Insurtech insights: the threat of cyber
Downsides to the digital age?
Our new digital age means we are all more connected and reliant on technology – be it the sensors in our homes, the phones in our pockets or the new (fintech-enhanced!) systems managing and recording the global markets. This has, undoubtedly, led to many benefits for society generally, including more accessible and user-friendly insurance products and services (as highlighted in previous Insurtech Insight briefings).
However, this greater reliance on technology means the risk of cyber-attacks continues to grow, as criminals look to monetize our dependence on digital technology, and even state actors use cyber-attacks more frequently for political or other motives. Aon’s 2019 Global Risk Management Survey ranked “Cyber attacks / data breach” as the sixth top risk or challenge that organisations are facing in today’s volatile world (and indicated that this risk is only partially insurable).
Insurtech companies have a key role to play in helping the insurance industry find a way to properly price and mitigate cyber-risk, and in assisting insureds that suffer a cyber-attack.
Why is cyber risk so difficult for the insurance industry?
As a line of business, cyber is still relatively new and the industry’s experience of it is still growing. This is for a range of reasons, including:
1. What is cyber? – there is no standard definition across the industry for what a “cyber” event is, and so how can an insurer price and manage a risk that is not fully understood (see “silent” cyber below). There is little (but increasing) claims history or data to base underwriting decisions on.
2. Pricing – the insurance industry knows how to price home or car insurance, as the policies cover a physical asset that can easily be replaced or rebuilt. The same is not true for cyber insurance – it is more difficult to quantify the monetary value of a digital asset, or the loss caused in the event a digital asset or system is compromised as a result of a cyber-event.
3. Constantly changing – the types of cyber-attacks are always changing as the world becomes more connected and the motivations for launching cyber-attacks alter – cyber is a man-made peril, so the exposure landscape is constantly evolving. It is often difficult to determine the source of any cyber-attack, adding to the complexities of understanding and guarding against cyber-attacks.
The threat of “silent” cyber
Cyber insurance has the potential to overlap with traditional insurance products sold, where cyber-events may be inadvertently (and silently) covered. For example, would your home insurance cover the loss of data suffered as a result of a cyber-attack on your smart home systems? It is unlikely the policy would have been priced for such a cyber related loss.
Until recently, general insurance policies were drafted without anticipating the digital impact of perils covered. Assessing whether silent cyber coverage exists in existing policies presents its own problems, especially in the absence of a strong body of case law to determine what is and is not covered in the event of a cyber-related loss. As long ago as November 2016 the PRA sent out a directive that advised:
“It is the PRA’s view that the potential for a significant ‘silent’ cyber insurance loss is increasing with time. As both ‘silent’ cyber insurance awareness and the frequency of cyberattacks grow, so does the potential from ‘silent’ cyber exposures. Insurance firms may find it increasingly challenging to argue that all risks or other liability policies did not intend to cover this type of risk given the publicity and awareness of the issue.”
Even if cyber-events are covered by the policy terms, given the man-made nature of cyber-attacks and the potential motivations behind them, the question can arise as to whether exclusions under the policy terms should apply. Recently, Zurich refused to pay out on a Mondelez policy that explicitly stated it covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction”. Zurich claimed an exclusion for “hostile or warlike action in time of peace or war” by a “government or sovereign power”. In effect, it argued that the losses had been suffered through a hostile action of the Russian government – an act of war.
What are Insurtech companies offering?
Insurtech companies are developing a range of services – particularly aimed at quantifying and pricing cyber risk. For example, some Insurtechs are developing their own underwriting models that incorporate a range of cyber related variables, and others are looking to help insurers assess the risk of “silent” cyber coverage in existing policy terms.
Cyber risk is an area that offers great opportunity for Insurtechs to partner with larger carriers – the more nimble (arguably more tech-savvy) smaller firms can help create a better insurance market for customers, where cyber risk can be defined, priced and mitigated with greater confidence. See our recent “Insurtech Insights: the do’s and don’ts of insurtech M&A” for considerations when entering into commercial partnerships.
What should firms do?
Given the risk of “silent” cyber, we would recommend reviewing policy terms to try to understand potential cyber-related exposure. In an ideal world, all insurers would update policy language to provide clarity of coverage. For example, should the distinction be that a policy would generally cover physical damage and bodily injury arising from a cyber-event, but if the event caused only “pure financial loss” this would require a specific cyber policy? Similar considerations apply to generally accepted policy exclusions in a cyber world, as evidenced by the Zurich example.
If an insurer is looking to provide specific cyber line coverage, it should be thinking about how best to support its customers going forward. This could be through “war games” simulating a cyber-event and how to respond in the first 24 to 48 hours, or simply ensuring the insured has sought the advice of an appropriate cyber security firm. Some of these security firms also provide data and security ratings to help insurers assess exposure and price risk, and a number of insurers have developed their own expertise in this area as part of their risk mitigation consultancy services.
We at Freshfields have a strong cyber practice, having acted on a number of cyber-related mandates ranging from large-scale data loss to FCA enforcement actions for cyber fraud, and would love to hear from you about your key concerns with regard to the threat of cyber. We can also help with planning any mitigation and/or response strategies, including the legal implications and the required notifications to regulators. Insurers need to be thinking about cyber not only as a risk for their customers but also as organisations that themselves hold and use a large amount of data and rely on technology and information systems.
We’d love to discuss with you
We’d love to discuss the insurtech space with you or your team - please do get in touch.