The Cost of Silent Cyber and the Insurance digital lacuna

Damaged reputation. Financial loss. Punitive capital adequacy provision. Silent cyber is one of the biggest issues facing the insurance industry. Yet despite the Prudential Regulatory Authority’s (PRA) demands robust action plans, few firms have put in place the document digitisation required to truly understand the level of risk. 

Further, it is somewhat ironic that an industry predicated on pricing risk is failing to assess and understand this risk that exists today in its back catalogue. From determining the current silent cyber position to identifying policy wording changes and analysing the legacy book, it is important to highlight the need to digitise policy documents.

Non Affirmative Loss

“Silent Cyber” is the term given to cyber-related losses that may/or may not fall under traditional property and liability policies that were not designed for that purpose.

The concerns of silent cyber first came to the fore in 2017, though the shock waves created by the Mondelez International/Zurich American Insurance case continue to reverberate around the market and show how nascent the insurance industry is in truly addressing the risk posed by silent cyber. 

In an industry predicated on a strong reputation, the decision initially by Zurich to reject a claim from a client whose business had been devastated by the NotPetya cyber-attack in 2017 - a destructive attack that masqueraded as ransomware - made headlines around the world – not least for citing exclusion for ‘hostile or warlike action in time of peace or war’ by a ’government or sovereign power’. 

The case between the two was complex because Mondelez had not taken out an explicit cyber insurance policy but a property policy that it argued covered cyberattacks. The insurer had initially refused to cover the damage to Mondelez, which in court documents attested it lost more than 1,700 servers and 24,000 laptops to the malware.  The final settlement has not been disclosed. However, NotPetya has left the whole market feeling the war exclusions included in most policies were not fit for purpose. 

Lloyds of London's reaction 

Lloyds of London recently led an effort to revamp these exclusions and find some kind of solution that balanced the needs of the customers and the insurance market. Lloyd’s of London has introduced cyber insurance exclusions to coverage for “catastrophic” state-backed attacks from 2023. In a market bulletin published on August 16, 2022, Lloyd’s stated that whilst it “remains strongly supportive of the writing of cyberattack cover” it recognises that “cyber-related business continues to be an evolving risk.” 

Therefore, the company will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack per several requirements. Those exclusions involving “state-backed cyberattacks” must be as of March 31, 2023:

1. Exclude losses arising from a war (whether declared or not), where the policy does not have a separate war exclusion;
2. (Subject to 3) exclude losses arising from state-backed cyberattacks that

• significantly impair the ability of a state to function or

• that significantly impair the security capabilities of a state;

1. Be clear as to whether cover excludes computer systems that are located outside any state which is affected in the manner outlined in 2(a) & (b) above, by the state-backed cyberattack;
2. Set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states;
3. Ensure all key terms are clearly defined.

NotPetya highlighted the risks that a catastrophic cyberattack could pose for the insurance industry, which could find itself without the capital to support claims. Yet as the cost of such attacks is being counted, for NotPetya $10 billion in global damages, the impact of silent cyber on the industry as a whole is becoming painfully apparent. PCS Global Cyber has recently attributed 90% of the insurance industry’s losses relating to the NotPetya cyberattack to non-affirmative (silent) cyber, and the rest to affirmative losses. 

Certainly, the PRA believes the UK insurance industry can do more to ensure the effective management of affirmative and non-affirmative cyber risk exposures. It has ordered firms to develop an action plan, with clear milestones and dates by which action will be taken. Cyberattacks are on the rise. Whilst modern technology presents many conveniences and benefits, some people misuse it which poses a threat to businesses and data privacy globally.

When data breaches happen, they can have a far-reaching impact not just on the company. It goes beyond the target, affecting customers, suppliers, and more. Experts believe the true cost of cybercrime will reach around $10.5 trillion by 2025.

