Cyber – a new type of risk or more of the same?
by Alex Marcuson
This question occurred to me at a seminar I attended recently. The speaker was arguing that cyber was a new category of insurance, distinct from traditional property and casualty insurance classes.
On reflection, I felt unconvinced, but I thought it was worth setting out some of the arguments both ways.
Why is cyber a different type of risk?
- The exposure is different: (i) there are both property and liability elements affected; (ii) there is cross-over: non-cyber policies are exposed to cyber risks, and cyber policies are exposed to non-cyber risks; and (iii) information assets are intangible and correspondingly harder to value.
- Physical loss exposures can correlate without being geographically co-located. As a result, a portfolio of physical assets may not be diversified and the risk therefore much greater.
- The legal position for a mega-loss event may be unclear and not tested until after the event. And what will happen if it is unclear whether an event-trigger was even cyber?
- The pace of change in technology and interconnectedness is rapid. Common vulnerabilities are emerging and may be unknown until a large loss event happens.
Why is it more of the same?
- Fundamentally, insurance is about protecting the things that you own (first party property damage) or your liability for damage caused to others (third party liability). The result of a cyber event is ultimately one or both.
- Evolving and emerging risks are not a new challenge for insurers; nor are new aggregations (think of the 11th September 2001 attacks) or unexpected interconnectedness (e.g. the 2010 Thai floods). On its own, this makes underwriting, pricing, reserving and managing the risk of cyber hard, but that of itself doesn’t seem to make this a new type of risk.
- There are many aspects of cyber that mirror challenges previously faced in other complex classes of business: look at contingent business interruption for interconnectedness, product liability for date of loss definitions, or D&O for valuation of intangible assets.
- It is undoubtedly true that losses from a common cyber cause can be very large indeed for an insurer. The challenge for underwriters is to understand which risks share common peril exposures and which provide diversification.
- And, remember, specialist insurance markets exist because they have a genuine appetite for the new and unusual. Lloyd’s has been writing such risks for over 300 years, and cyber for over 10 years.
So what matters?
Just because cyber isn’t a new area of insurance doesn’t mean that no change is required. We think there are a few things to consider when developing an approach to cyber:
- Think creatively about how exposures aggregate, and how you can identify and quantify them.
- Consider loss substitution – as we get better at risk management, physical accidents, crimes and known liabilities reduce, but new forms of cyber-related accidents, crimes and liabilities are inevitably emerging.
- Pre- and post-loss-event service provision by insurers complements the pure financial offering of insurance and reinsurance products.
- The ongoing interaction between insurance professionals and technology providers keeps cyber insurance abreast of the rapid changes.
So, I’m not yet convinced that cyber is a new class of risk that ranks with property and casualty; but its new, rapidly changing characteristics mean that we can’t be complacent and assume that our existing systems and processes will be sufficient.