PHILADELPHIA – Silence is decidedly not golden when it comes to cyber risk, Scott Stransky, assistant vice president and principal scientist for AIR Worldwide, suggested to Canadian Underwriter in advance of the RIMS 2017 Annual Conference & Exhibition.
Silent cyber occurs when the risk for a cyber event impacts a non-affirmative cyber policy (an affirmative cyber policy is written specifically for cyber, with limits and terms), explained Stransky, who is presenting at the conference Tuesday.
Although not intended to cover cyber, the policy ends up being used because cyber is what caused the loss, he pointed out. Consider, for example, a directors and officers (D&O) policy being used after a director opted not to pay for installing software recommended by IT staff and the company then gets hacked, Stransky said.
“You can imagine the D&O policy having to pay out because the director knew about the issue, they were made aware of it and they decided against potentially rectifying it.”
Perhaps even “scarier,” Stransky suggested, is what he calls silent, silent cyber.
Citing the 2014 hack on the U.S. National Weather Service, he noted that some satellite imagery of weather was not available for a time.
“Had there been a hurricane – luckily there wasn’t – during the time of the hack, people may not have prepared as much, the models wouldn’t have been as accurate, there could have been extra property loss or more lives lost,” he said.
“You wouldn’t be able to associate that directly with the cyber attack because it was very, very indirect,” he suggested.
“Silent cyber and what we call silent, silent cyber are very big deals and they lead us to believe that most insurance policies today contain some exposure to cyber risk,” Stransky told CU. “If you have an insurance book of business and you don’t explicitly exclude cyber from your policies, you probably have cyber and you should probably start managing it properly. One way to manage it is to run models.”
Stransky made the comments in advance of Monday’s release of a new cyber risk application from AIR Worldwide, a Verisk Analytics business.
The Analytics of Risk from Cyber (ARC) – designed to provide underwriters and risk managers with a variety of cyber analytics – is meant as a comprehensive cyber risk modelling application for both the insurance and reinsurance markets.
AIR Worldwide reports that ARC can evaluate any commercial policy, measure and monitor aggregations of cyber risk within a portfolio, and estimate potential insured cyber losses for portfolios.
Taking aggregation into account is key, Stransky told CU. “Looking at individual risk is great and it’s a very important part of the underwriting process,” he said, but added that having one company breached or hacked is unlikely to ruin an insurer’s business.
“On the other hand, if you have a book of a thousand companies, and 600 of them all rely on the same third-party provider or service, and that service gets breached or hacked or goes down, now you’re talking about a major issue. You’re going to potentially have to pay out 600 claims at the same time,” Stransky pointed out.
If a company has a certain insurance book, it is important to know the points of aggregation and what happens if they go down, he said. “What would the financial consequences on my book be if these things were to fail?”
Specifically, policies that can be evaluated with ARC include the following:
- stand-alone cyber – policies that affirmatively cover damages resulting from cyber security incidents;
- cyber endorsements – supplemental cyber coverage added to existing commercial policies, such as D&O and errors and omissions (E&O) coverage, general liability or property; and
- silent cyber – any policy that does not explicitly include or exclude cyber.
“Insurers typically have very little information about the cyber risk characteristics of the companies they insure and, instead, rely on a crude market-share approach,” Stransky says in a company statement.
ARC takes advantage of the detailed information that AIR Worldwide “has compiled on companies to help insurers identify their sources of aggregation risk and to determine with greater certainty which of their insureds would be affected by various aggregation scenarios,” he explains.
Stransky told CU that knowing client exposures is essential. The attack that saw Dyn – which connects IP addresses with website names – go down for a few hours last October resulted in almost no insurance loss because the service was unavailable “for less time than most insurance waiting periods or deductibles,” he explained.
However, had the service been down for a full day – far longer than was the case, but still plausible – AIR Worldwide modelling has determined the estimated loss would be US$0.5 billion for the Fortune 1000 alone (1,000 largest firms in the United States).
Does an insurance company know how many clients in its book use Dyn? If the answer is no, Stransky said, “there certainly is no way for them to understand the potential financial consequences” of such an attack.
With the Amazon Web Services issue earlier this year, which “took down quite a bit of the Amazon Cloud for a couple of hours,” a full day of downtime would produce a loss estimate of about US$3 billion for the thousand largest companies south of the border.
“That’s just the Fortune 1000. So once you start branching out to all of the smaller companies, the losses will increase even more,” Stransky told CU.
“Understanding an insured’s virtual supply chain is a critical first step toward managing systemic cyber risk within a portfolio,” Laili Khudairi, underwriter for Tokio Marine Kiln, suggests in the AIR Worldwide statement.
As part of the new application, AIR Worldwide offers cyber scenarios to help estimate the financial impact of a defined event on a company or portfolio. They can be used by risk managers to implement their own view of the risk, test the sensitivity of portfolios to different event circumstances, and explore the impact of adjusting cyber policy terms.
As well, insurers can add their own specific information about a particular issue, but if that information is not available, there are data-driven and data-informed model assumptions that can populate the fields, Stransky told CU.
Industry of the company and its revenue are the only mandatory fields that need to be entered, he reported. “The more you put in, the better. The fewer assumptions you have to make, the more you know,” he suggested.
Information used for populating fields that have not been entered includes data from AIR Worldwide’s partnerships with some technology, information and risk companies, as well as government sources and several primary carriers of cyber insurance, he said.
“For a reinsurer, they may have multiple insurers’ books,” Stransky pointed out.
“So they can run all those through at the same time and see how their various insurer clients are correlated to really understand their risk as a reinsurer,” he told CU.
Noting that “cyber is probably the fastest-growing space,” Stransky said companies getting into the area are after analytics so they can better understand their risks.
“Cyber has been a bit of a Wild West, so to speak. By having models and by having analytics, it kind of gives people at least a post in the ground of where they can start to anchor their risk tolerances.”