Making a noise about “silent” cyber
- So-called “silent” cyber exposures in traditional P/C policies create uncertainty for clients, brokers and insurers
- The nature of cyber risk is ever-evolving with hacker attacks becoming more sophisticated, targeted and far-reaching
- Most traditional policies were designed when cyber wasn’t a major risk and don’t explicitly mention or even consider cyber risk
- Allianz Global Corporate & Specialty (AGCS) has been named the Center for Competence for Cyber ensuring a consistent underwriting approach for cyber risks for Allianz Group, worldwide.
Hackers snag a transit system’s controls causing a train derailment. Malware snakes through a GPS-linked navigation system steering a ship into a bridge. Cyber risks can easily cause physical damages or claims. So-called “silent” cyber exposures in traditional property-casualty (P/C) insurance policies create uncertainty for clients, brokers and insurers alike. Allianz is one of the first insurers to rethink established modes of underwriting in order to clarify cyber risks. It was just a foretaste of what a real global “cyber hurricane scenario” could look like – and still the impact was disastrous for many companies globally.
In 2017, large cyber-attacks like Petya and NotPetya or WannaCry caused significant losses for businesses – insured losses for the former are estimated to be $3.3bn. Global conglomerates like Merck and Maersk suffered severe disruption of their systems and businesses during that attack. Pharmaceutical giant, Merck, by far the most severely hit, is reportedly receiving about $2bn in cyber insurance coverage; losses for shipping giant, Maersk, exceeded $300mn[1].
According to US claims analyst, PCS, nearly 90% of the total industry loss of Petya and NotPetya was attributed to so-called “silent cyber exposures”, which are potential cyber-related losses stemming from traditional property and liability policies not specifically designed to cover cyber risks. As these incidents demonstrate, cyber loss events can impact multiple lines of business beyond specialist cyber cover such as property, business interruption (BI), errors and omissions (E&O) or kidnap and ransom (K&R).
“The 2017 WannaCry and NotPetya attacks highlighted the risks and potential damage across all business areas causing significant concern around cyber risks in traditional property-casualty (P/C) policies,” says Emy Donavan, Global Head of Cyber and Tech PI, AGCS.
In the past few years, cyber risks have gone mainstream. For the first time in the eight-year survey, cyber incidents rank as the top global risk in the Allianz Risk Barometer 2019, tied with BI. Cyber incidents topped business risks in South Africa for the past three years until being overtaken by BI in 2018. Cyber incidents can trigger not only extensive financial or disruptive losses but, potentially, physical damage, BI, product recall, bodily injury or even life-threatening consequences.
“The nature of cyber risk is evolving rapidly and constantly with hacker attacks becoming more sophisticated, targeted and far-reaching,” Donavan says.
Companies increasingly are exposed to “large-scale, multi-vector mega attacks using advanced attack tools”, often outpacing the maturity level of corporate IT security systems[2]. Besides cyber-crime, often it is technical failure, IT glitches or human failure which causes massive system outages or data losses.
“Silent” cyber scenarios could include a hacker attack on a transit system causing a train derailment or a malware-infected, GPS-linked navigation system incorrectly guiding a ship[3]. Another silent risk might include a hacker creating significant disruption by opening the floodgates at a hydroelectric dam, likely causing significant downstream flood damage[4] and potentially triggering property policies.
In such cyber- or tech-driven incident scenarios, it is often unclear whether or not traditional policies would cover the potential losses, as most don’t intend to cover cyber risk.
“Most traditional policies were designed when cyber hadn’t yet emerged as a major risk and don’t even explicitly mention or consider cyber risk,” Donavan explains.
Such “silent,” or “non-affirmative,” cyber exposures lead to inadequate protection of customers with a lack of certainty and transparency for all parties involved – customers, brokers and insurers. “A new insurance approach is required to effectively counter new risks posed by cyber and to remove coverage uncertainty for customers,” says Donavan.
New Allianz Underwriting Strategy for Cyber
Group-wide, Allianz is reviewing cyber risks in P/C policies in commercial, corporate and specialty insurance segments and has developed a new underwriting strategy to address “silent” cyber exposures, ensuring that all P/C policies will be updated and clarified in regard to cyber risks. It has nominated AGCS to establish a Center for Competence for Cyber for the entire company.
“We will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed,” Donavan says. The new strategy also responds to growing concern from regulators and rating agencies about cyber exposures in insurers’ portfolios.
AGCS has already implemented the strategy for new business and will do so for renewal business, subject to regulatory and filing requirements in certain jurisdictions, in April. Other Allianz P/C companies will apply the strategy by January 1, 2020, at the latest.
What changes?
