Cyber – a new type of risk or more of the same?

by Alex Marcuson

This question occurred to me at a seminar I attended recently. The speaker was arguing that cyber was a new category of insurance, distinct from traditional property and casualty insurance classes.

On reflection, I felt unconvinced, but I thought it was worth setting out some of the arguments both ways.

Why is cyber a different type of risk?

  • The exposure is different: (i) there are both property and liability elements affected; (ii) there is cross-over: non-cyber policies are exposed to cyber risks, and cyber policies are exposed to non-cyber risks; and (iii) information assets are intangible and correspondingly harder to value.
  • Physical loss exposures can correlate without being geographically co-located. As a result, a portfolio of physical assets may not be diversified and the risk is therefore much greater.
  • The legal position for a mega-loss event may be unclear and not tested until after the event. And what will happen if it is unclear whether an event trigger was even cyber?
  • The pace of change in technology and interconnectedness is rapid. Common vulnerabilities are emerging and may be unknown until a large loss event happens.

Why is it more of the same?

  • Fundamentally, insurance is about protecting the things that you own (first party property damage) or your liability for damage caused to others (third party liability). The result of a cyber event is ultimately one or both.
  • Evolving and emerging risks are not a new challenge for insurers; nor are new aggregations (think of the 11th September 2001 attacks) or unexpected interconnectedness (e.g. the 2010 Thai Floods). On its own, this makes underwriting, pricing, reserving and managing the risk of cyber hard, but that of itself doesn’t seem to make this a new type of risk.
  • There are many aspects of cyber that mirror challenges previously faced in other complex classes of business: look at contingent business interruption for interconnectedness, product liability for date of loss definitions, or D&O for valuation of intangible assets.
  • It is undoubtedly true that losses from a common cyber cause can be very large indeed for an insurer. The challenge for underwriters is to understand which risks share common peril exposures and which provide diversification.
  • And, remember, specialist insurance markets exist because they have a genuine appetite for the new and unusual. Lloyd’s has been writing such risks for over 300 years, and cyber for over 10 years.

So what matters?

Just because cyber isn’t a new area of insurance doesn’t mean that no change is required. We think there are a few things to consider when developing an approach to cyber:

  • Think creatively about how exposures aggregate, and how you can identify and quantify them.
  • Consider loss substitution – as we get better at risk management, physical accidents, crimes and known liabilities reduce, but new forms of cyber-related accidents, crimes and liabilities are inevitably emerging.
  • Pre- and post-loss event service provision by insurers complements the pure financial offering of insurance and reinsurance products.
  • The ongoing interaction between insurance professionals and technology providers keeps cyber insurance abreast of the rapid changes.

So, I’m not yet convinced that cyber is a new class of risk that ranks with property and casualty; but its new, rapidly changing characteristics mean that we can’t be complacent and assume that our existing systems and processes will be sufficient.