[BreachExchange] Physical damage element of cyber re/insurance needs clarity

[Audrey McNeil]

http://www.artemis.bm/blog/2016/05/23/physical-damage-element-of-cyber-reinsurance-needs-clarity/

The growing threat of cyber terror events across the world has seen a
concerted effort from governments and risk transfer counterparties to
provide solutions. Among the challenges is the added complexity of physical
damage from cyber terror events, according to industry experts.

The increased interconnectedness of the world today has resulted in a
substantial rise of cyber attacks in recent years and, with terror attacks
across many parts of the world intensifying also, the threat of cyber
terror events is a growing reality.

Coverage for cyber attacks is in its infancy, but insurance, reinsurance,
insurance-linked securities (ILS) players, and risk modellers are making a
concerted effort to innovate and provide adequate solutions.

However, the far-reaching impact of cyber events and further complexities
mean modelling and historical data is limited, and the general view among
the market is that the risk needs to be better understood so that the cyber
risk market can flourish.

One such complexity concerns the issue of physical damage as a result of a
terror event, as underlined by Luca Albertini, the Chief Executive Officer
(CEO) of insurance-linked investments specialists Leadenhall Capital
Partners.

“The biggest question for terrorism and cyber will be on of definition.
Let’s say a hacker opens the floodgates in the Netherlands causing
widespread destruction. So the damage is property and life, the motivation
is terrorism and the conduit is cyber. Which policy pays out?” said
Albertini.

The limited data and modelling capacity of cyber terror events means that
insurance and reinsurance providers are reluctant to offer large limits,
and as highlighted by Albertini uncertainty surrounding which policy pays
out under different scenarios is likely hindering growth and progression.

Cyber Underwriter and Beazley employee, Jimaan Sane, agreed that the cyber
attack threat “is very real,” adding that as technology evolves in areas
such as medicine, where equipment can be controlled remotely, the risks
become ever more real and possible.

“As all these things become easier to do, and the level of sophistication
of these attacks increases, you are going to have cyber events that either
lead to damage of property or to bodily injury. Some people have tried to
predict or model this or look at other events which happen at some
frequency with some severity, such as hurricanes,” said Sane.

The potential damages and vast reach of a cyber terror event will grow as
technology develops and, unlike natural disasters that repeat the same
thing over and over, hackers are intellectual and have the ability to learn
new systems, explained Sane.

This means cyber catastrophe events are likely to present unique
difficulties for insurance and reinsurance capacity providers and each
claim could be very different, depending on systems, or assets, involved
and the level of security in place.

So far few cyber events have resulted in physical damage, but the
expectation among these industry experts in a recent report on ILS and
cyber from BNY Mellon, is that this is a growing threat, and a rising
concern among governments and the risk transfer landscape.

Head of Cyber at AIG, Mark Camillo, commented on the physical damage aspect
of a cyber terror event, citing the incidents at a German steel mill and
Ukraine power grid in recent times.

“I vividly recall first having a discussion with an energy company that was
concerned about this a few years ago. For the property risk, underwriters
were sending out engineers to inspect the pipeline but there was not one
single question being asked about cyber risk.

“The concern was that there would be some sort of cyber event causing
physical damage and then a lack of clarity over whether that would be
picked up by an insurance policy. The real purpose of introducing the
CyberEdge policy two years ago was really to have that frank conversation.
So that for those companies that wanted to make sure they had coverage in
the event of bodily injury or property damage arising from a cyber event,
they had an option,” said Camillo.

However, despite the solution being available for roughly two years,
Camillo notes that interest has been pretty low, as most are seeking
protection for the intangible loss, data loss etc., rather than the
physical or bodily damage.

Products such as this are certainly a step in the right direction and could
help raise awareness of the growing threat of physical damage, but the
enormity of the task is sure to take a concerted effort from governments,
insurers, reinsurers, and the ILS market.

Physical damage from cyber attack, to control systems, discrete
electronically controlled parts of industrial and manufacturing complexes
and in industries such as power or energy, are seen as key opportunities
for the specialty insurance and reinsurance market, and are also seen as
attractive by some ILS fund managers.

Discrete systems can perhaps be better understood and the risks associated
with breach or penetration better modelled, with many now suggesting that a
parametric trigger approach may be appropriate for these types of coverages.

However, the claims process is where confusion could reign and clarity is
required, as defining what caused the physical damage or where a breach
emanated from, and answering questions such as how long a system had been
vulnerable for, all add uncertainty into the mix.

And uncertainty, when it comes to insurance or reinsurance contract claims,
can lead to disputes. This is making some capacity providers reluctant to
dive headlong into the world of cyber risk at this time.

Understanding the damages that can come from a cyber terror is challenging,
but in time, and unfortunately likely assisted by lessons learned from
future events, risk modeling and data will improve enabling new products to
become available.

And as advances are made in understanding, modelling and measuring cyber
risks, including for physical damage, the ability to increase clarity
around claims and where the responsibility should lie for payouts will get
easier.

However, it’s important to note that cyber risk will never be an easy line
of business to enter as an insurance or reinsurance market, as technology
is moving forwards so fast, threat profiles are changing rapidly and
understanding the true extent of the risk will always be a significant
challenge.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160523/0fad32c3/attachment.html>