For policyholders, the set-up will be different depending on the specific line of business, as well as the market and regulatory environment. If unclarified, cyber exposures will be specified in policy wordings. Clear definitions of when cyber risks are covered under traditional policies, as well as for which scenarios a dedicated cyber insurance solution is required, will be written in.
“There is no one-size-fits-all approach,” says Marek Stanislawski, Deputy Global Head of Cyber, AGCS. “Local underwriting teams will adapt the strategy as best fits their markets. Changes to actual policy language will vary across products and countries, depending on the regulatory framework.”
AGCS policyholders will choose among several options to tailor cyber risk coverage to their individual needs and risk profiles – ranging from “now-affirmative” coverage in a traditional P/C policy to an endorsement embedded into a traditional policy to a specialist cyber insurance policy. In many cases, cyber event definitions will be added to existing wordings. Certain product lines have market-standard wordings to address cyber risks, used by AGCS when they are available and adequate. Many lines will provide cyber risk extensions or endorsements to traditional products (e.g. property offers a dedicated cyber BI extension).
“A comprehensive solution for all products – while extremely challenging to create – is in the best interest of customers and brokers,” explains Stanislawski. “This keeps expertise around specific cyber exposures in the lines of business where they’ve traditionally been underwritten and also gives customers a greater degree of certainty and benefit from the products they already purchase.”
What doesn’t change?
Under updated wordings in Allianz P/C policies, physical damage and bodily injury arising from cyber events will generally continue to be covered. Cyber-related “pure financial losses” without physical damage or injury, however, will be covered in affirmative cyber insurance solutions only.
Affirmative coverage: Two scenarios
Affirmative coverage in a traditional policy: A hacker attack on industrial software causes an explosion at a factory; physical damage and subsequent BI loss would be covered in a standard Allianz P/C policy.
Affirmative coverage through cyber policy or endorsement: Malware leads to a disruption of production or service delivery and loss of revenues for a company without physical damage; such “pure financial losses” may require a dedicated cyber insurance policy, or a cyber-specific endorsement to traditional policies.
While the global market is beginning to address “silent” cyber exposures, Allianz is a “first-mover” insurer and is engaged in market information and education.
“Our underwriters and staff are in constant customer and broker contact, explaining what silent cyber exposures are, what we’re aiming for and what the individual policy impact will be. Most understand that it’s in everyone’s mutual interest to address ‘silent’ exposures and appreciate the certainty and clarity in our updated wordings,” says Donavan.
The new strategy helps Allianz better measure its cyber exposure and respond to regulators and rating agencies by effectively managing cyber underwriting risks. With these efforts, Allianz aims to be able to better manage the cyber aggregation risk in its P/C portfolios and make adequate capital provisions to deal with large-scale cyber loss scenarios that could potentially affect multiple policyholders at the same time.
Regulators and reinsurers respond
Financial supervisors increasingly warn of significant “silent” cyber risk in insurers’ portfolios. The German supervisory authority, BaFin, has announced that it will be more attentive to insurers’ “silent” cyber exposures in 2019. The UK’s Prudential Regulation Authority urged insurers and brokers in 2017 to address cyber risks, so regulators globally are moving to raise awareness on a general scale. The London market has responded to regulatory pressure to clarify cyber cover under traditional policies; specialty products, in particular, have seen an increasing number of exclusions written into contracts.
Reinsurers have increasingly put “silent” cyber on the agenda, as well. Munich Re Board Member, Doris Hoepke, says: “Insurers have to address ‘silent’ cyber exposures in their traditional policies”[5].
The topic is also increasingly on brokers’ agendas. Aon’s reinsurance division has announced a silent cyber facility, while catastrophe modeling firm, AIR Worldwide, collaborated with reinsurance broker, Capsicum Re, to identify which non-cyber lines of business are exposed to cyber-related losses. Willis Towers Watson’s 2018 Silent Cyber Outlook Survey highlights growing concerns about “silent” cyber exposures.
“I would expect 2019 to be definitely noisier around ‘silent’ cyber exposures,” Donavan says. “The industry has to get a grip on these challenges in one way or another and we are expected to provide attractive solutions around cyber – as today’s key business risk.”
[1] Artemis, Merck & silent cyber impacts drove Petya industry loss: PCS, November 7, 2018
[2] Check Point, Achieving fifth generation cyber security: A survey research report of IT and security professionals, March 2018
[3] Willis Towers Watson, Silent cyber outlook: Is silent cyber risk creeping up on insurers?, September 11, 2017
[4] Guidewire, Aon and Guidewire launch cyber scenario for a US dam attack, October 25, 2018
[5] Baden-Baden Reinsurance Conference in 2018