Cyber coverage narrows as insurers look to limit cat exposures

Cyber insurers are increasingly applying coverage restrictions in a bid to reduce their exposure to catastrophic and systemic risks but there is a lack of consensus on how this is best achieved, experts have told Commercial Risk.

But the comments were made as cyber insurer Coalition rolled out an aggregate risk model that it says undermines “ill- and uninformed” arguments that large and systemic cyberattacks are uninsurable.

From April, cyber insurers in the Lloyd’s market will be required to exclude losses arising from state-sponsored cyberattacks. The move is part of a wider trend for cyber insurers to limit coverage for risks that could generate systemic or large aggregate losses, such as a cloud outage or a self-propagating virus.

According to Jean Bayon de La Tour, head of Cyber in Europe at Marsh, there is a growing concern in the insurance industry that the “pervasive digitisation and hyper-connectivity of the digital age” greatly increases the likelihood of a catastrophic cyber event. “Such an event could have a global economic impact, potentially overwhelming the cyber insurance marketplace, individual insurers and perhaps even entire insurance markets,” he told Commercial Risk.

“No such event has ever occurred and the probability, or even feasibility, of such a catastrophe is unknown and may be unprovable. Insurers, however, are both challenging themselves and are in turn being challenged by their regulators, shareholders and other stakeholders to demonstrate clarity and competency in their management of this potential catastrophic risk,” added Bayon de La Tour.

While some insurers are managing these concerns with internal tools like risk modelling and underwriting controls, others have introduced new policy wordings and strategies to address their perceived exposure to potential catastrophic cyber loss, he continued.

“Greater clarity around what systemic risks an insurer wants to solve, and how, is important. Taking a blanket approach via broad exclusionary language should not be the first path of pursuit. We have seen that a focus on underwriting, which results in a rising tide of insurability and lifts all boats, does not only have an impact on attritional losses, it also helps reduce the potential of a large accumulation event as well,” he said.

Insurers are typically looking to limit systemic and aggregated cyber losses in one of two ways, both in terms of scale of loss or type of peril, explained Julian Miller, partner at law firm DACB. Lloyd’s, for example, has taken a peril approach, such as with the state-backed cyber exclusion. Chubb, on the other hand, has chosen to constrain cover to systemic or aggregated losses through policy limits and retentions, although it explicitly excludes cyber war.

“There is a divergence in the market when it comes to systemic and aggregate cyber exposures. There is no single answer to this, and I think the market will struggle with this issue for some time to come,” said Miller.

He believes cyber insurers’ moves to limit exposure to potentially ruinous losses are justified. “The market is introducing new restrictions on cover, but then it does have to deal with systemic risks one way or another. It cannot write systemic risks on an unlimited basis. So there does need to be a sensible debate on how to constrain exposure to systemic risks. There is no one-size-fits-all solution to this but there is considerable scope for innovation,” he continued.

Following the silent cyber project at Lloyd’s, the main area of focus for cyber exclusions is state-sponsored cyberattacks, explained Miller. The Lloyd’s Market Association has played a prominent role in devising market clauses to constrain exposure, which have recently been updated to take account of feedback from syndicates and brokers, he said.

“Lloyd’s has signalled a willingness to consider a range of approaches to this issue and a number of carriers are investing in innovative solutions. This should be welcomed across the market as there is a common interest in making this work for insureds and insurers alike,” Miller said.

There have been concerns in the London market that Lloyd’s risks missing out on cyber business due to its stance on state-backed cyberattacks. However, Lloyd’s must act to protect the market’s capital and address regulatory concerns over systemic and aggregated risks, said Miller.

“In the medium to long term, it is exactly right to constrain exposure to state-backed cyberattacks. One way or another these exposures must be limited because insurers are not in a position to underwrite a state-backed cyber campaign that could disrupt financial systems around the world. There is a lot at stake. Cyber is one of the biggest, if not the most, rapidly growing book of business. A great new opportunity for insurers. But it cannot be written on a free-for-all basis,” Miller said.

The debate around catastrophic or aggregate exposures in the cyber market has centred on state-backed cyberattacks, however insurers have also introduced infrastructure exclusions that seek to limit exposure to disruption or outages of internet or cloud services. When addressing such exposures insurers face a delicate balancing act, limiting exposure to aggregate losses on the one hand, yet providing meaningful risk transfer on the other, explained Miller.

“From an insured’s perspective, [an infrastructure outage] is exactly the time they need protection. These are the incidents that disrupt an insureds business, and insurers are writing them out. So I do have sympathy with that position, which is why the debate needs to be had sensitively and take into account the needs of insureds,” Miller said.

In addition to coverage restrictions, reinsurance and capital markets will need to be part of the solution for systemic and aggregate losses, according to Miller. Earlier this year, Hannover Re and Beazley both tapped insurance-linked securities markets to buy cyber catastrophe reinsurance and retro protection.

State-backed or market-based solutions may also be required for the most challenging cyber risks to ensure a balance is maintained between meaningful risk transfer for policyholders and protecting insurers’ solvency, he explained. Last year Pool Re CEO Tom Clementi told Commercial Risk that the UK’s terrorism pool aims to tackle the protection gap for systemic risks, such as cyber. Pool Re has since held talks with government to extend the terrorism backstop’s remit to cover state-sponsored and war-related cyberattacks.

In a recent commentary, AM Best said that insurers and reinsurers are starting to incorporate catastrophe loads into pricing models. Like the property insurance market, cyber insurers are increasingly differentiating between attritional and catastrophe losses.

“Given the apprehension around the severity of a large systemic loss, insurers are looking to limit their individual risks,” said Sridhar Manyem, senior director of industry research and analytics at AM Best. “However, another aspect of risk management is through reinsurance, whereby insurers could have a quota share and reinsurers share losses proportionally with insurers, and insurers would have excess of loss reinsurance to try to prevent their cyber book running away with an extraordinary loss ratio that could erode significant part of their earnings or capital,” he said.


Back to top button