Canadian Underwriter
News

Insurers increasingly concerned about “silent cyber” exposure: Willis Re poll


September 12, 2017   by Canadian Underwriter


Print this page

About half of polled insurance industry practitioners see the risk of “silent cyber” exposure – potential cyber-related losses due to silent coverage from insurance policies not specifically designed to cover cyber risk – as growing over the coming year, according to a recent survey from Willis Re.

The Silent cyber risk outlook poll consisted of a sample of nearly 750 participants: “leaders and experts at more than 70 insurance companies and groups around the world as well as within Willis Towers Watson,” the report noted. The focus for the survey was four insurance lines of business: first-party property, third-party auto liability, third-party other liability and workers compensation.

Examples of silent cyber exposure could include a cyberattack on an industrial plant’s control system that causes a boiler explosion, leading to extensive property damage and business interruption, or malware causing an elevator to fail, resulting in multiple casualties. “While a policy pay-out will depend on the specifics of individual wordings and occurrences, such examples illustrate how silent cyber events can push up loss ratios on policies not specifically mentioned to cover cyber risk,” the release said.

For the survey, respondents were asked to assess the extent to which, over the next 12 months, the cyber aspect of exposure would increase the likelihood of a covered loss, Willis Re explained in a press release from Sept. 10. About half of respondents felt that the risk of a silent cyber loss from property or other liability was greater than 1 in 100, while close to a quarter considered the risk to be greater than 1 in 10, illustrating the degree of uncertainty surrounding potential exposure.

By line of business, for both auto liability and workers compensation policies, more than 75% estimated the risk factor as 1.01 or less (one cyber-related loss for every 100 non-cyber-related losses). “For the auto liability line, this may reflect a sense that accidents linked to vulnerability in technology would become product liability losses,” the report said. “The reason for such a low level of perceived vulnerability for workers compensation is less clear.”

By industry group, auto liability and workers comp showed “little variation in estimated risk across industries – probably because the risk was perceived as low overall,” the report said. However, there were significant industry differences for property and other liability policies. The Construction/Engineering and Industrial/Manufacturing/Natural Resources industry groupings were seen as relatively low risk for other liability losses, perhaps reflecting that these industries accumulate less personal information from members of the public and so are less exposed to data breach liability, the report suggested, adding that “it might be that there is a perception that the silent cyber risk is linked to the data breach risk.”

Industry grouping that consistently handle consumer information – Hospitals/Medical Facilities/Life Sciences; IT/Utilities/Telecom; and Financial Services – were seen as higher risk. And “despite several large data breaches in recent years, the Retail/Hospitality industry group was seen as lower risk,” the report noted.

“Buyers of insurance have to consider the exposure that they have in relation to the rising prominence of cyber-related incidents,” Anthony Dagostino, head of global cyber risk at Willis Towers Watson, said in the release. “The results of the survey have reinforced the need for a holistic cyber risk insurance strategy and tailored insurance policies to address the risk adequately.”

Willis Re reported that over the coming months, it will be calibrating survey results for practical deployment in the measurement, management and mitigation of silent cyber risk. The company also plans to extend the reach and scope of the survey with a follow-up in early 2018.

“The survey was conducted before the WannaCry and NotPetya attacks, and it will be interesting to see how assessments have changed in light of these and other recent events,” the report concluded.