27 June 2019 | Technology
Image credits: Shutterstock, Imagin CG Images, Johan Swanepoel

Grappling with the fifth theatre of warfare

“It is only a matter of time before the Chinese or the Russians decide to take down a major energy grid or cloud server, or hit a major city or even a whole country. That is when the true fallout from cyber risk will become apparent to the industry and we will understand just how exposed we all are to this threat.”

That is how one Bermuda-based re/insurance executive describes the threat of so-called ‘silent’ cyber risk, a menace now very close to topping the list of industry concerns.

It is a big talking point in executive forums from Bermuda to London to Singapore, and it might be described as the elephant in the room—but that would imply everyone is ignoring it. The reality is that the industry can see the threat, but tackling it is not easy.

Jurgen Reinhart, Munich Re’s chief underwriter for cyber, agrees that silent cyber risks are the subject of intense discussion and the industry has a big task on its hands to identify the scale of the risk—never mind solve it.

“There is cyber exposure hidden within existing traditional policies in which cyber risks are not mentioned, or are not explicitly included or excluded, and this may therefore lead to exposure in such portfolios,” Reinhart says.

“Some policies do define cyber risks, others are silent on cyber risks. NotPetya (the destructive malware of June 2017 that posed as ransomware and downed many corporate networks) has been an eye-opener regarding silent cyber as it showed the exposure from cyber in traditional policies.

“This kind of hidden cyber exposure is in many cases neither identified nor adequately assessed.”

Mark Synnott, global cyber practice leader at Willis Re, agrees. “The biggest risk for silent cyber for insurers is not knowing how much cyber coverage they are providing from policies with non-affirmative cyber coverage, or silent cyber policies,” he says.

“This is a new emerging risk, but the policies were drafted in an era when no-one knew about this exposure. That gives this risk an opaque nature—it’s something that was never considered when the policies were drafted.”

The problem for the industry, as another executive puts it, is that the “dark consequences of a cyber attack are as varied and scary as a terrorist’s imagination”.

Imagine a shipping giant with no control over thousands of its vessels around the world; imagine a nuclear reactor or submarine losing control of its systems due to a hack; imagine large-scale key infrastructure systems such as energy or the internet being brought to a standstill; imagine one or several of the cloud servers that so many companies rely on being taken down—these are all potential scenarios.

A cyber hurricane
The phrase ‘cyber hurricane’ has now been coined to describe a loss on a scale never before seen as a result of cyber risk—but one which is increasingly considered an inevitability.

Some companies have attempted to quantify what this might look like. A report produced by AIR Worldwide and Lloyd’s, Cloud Down: Impacts on the US economy, published in January 2018, examines worst-case scenarios for a cyber loss, including incidents that disrupt businesses dependent on cloud computing.

The report starts from the fact that so many businesses are now connected to cloud services, and that a handful of providers dominate the market. It finds that a very extreme event, defined by AIR as one causing cloud downtime of five-and-a-half to 11 days, could affect up to 12.4 million businesses in the US economy alone.

Losses for an incident that takes one of the top three cloud service providers offline for three to six days would be between $5.3 billion and $19 billion, with insured losses totalling between $1.1 billion and $3.5 billion, the AIR report said.

These are the risks the industry can attempt to quantify. Some of the recent attacks have given an indication of what might be possible—but the risks could be a whole lot worse and the losses much bigger.

An awareness of the danger is clearly growing. Regulators and rating agencies are increasingly factoring the cyber threat into their thinking while investors are probing the resilience of the companies they invest in to this threat.

This does seem to have triggered a shift: companies are taking the threat seriously and making moves to mitigate the risk.

The rating agencies have indicated they are factoring silent cyber into their ratings assessment process, the implication being that re/insurers that fail to get a handle on this issue could face downgrades.

As far back as 2017, Fitch explicitly warned that non-life insurers could face action if they do not prepare for such a scenario.

“In the near term, Fitch views cyber underwriting as a risk that may exert downward pressure on some non-life insurer ratings if larger loss scenarios emerge.

“Ultimately, insurers that lack underwriting expertise, poorly manage cyber risk accumulations, or fail to recognise loss potential from silent cyber exposure within their traditional commercial insurance products are most vulnerable to ratings downgrades,” the rating agency said.

In August 2018, AM Best conducted stress tests around the potential impact of a big cyber event, concluding that a single-event cyber catastrophe would generate meaningful to significant gross losses for three of the top 20 cyber insurance providers, ranging from 15 percent to 119 percent of these companies’ estimated 2022 policyholder surplus under a stress-test scenario.

The report also noted that gross losses under the 1-in-50 and 1-in-200 scenarios do not take into consideration ceded reinsurance arrangements or companies’ silent cyber exposure—when perils are neither specifically included nor excluded—which potentially could be significant.

The rating agency suggested that under certain circumstances, “a handful of companies could lose a significant amount of surplus, which potentially could create ratings pressure or even trigger a downgrade”.

The willingness of the rating agencies to act was recently proved, albeit in a case not related to insurance, when the credit reporting agency Equifax became the first company to have its outlook revised downward explicitly because of cyber-related issues.

In the case of Equifax, the issues related to the huge data breach the company disclosed in 2017. In May this year, Moody’s changed its outlook on the company to negative from stable, explicitly citing cybersecurity as a key factor in the change.

The company had taken a large first-quarter charge for class actions and regulatory fines relating to the breach. It seems only a matter of time before a re/insurer becomes the subject of a ratings action on cyber grounds, and that case could well be more complex, turning on cyber exposure underwritten rather than a breach suffered.

Regulatory expectations
It is not just the rating agencies that are piling the pressure on re/insurers to get a handle on this risk. Regulators have also been getting in on the act.

A big part of the game-changer for regulators seems to have been the WannaCry and NotPetya attacks of 2017. WannaCry, in May, disrupted large parts of the National Health Service in the UK; NotPetya, in June, spread far beyond its initial targets in Ukraine and crippled a number of global companies.

Multinational organisations across a broad range of industries and sectors were directly affected by NotPetya, including pharmaceutical giant Merck, law firm DLA Piper, the world’s largest advertising firm WPP, and TNT Express, a division of FedEx.

A.P. Møller-Maersk, the global shipping and logistics business, estimated that NotPetya cost it between $250 million and $300 million in lost business and cleanup.

These events demonstrated the speed at which a cyber attack can spread and the catastrophic potential of silent cyber. PCS Global Cyber estimates that the insurance losses from the NotPetya attack alone have exceeded $3 billion and, importantly, attributes around 90 percent of the industry’s NotPetya loss to silent cyber.

The systemic damage shifted the conversation from data breaches, notification costs and third-party liability to first-party loss and business interruption claims.

The European Insurance and Occupational Pensions Authority was prompted to start assessing companies after these events.

In its first attempt to quantify silent cyber, it surveyed 13 re/insurers across Europe based on their expertise and cyber exposures.

It later surveyed insurers on IT governance, their own system landscape and measures to respond to cyber attacks.

In Bermuda, the Cyber Report 2018, published by the Bermuda Monetary Authority (BMA) late last year, outlines the regulator’s expectations for how companies should tackle this threat.

This followed a notice the BMA issued in February 2018 outlining some expectations of licensed entities regarding the management and reporting of cybersecurity risks and incidents.

The regulator noted that, while most re/insurers have made efforts to enhance technology risk resilience, much work remains to be done before the BMA can achieve a level of assurance that the possibility of large-scale cyber attacks and financial and reputational loss is effectively mitigated.

It outlined what was in effect a checklist of things re/insurers must focus on and improve, and stressed that this was a responsibility borne by an entire company, which should be led from the top.

Kerr Kennedy, associate partner, financial services, EY Bermuda, says that most re/insurers have taken this on board and implemented change.

“As this risk has grown in stature, sophistication and potential impact, we have seen this responsibility move—quite rightly—away from just the IT teams, to a broader and shared ownership between the business and IT,” Kennedy told sister publication Bermuda:Re+ILS.

“Nowadays we recommend, and are seeing, that ultimate responsibility for cyber has to sit with the board, as it is imperative that cyber risk is not viewed as some sort of IT risk or issue, but is in fact an entity-wide business issue.

“The board needs to set and drive the strategy for managing cyber risk in the organisation and we are seeing a continued uptick in levels of understanding and awareness of this topic.”

It is not just Bermuda’s regulator that is taking such a prescriptive approach.

The New York State Department of Financial Services, under its cybersecurity regulation (23 NYCRR Part 500, in force since 2017), requires each regulated entity to designate a chief information security officer (CISO) to oversee and implement its cybersecurity programme.

“This CISO role is becoming an increasingly vital role for organisations, and we are seeing a number of these CISOs being given a seat at the board level as well, which many security experts believe should be the case,” Kennedy explains.

Meanwhile, in the UK, the Prudential Regulation Authority (PRA) is asking re/insurers to specifically develop a silent cyber action plan by the middle of 2019. PRA will assess select firms in the second half of the year to establish whether they are meeting expectations.

The PRA will then further assess affirmative cyber risk via an exploratory stress test.

Regulators have also started to pinpoint more at-risk sectors. In January, the PRA wrote to chief executives with the findings of an assessment it had carried out, which indicated a higher risk of silent cyber in casualty, financial, motor and A&H lines, although it also noted silent exposure within property, marine, aviation and transport and several other lines.

The unknown unknowns
The problem for re/insurers is the mind-boggling complexity of the potential implications of cyber attacks, and their potential to have consequences the industry had never considered: ‘unknown unknowns’, to borrow a favourite industry phrase of recent years.

The industry is having to grasp the fact that a single incident can trigger many types of policy, ranging from business interruption to physical damage, depending on the nature of the attack.

The industry might learn something from an ongoing court case between Zurich and US food giant Mondelez, which is suing the insurer for refusing to pay a $100 million (£76 million) property claim filed after the NotPetya attack.

The company, which owns Cadbury and Oreo, says 1,700 servers and 24,000 laptops were rendered permanently unusable as the malware swept through its systems.

However, Zurich says that because the UK and US governments have publicly attributed the attack to Russian state-sponsored hackers operating in the context of Russia’s conflict with Ukraine, the damage falls under the policy’s exclusion for “hostile or warlike action” by a government, in effect an act of war, which is not covered.

The outcome of the case could have important ramifications for the industry.

Most re/insurers are already evaluating their policies with this case in mind and considering just how hard it could be to prove that a cyber attack is indeed an act of war, given the shadowy nature of such attacks and the perpetrators.

This opens yet another can of worms for re/insurers. Closely linked to cybersecurity risk is the question of data security: who holds data, and how it can be misused if it falls into the wrong hands.

This is also an area in which state-sponsored actors play a key role; the reality is that we are entering an age in which contests for power will be fought in cyberspace.

The implications for insurers will be complex, says George Thomas, a senior adviser at PwC Bermuda. He argues that long-accepted industry norms are being tested on several fronts including in the Zurich lawsuit—and the case could also have much wider implications.

“The court’s ruling, in favour of either party, may substantially shape the insurance landscape.

Understanding how insurance carriers and companies need cybersecurity cover can be informed by putting cyberspace and cybersecurity in a broader context: military history,” says Thomas.

“The history of warfare across the globe has directly shaped the political and economic fortunes of continents, nation states and cities.

Throughout most of human history, warfare has been confined to three theatres: land, sea, and air, with a fourth theatre of space evolving out of the Cold War and the development of intercontinental ballistic missiles.

“Cyberspace represents the fifth theatre of warfare, and military forces around the world have developed offensive and defensive capabilities.

Nation states have engaged in offensive cyber attacks for a variety of sharply targeted reasons, ranging from North Korea’s hacking of Sony Pictures in response to movie content to Russia’s crippling of utility grids and influencing of elections in Ukraine.

“While there is substantial circumstantial evidence and reports of attribution from credible authorities, neither North Korea nor Russia has claimed responsibility for these actions.”

The problem is potentially even more complex than that. Much has been made in recent months of the risk posed by Chinese companies having access to large swathes of data.

The Chinese telecoms giant Huawei has been hit hard by US government restrictions that bar US companies from supplying it with components and technology without a licence and, in effect, keep its networking equipment out of US networks.

The concern is that Chinese companies can be compelled to share information with the Chinese government if asked.

Indeed, a number of Chinese laws, notably the 2017 National Intelligence Law, state that organisations and citizens in China must support and cooperate with national intelligence work.

The Chinese government has insisted that this does not apply to the overseas arms of companies, which must instead comply with the laws and regulations of the countries where they operate.

But this has ramifications which are starting to reach further.

The US government has decided that the popular gay dating app Grindr represents a national security risk because of its Chinese ownership, and the US Committee on Foreign Investment has required its owner, Beijing Kunlun Tech, to divest the app.

The concern is that the personal details of US military and intelligence personnel may be on the app, making them potentially vulnerable if the data were accessed by malicious individuals or states.

Closer to the insurance sector, a related scenario unfolded after China’s Fosun International acquired Ironshore in 2015 for $1.84 billion. Officials at the Committee on Foreign Investment in the US (CFIUS), the government body that reviews deals for national security concerns, raised questions over how Fosun would operate Ironshore’s Wright & Co, which provides professional liability coverage to US government employees, including those of the Central Intelligence Agency.

That problem was solved when Starr Companies stepped in to acquire Wright & Co, but the saga delayed a planned initial public offering of Ironshore. Some 18 months later Fosun sold the business again, to Liberty Mutual Insurance for some $3 billion.

“The fact is that since the issue with Wright & Co more and more clients got nervous about the Chinese ownership,” says one source.

Act now or stay silent
Taking all these interrelated threats and devising a plan not only to avoid potential large losses but also to stay on the right side of regulators and the rating agencies is no easy task.

Reinhart at Munich Re notes that as almost every conventional non-life policy is exposed to cyber risk, the silent cyber exposure is potentially significant.

To avoid ambiguity, coverage gaps and unforeseen losses, Munich Re believes silent cyber should be turned into affirmative coverage, which means that it needs to be thoroughly assessed, properly measured and appropriately considered in the pricing.

“This can be achieved by increasing transparency on the silent cyber risks in the portfolio.

Only when we know where the cyber exposures seep into traditional books can the inherent accumulation exposure be properly managed,” he says.

“It has to be clarified which part of the cyber exposure silently covered by traditional policies and treaties should remain in the coverage but has to be adequately assessed and measured, and which part should be covered in the ‘cyber line of business’.

“This then also has to be correctly reflected in the corresponding policy and treaty wordings,” Reinhart says.

He explains that Munich Re helps clients identify these ambiguities.

“Our aim is to jointly implement a sustainable underwriting process that provides transparency to all parties and attractive coverages.

This includes thorough risk assessment, an adequate pricing approach and the consideration of accumulation aspects in order to eliminate uncertainties,” he says.

“The cyber growth potential is clear, as demand for adequate coverage as well as risk mitigation and assistance services continues to rise.

“Our approach is based on understanding risks, assessing them adequately and thus making them insurable.

This can only be done in close cooperation with experts from insurance and reinsurance, insureds and external partners, in order to develop a common understanding of how cyber risks should be dealt with.”

Synnott says it is tough for insurers to get a grip on these risks—and that there are no easy answers.

He suggests that a stop loss agreement could be one solution.

“That is because it is difficult to define the boundaries of a cyber event.

For example, while everybody has heard of the NotPetya attack, when did it start, when did it end and when do you cut the losses off?

“NotPetya was a distortion of a virus called Petya. When people caught on to Petya they created NotPetya to hack more effectively.

“When NotPetya was patched, Son of NotPetya was created, and so on. So, what is the event and what is covered? If you have losses coming out of the woodwork five or six years down the line, is that covered?

“If you do it on a stop loss basis all cyber events arising in one year get lumped together.

It’s a method of reinsurance that is viable for cyber. You don’t have to define your event.”
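As an added worked example (it is not from the article, nor from Willis Re or any other firm quoted here), the Python below computes reinsurance recoveries for one constructed year of cyber claims under a per-occurrence excess-of-loss treaty, using three defensible but different definitions of “the event”, and then under an annual aggregate stop-loss. Every loss amount, date, attachment point and limit is an assumption made up for the illustration; the point is that the per-occurrence recovery swings with the event definition while the stop-loss recovery does not.

```python
"""
Added worked example, not from the article or from Willis Re: why an annual
aggregate stop-loss sidesteps the 'what is the event?' problem that a
per-occurrence excess-of-loss treaty runs into. Every loss amount, date,
attachment point and limit below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List


@dataclass(frozen=True)
class Loss:
    day: int       # day of the treaty year on which the loss occurred
    amount: float  # ground-up loss, USD millions (constructed)
    family: str    # malware family as labelled by the claims team (constructed)


# Constructed claims for one treaty year (USD millions). The NotPetya losses
# straddle a wave of variants, so how they are grouped into 'events' is open
# to argument.
LOSSES: List[Loss] = [
    Loss(day=10,  amount=40.0,  family="Petya"),
    Loss(day=100, amount=120.0, family="NotPetya"),
    Loss(day=101, amount=90.0,  family="NotPetya"),
    Loss(day=103, amount=30.0,  family="NotPetya variant"),
    Loss(day=250, amount=20.0,  family="NotPetya variant"),
]

Grouping = Callable[[int, Loss], Hashable]


def each_loss_separately(index: int, loss: Loss) -> Hashable:
    """Narrowest reading: every claim is its own event."""
    return index


def by_family(index: int, loss: Loss) -> Hashable:
    """Each malware family label is one event."""
    return loss.family


def by_campaign(index: int, loss: Loss) -> Hashable:
    """Widest reading: the whole NotPetya lineage is one event."""
    return "NotPetya" if "NotPetya" in loss.family else loss.family


def per_occurrence_recovery(losses: List[Loss], grouping: Grouping,
                            attachment: float, limit: float) -> float:
    """Per-occurrence excess of loss: each event attaches and is capped
    separately, so the recovery depends on how claims are grouped."""
    event_totals: Dict[Hashable, float] = {}
    for index, loss in enumerate(losses):
        key = grouping(index, loss)
        event_totals[key] = event_totals.get(key, 0.0) + loss.amount
    return sum(min(limit, max(0.0, total - attachment))
               for total in event_totals.values())


def stop_loss_recovery(losses: List[Loss], attachment: float,
                       limit: float) -> float:
    """Annual aggregate stop-loss: all losses in the year are summed once,
    so no event definition is needed."""
    annual_total = sum(loss.amount for loss in losses)
    return min(limit, max(0.0, annual_total - attachment))


def compare(losses: List[Loss]) -> Dict[str, float]:
    """Recoveries under each event definition (per-occurrence treaty:
    attachment 50, limit 200) against one stop-loss (attachment 150,
    limit 200); all treaty terms are constructed figures."""
    results = {
        name: per_occurrence_recovery(losses, grouping, 50.0, 200.0)
        for name, grouping in [("each loss separately", each_loss_separately),
                               ("by malware family", by_family),
                               ("whole campaign", by_campaign)]
    }
    results["annual stop-loss"] = stop_loss_recovery(losses, 150.0, 200.0)
    return results


if __name__ == "__main__":
    for name, recovery in compare(LOSSES).items():
        print(f"{name:22s} recovers {recovery:6.1f}m")
```

Running it gives three different per-occurrence recoveries for the same five claims, depending purely on where the cedant and reinsurer draw the event boundary, and a single stop-loss figure that no boundary can move. The stop-loss terms still have to be priced for the year’s aggregate exposure, which is exactly the accumulation assessment the other interviewees call for.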

Synnott adds that there are other signs that insurers are starting to respond to recent events and be more proactive.

He notes that Allianz stated late last year that it was going to update its commercial insurance policies to clarify what cyber coverage is being included in standard lines—and therefore what requires separate coverage.

This could also be a double-edged sword for firms taking the initiative.

“The market is looking carefully at this because the received wisdom might suggest that Allianz’s competitors will see that as an opportunity to take business from Allianz,” Synnott says.

“Brokers may be minded to guide coverage to Allianz’s competitors.

Or equally, competitors could see it as an opportunity to say ‘actually it makes sense, we’ll try and do the same thing’.”

In fact, the Zurich case is unusual. In many instances, anecdotally, insurers are agreeing to pay claims even when the loss is not explicitly covered, in order to preserve the relationship with the client.

One senior executive with a specialist underwriter focused on cyber says such instances are commonplace in mainstream insurers.

“The reality is that companies are paying a lot of money to insurers.

When they have a large loss, they are not interested in attributing the exact cause of that, they just want it covered.

“If it is physical damage, they want that paid regardless of what caused that damage. You can see where they are coming from and why this is a problem for insurers,” he says.

He adds that a tension is starting to emerge between specialist players or departments within insurers specialising in cyber and mainstream players willing to pay such claims.

He says it is possible that some players will consider including cyber explicitly on some policies such as business interruption although he believes this is a mistake.

“The risk will not have been quantified, never mind priced correctly.

Where does that leave the standalone market then?” he asks.

“To put this in context, we have had several pretty bad cat years and there is already huge pressure on insurers.

To even think about covering cyber for no extra premium seems absolute madness.

“I know reinsurers are uneasy about this but the market needs to make a decision, grow up and start treating this risk with the respect it deserves.”

The unprecedented global business interruption impact of the 2017 NotPetya attack, and the magnitude of the claims insurers paid, has sharpened focus on cybersecurity and on cyber insurance.

As the internet of things (IoT) moves toward the core of digital business, connecting operational systems that were once isolated to networks exposed to attack, hazards the industry has not yet assessed or priced are likely to emerge.

Beyond security, privacy issues around the collection, storage and use of the data these devices generate are starting to come to the fore.

Add all this to a complex and testy geopolitical landscape in which cyber is the fifth theatre of warfare and insurers have a task on their hands. Whether they will “grow up” and address the problem rather than using it as a bargaining tool, however, remains to be seen.