Divergent Attitudes

Despite the cost to the industry, there remains a concerning lack of consistency in terms of risk awareness and planning, as well as risk appetite and understanding. PRA surveys reveal significant divergence in firms’ views of the potential exposure to silent cyber. Within Marine, Aviation, and Transport (MAT), Property, and Miscellaneous lines, exposure was rated at anywhere between zero and the full limits.

With PCS Global Cyber believing the cost to the industry of NotPetya-associated claims has now exceeded $10 billion, there is an ever greater focus on insurance companies’ cyber stress tests. Fears that gross losses could run into the multiples of annual cyber premiums are very real. However, to date such exercises are based on minimal fact: firms lack robust or reliable claims data relating to silent cyber. 

As a result, models are immature and there is little faith in the resultant capital adequacy calculations. Just how much capital should the regulator demand firms set aside against possible exposures when the silent cyber risk is so poorly understood?

In addition to the model and assessment demanded by the PRA, firms need to look closely at existing policy documentation to gain better insight into risk. What is the current position? Does the wording need to be amended to address silent cyber risk? How can the legacy book be analysed and key data and wording from the contracts extracted to assess the potential silent cyber exposure going forward? 

Document Digitisation

In many ways, the insurance industry is better placed than many for the challenges ahead. No insurance company has yet to complete a digital transformation, one that fully harnesses the power of digital technology to rethink every aspect of the organisation. But several carriers are making remarkable progress, indicating the direction others should take. 

Document digitisation has been on the agenda for some time and the industry has already created clause libraries to make it easier for firms to gain access to vetted policy wordings and regularly used clauses. However, the low take-up of these libraries is disappointing. Not only do firms have a somewhat confusing choice – between the Lloyd’s Wording Repository, the IUA (International Underwriting Association) Clauses Document Library, and the Xchanging Model Wordings Library, but the checklist structure is not providing the required solution. 

Insurance companies and brokers need to better understand how to use these clause libraries within current business models, preferably in tandem with a document generation tool to improve data management. The goal is to create data-driven contracts, where documents are drafted based on known outlooks. But to get to that point, firms need to actively embrace document digitisation to gain a better handle on the current risk position and create a foundation for rapidly changing the wording to avoid any ambiguity regarding silent cyber. Moreover, we need the link wordings in clause libraries to classify business outcomes, and then derive business intelligence from policy portfolios. 

The future of insurance will be digital. That much is definite. The industry might have been slow to feel digital technology’s impact, protected by regulation, the size of companies’ in-force portfolios, and customers’ tendency to stay put with their insurers. But the pressure is mounting. Distribution channels, products, underwriting technology, competitors, and even business models will shift as technology attacks market inefficiencies and customer expectations evolve. 

Most insurers are responding to a certain degree, albeit often cautiously. Some see digital technology will transform pieces of the business, but find it harder to envisage how the entire value chain and business model might change. They, therefore, satisfied themselves by investing in a new sales channel, launching a service app, or automating a few processes. 

At other carriers, executives believe a transformation will not be completed on their watch, because the magnitude of change required will leave no part of the organisation untouched and could take up to a decade. So why bet on an uncertain future and risk disassembling existing profits or estranging distributors when they face more demanding issues, such as regulatory obedience?

No firm wants to risk the reputational damage associated with refusing a high-profile claim – nor endure the huge losses associated with attacks such as NotPetya. With the rise in cyberattacks, this is an issue that has to be addressed immediately: firms need to act now and embrace the opportunity of digitisation strategies within policy documentation to mitigate the potentially devastating silent cyber risk.

About the author

Akber Datoo is the Founder and CEO of D2 Legal Technology, a legal data consultancy assisting firms to unlock business value through legal change. With 18+ years of experience in investment banking, Datoo is a thought leader at the intersections of fintech, legaltech, and insurtech. A member of the Law Society’s Technology Reform Committee since 2016, Datoo is the author of the textbook, ‘Legal Data – Banking & Finance’.