In the Shadows

Cyber risk, clearly, is top of mind for many businesses. The Allianz Risk Barometer 2015, conducted by Allianz Global Corporate & Specialty (AGCS), shows that cyber-related risks have jumped by 37% year over year to rank fifth compared with the previous year’s eight-position jump from 2013’s ranking of 15.

The latest barometer, based on corporate and insurance industry responses from a total of 500 enterprises located in 44 different countries, places cyber risk in second place in Canada versus the overall North American ranking of fifth place, observes Terri Mason, head of professional indemnity at AGCS Canada.

Mason notes that a significant number of insurance companies are currently investing and researching specific product development pertaining to cyber attacks, and exposures they might find themselves in should a major loss occur. “Insurers definitely need to stay on top of this [development of cyber risks] growing risk,” she recommends.

Comparing the United States to Canada, Mason says she does not believe there is a lower cyber risk exposure here at home, if only due to the close proximity of the two countries. She also points out that with the U.S. being Canada’s biggest trade partner, cyber attack-related losses on either side of the border resulting from business interruption, or breakdown of supply chain, could have significant economic consequences.

Matthew Davies, director of professional, media and cyber liability at Chubb Insurance Company of Canada, says industry-wide cyber terrorism and cyber attacks continue to be a top emerging risk from a cyber security perspective. “The motivation for a cyber terrorism attack can range from political, ideological and religious reasons to financial and business competition desires.”

A recent survey of 111 insurance and reinsurance attendees of the 2014 Property Casualty Insurers Association of America Annual Meeting, conducted by reinsurance broker Guy Carpenter, projected cyber exposure/risk in terms of attacks, combined with cyber terrorism, as being the leading reinsurance risk exposure likely to emerge in 2015.

“We would not, especially in North America, call it [cyber risk] an ’emerging risk’,” says Andreas Schlayer, senior underwriter, property at reinsurer Munich Re. Cyber liability insurance is a well-established line of business, Schlayer notes, with Munich Re’s annual premium volume in the U.S. market having grown to about US$2 billion.

Overall, there are currently approximately 40 U.S. insurers who sell products covering the financial costs of a hacker attack, he reports. “One of the biggest challenges for reinsurers will be the management of aggregation exposures tied to present and new products.”

CYBER WHAT?

Determining a definition, or what form of a “cyber attack” incurred, can have significant ramifications for insurers and insureds related to coverage wordings, clauses and exclusions, note risk managers and insurance industry commentators. For instance, insurers typically exclude “acts of terrorism” from standard commercial coverages as well as stand-alone cyber policies.

“Insurers are still trying to avoid risk exposure from terrorism by implementing specific clauses/wordings in their policies. It remains to be seen how this will develop going forward,” says Mason.

But based on numerous international reports and surveys, a definition of cyber risk would likely fall into the following five categories:

• individual hackers with the intent of causing disruption and loss to organizations and public services as a way of expressing their “prowess”;

• groups of hackers working together and known as “anonymous” who look to bring about disruption and loss to a specific entity as a means of making a “social statement”;

• so-called “Jihad cyber attackers,” who mainly focus their attention on causing loss within a country’s critical public and private services (this could range from electricity outages, water services, nuclear and other power plants to capital market exchanges);

• criminal enterprises looking for financial gain; and

• professional hackers who make their skills available for a fee without personal objectives – this often involves intelligence agencies and criminal organizations (a report released by Munich Re, Cyber Risks, Challenges, Strategies and Solutions for Insurers, notes many cyber crimes/attacks are not committed by particularly tech-savvy groups, but they have bought or rented access to online tools such as malware, robo-bots, worms and viruses).

“It’s extremely difficult to determine whether a cyber-related loss is criminal, social or terrorism-driven,” says Steve Pottle, a member of the Board of Directors for RIMS, the risk management society (RIMS), and director of risk management services at York University in Toronto. “Most cyber terrorists don’t say, ‘Hey, that was me!’ Cyber attackers generally prefer to keep in the shadows,” Pottle says.

Carol Fox, director of strategic and enterprise risk practice at RIMS, concurs that there is a great deal of confusion among risk management professionals with regard to “cyber terrorism” and what impact this might have on existing liability and property coverages. “We really need to get clarity to what hacking, or a security system breach, is, as defined under different policy terms,” Fox says.

