the development of bespoke qualitative and quantitatively imagined hypothetical scenarios to assess potential upper limits for massive loss events stemming from cyber attacks.
The relative increase in claims across the insurance industry by class of business under each of the scenarios described in this report is summarised in the following table. As part of a risk mitigation strategy, insurers also need to monitor the correlation potential, which could be a particular concern for portfolios with concentrations of comparable large industrial risks. Removing ambiguity over silent cyber cover, as required at Lloyd’s, can also help insurers appropriately assess and manage potential losses.
Anticipated claims impact of the three cyber physical scenarios described in this report, by class of business
Many scenarios have already been developed to help quantify the likely maximum losses for types of cyber attack. Among these, several focus directly on cyber physical attacks and their direct and indirect economic and insurance impacts. Examples of available cyber physical catastrophe scenarios are listed in the following table.
Published PML scenarios and hypothetical stress test scenarios used by the insurance industry to assess impacts and risk appetite adjustment for extreme cyber physical attacks
Cyber risk pooling
Since the mid-2010s there has been regular discussion over the necessity of establishing a commercial pool or public-private partnership in order to provide protection from cyber catastrophes that prove too costly for the insurance industry to cover. Pool schemes covering losses from acts of terrorism exist in more than twelve countries.
As the class matures, it is important that insureds, brokers, insurers, governments and regulators work together to define and understand what is covered and not covered by traditional and emerging policies. This can lead to an informed debate about whether governments choose to take proactive or preventative steps to organise a pooling mechanism. Historically however, such a debate has tended to follow a major loss rather than precede one. As cyber remains a relatively immature class with a short history, the development of new solutions is likely to be determined as much by public policy priorities as pure risk based economics.
Cyber risk hits the top spot in Risk Barometer, with a series of high-profile ransomware attacks, combined with problems caused by accelerating digitalization and remote working, pushing it up from third in 2021, when it finished behind the closely related risks of business interruption and the Covid-19 pandemic.
Product innovation opportunities
This opportunity presents itself in two major avenues for development:
1. Affirmative physical asset damage offerings
Insurers could look to create new affirmative physical asset damage cover, scalable to the size and value of each policyholder and adapted to their operational infrastructure. This kind of cover can sit alongside the provision of expert IT guidance, whilst evidence of consistent cyber security risk management practices could also be used to discount policy premiums. This type of cover is already offered to a limited market, but could be expanded and advertised further.
When assessing the feasibility of underwriting cyber physical risk in a new sector, insurers will need to consult with industrial engineers and security experts to create a technical risk assessment and suitable exposure estimate. This is necessary in order to reveal all the ways in which a particular type of system may be abused to cause damage, and also protects insurers from claim mismanagement. The exposure estimate should ultimately take into account both the vulnerability and the attractiveness of the industry or network as a target and use this to determine appropriate policy wordings and limits for new cyber policies or add-ons.
In practice: Cyber marine and affirmative physical asset cyber cover
Since the NotPetya attack led to more than $200 million in uninsured losses for shipping giant A.P. Moller-Maersk, the Lloyd’s market has developed a range of affirmative cyber solutions for the maritime industry worldwide. The new policies address a growing demand from financial indemnity stemming from cyber events, including any potential physical damage to vessels themselves. Protections of this kind can protect global supply chains in times of increased cyber risk, particularly when disruption may contribute to destructive circumstances, such as radar spoofing or ballast manipulation, as well as damage to freight or spoilage.
2. Business interruption and contingent business interruption products for losses resulting from cyber physical attacks
Clear and simple wording in business interruption (BI) and contingent business interruption (CBI) products is critical to ensuring mutual security in times of increased risk. Wording assessments for any new coverages are essential in the cyber insurance field, and coverage caps will need to be specified.
In practice: Third party BI and contingent business interruption cover from cyber physical triggers
A significant opportunity for innovation in cyber physical protections is likely to be the extension of third-party coverage from BI and CBI. As with primary party offerings, BI and CBI policies require either add-on products, or a review and revision of policy wordings to both manage the losses from a major event and provide security to policyholders that the risk is acknowledged and covered.
Without clear exclusions and affirmative cover, the industry risks silent exposure to cyber physical perils which cause power outages, transport disruption, communication outages, and other damages to business infrastructure. Where there is no specificity regarding the cause of this damage there is a risk that aggregating losses in a destructive cyber catastrophe event could be significant. Risk scenario exercises, such as those outlined in this report, can be helpful in determining the potential size of third-party losses from a major attack on a power grid or transport network.