Abstract

The (re)insurance industry is faced with a growing risk related to the development of information technology (IT). This growth is creating an increasingly digitally interconnected world with more and more dependence being placed on IT systems to manage processes. This is generating opportunities for new insurance products and coverages to directly address the risks that companies face. However, it is also changing the risk landscape of existing classes of business within non-life insurance where there is inherent risk of loss as a result of IT events that cannot be or have not been excluded in policy wordings or are changing the risk profile of traditional risks. This risk of losses to non-cyber classes of business resulting from cyber as a peril that has not been intentionally included (often by not clearly excluding it) is defined as non-affirmative cyber risk, and the level of understanding of this issue and the cyber peril exposure from non-cyber policies varies across the market. In contract wordings, the market has remained relatively “silent” across most lines of business about potential losses resulting from IT-related events, either by not addressing the potential issue or excluding via exclusions. Some classes of business recognise the exposure by use of write-backs. Depending on the line of business, the approach will vary as to how best to turn any “silent” exposure into a known quantity either by robust exclusionary language, pricing or exposure monitoring. This paper proposes a framework to help insurance companies address the issue of non-affirmative cyber risk across their portfolios. Whilst the framework is not intended to be an all-encompassing solution to the issue, it has been developed to help those tasked with addressing the issue to be able to perform a structured analysis of the issue. Each company’s analysis will need to tailor the basis of the framework to fit their structure and underwriting procedures.
Ultimately, the framework should be used to help analysts engage with management on this issue so that the risk is understood, and any risk mitigation actions can be taken if required. In the appendix, we present a worked example to illustrate how companies could implement the framework. The example is entirely fictional, is focused on non-life specialty insurance, and is intended only to help demonstrate one possible way in which to apply the framework.

Highlights

  • 1.1 Aims and Terms of Reference: The Cyber Risk Investigation Working Party sits under the Institute’s Risk Management Research and Thought Leadership Sub-Committee, which reports into the Risk Management Board of the Institute and Faculty of Actuaries (IFoA)

  • 1.3 Background: Major cyber events continue to make international headlines on a regular, and increasingly frequent, basis. This has seen the topic of cyber security become a significant concern for company boards in recent years, moving from an emerging risk to an active risk

  • Accumulations of risk could be managed predominantly by geography but, as was demonstrated by WannaCry (Symantec, 2017a) and NotPetya (Symantec, 2017b), cyber attacks transcend geographical regions (despite NotPetya being aimed at Ukraine (Marsh, 2018)) and can cause losses across any region and/or industry


Summary

Introduction

2. Non-affirmative cyber risk, i.e. insurance policies that do not explicitly include or exclude coverage for cyber risk. In the case of affirmative cyber coverage, companies are able to manage (to an extent) the risk they are underwriting (UW) as this will have been defined within their risk appetite, intentionally covered within a policy and supported by capital. Following developments within the industry to monitor and manage affirmative cyber exposures over recent years, the insurance market’s focus has moved to address the potential of non-affirmative exposure in light of recent events and near misses. The growing awareness of non-affirmative cyber exposure is bringing the need to address the potential exposure to the forefront. This is partly due to the increased awareness of the potential materiality of losses from the events, like those shown above, as well as the increased regulatory activity in this area requiring companies to address this