Furthermore, she points out data is regarded as intellectual property, so the potential for property- versus liability-related exposures within an enterprise are about equal. “You [risk managers] have to look at all your policies to what is covered,” she advises.

Pottle agrees, emphasizing that risk managers must look at all general policies as well as specific coverages such as directors and officers, and errors and omissions. A lot of companies assume that their general liability or property policies will cover losses caused by a cyber attack, but wake up to a nasty surprise when submitting a claim, he says.

“It’s important to evaluate an insurance policy’s exclusions, in particular the breadth of the ‘war’ exclusion. Some insurance companies may choose to define cyber terrorism coverage and modify the policy’s war exclusion with an affirmative exception for cyber terrorism,” Davies reports.

REGULATORY LANDSCAPE

With 47 U.S. states having adopted privacy and protection of data regulations, in addition to federal laws, the legal and regulatory pond has become increasingly murky – particularly for enterprises that operate globally or in multiple regions, Fox says. There is a definite need for greater clarity and standardization with regard to regulations and laws across countries pertaining to cyber breach/attack risk, she contends.

Davies says that he believes there will be further and ongoing development of regulations globally as the extent of cyber risk grows. “Without uniformity of data security and privacy requirements globally, organizations will have to navigate through various regulatory expectations carefully,” he suggests.

The Munich Re report observes that, based on the current inconsistency in international laws and regulations relating to data privacy and protection, there remains legal uncertainty for companies operating globally, despite efforts to comply with partly contradictory regulations. In fact, it states, “The basic legal conditions in the U.S. and Europe, in particular, can diverge so widely that companies are left with no other option than to decide which of the legal requirements they will violate.”

The report also points out that the differing national regulatory frameworks also affect insurers and their coverage concepts for IT risks. “Since a uniform worldwide approach is impossible, products must be individually adapted.”

Schlayer adopts a slightly different perspective to the mushrooming growth of international cyber risk regulations in that he sees opportunity for insurers to “expand their product landscape” and develop new business.

But he acknowledges that the evolving regulatory environment also introduces challenges for insurers as underwriting cyber liability insurance will become more complex.

HEALTHCARE EXPOSURE

Various cyber surveys suggest healthcare providers in the U.S. seem to be particularly attractive targets for cyber hackers. An A.M. Best report released in December notes cyber liability risk is far greater in the healthcare sector as a result of privacy laws and regulations represented by the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic Clinical Health Act.

“These laws mandate strict compliance around preventing privacy violations, and are coupled with state and federal notification regulations surrounding privacy protection. These laws not only pertain to larger hospitals and healthcare networks, but are also relevant to smaller physician groups and solo practitioners.”

Yet, despite the heightened awareness of cyber loss exposure in the healthcare sector, the Identity Theft Resource Center indicates that 51 medical/healthcare data breaches occurred during the first two months of 2014, observes Fred Eslami, author of the A.M. Best report (see graph on page 53).

Despite the heightened scrutiny of cyber exposures in the healthcare sector, the recent data breach involving U.S.-based healthcare insurer Anthem, (which was revealed in early February despite having been initiated almost a month earlier) created a furor south of the border. As of mid-February, the breach had exposed information of almost 80 million of the insurer’s customers.

Anthem notes in a statement that “these attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members, such as their names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, including income data.”

In addition to loss of reputation, the insurer faces costs that could run into millions of dollars in providing free credit monitoring and identity protection service fees, regulatory fines and, perhaps, longer-term fallout of liability class actions.

FINANCIAL SERVICES

When broken down into industry-specific responses, cyber terrorism/risk emerges as the top concern of financial service organizations (stock markets and other capital market exchanges have been cited as prime targets for cyber attackers).

In this respect, Canadian banks and financial institutions are acutely aware of the potential exposure of cyber attacks, says Craig Alexander, senior vice president and chief economist at TD Bank Group. Alexander reports the item of greatest value to a bank is its reputation.

Should a bank’s customers be unable to access their funds as a result of a cyber breach, the reputational cost would be enormous. “Canadian banks are spending a remarkable amount of money investing in technology to prevent cyber attacks – you could say this is the one area where there is no budget limit.”