Aon: The Outlook for Cyber Risk
Why cybersecurity has become a bigger issue for (re)insurers and how they can address it.
Cybersecurity threats and actual incidents have escalated dramatically over the past two years, putting extra pressure on (re)insurers and the sector.
Increased working from home is an obvious example of how any company’s security could become easier to penetrate. However, certain high-profile events that have happened in the past few months are forcing (re)insurers to rethink their working practices.
Firstly, claims handling. Insurers should really be able to gather information about claims notices, demands, payments, specific to major events as reinsurers will ask for an increasing amount of detail following such an incident. It's also helpful to have a conversation about claims handling philosophy with your lead reinsurance partners before any specific issue arises to ensure you’re both on the same page.
Secondly, there are the underwriting actions that are specific to these events. A good example is the Microsoft Exchange Server incident. The insurers were able to approach it, getting answers to just a few quick questions, and the underwriter could determine whether an insured was exposed using that information. Then, the insurer could respond accordingly, on a risk-by-risk basis.
Reinsurers might ask for a known event exclusion or some other restriction – so the execution of those strategies is really important. A subset of this is underwriting of specialty coverage, a recent example of which is contingent business interruption. Tracking of that coverage is an important element of an insurer’s strategy. Reinsurers are asking for detail: how often it's deployed, at what limit, how it's priced. There are many moving parts to consider.
Not all ransomware events are high profile, but we’re looking at this area closely as it’s a trend that's impacting attritional loss ratios. It's important to understand that all the major ransomware attacks that have hit the headlines have had some really basic underlying causes. This is good news both for the sector and individual carriers, as attention to core cyber hygiene will go a long way in mitigating the potential impact of ransomware.
Not all ransomware events are high profile, but it’s a trend impacting attritional loss ratios.
Furthermore, insurers are approaching ransomware with increased underwriting discipline. They're using supplemental applications along with technology tools to assess the cyber security posture of insurance relative to ransomware – then they're acting based on that information. This might include putting up rates: we’re seeing hikes anywhere from 20% to more than 100%, depending on the mix of business.
The last action could mean not renewing or declining a risk if the original insured is missing essential controls. It's going to take some time to see the impact on portfolios of these underwriting actions, but the changes have been in motion for many months now, starting with rate changes in the middle of last year, which should have a positive impact on results.
Some important things are happening to support differentiation of rate, such as improved technology tools to assess individual risk exposure and help make more risk-specific pricing decisions. This can be both proprietary in-house technology and third-party tools. There are also portfolio management tools to support the high-level view.
Additionally, the insurance industry has been talking for several years about how a pool of loss information – on attack vectors or emerging trends, for example – would help improve underwriters’ approach to portfolio management, including pricing.
Seven insurers took the lead in June of this year, forming a coalition called CyberAcuView, which will analyse trends and causes of loss, among other things. This will really support the industry and the underwriting and pricing of risk.
Governments are becoming increasingly involved in addressing cyber risks as they realise the need to defend their countries’ critical infrastructure. For example, the Cyber Solarium Commission, published in 2020 by the US government, made several recommendations to improve the nation's cybersecurity defences.
A specific subset of that is government contractors and suppliers. The Biden administration issued an executive order with certain requirements on government technology suppliers’ cyber security, which must be in place before they enter into new contracts.
There is also the question of how to disrupt the infrastructure of ransomware bad actors. These groups can be hampered through international and public-private sector cooperation, as there is both a structure and process around how to organise or disrupt payment.
Another key area is the capital that might be needed to support the cyber insurance industry. Aon called for a US cyber study in relation to the renewal of the Terrorism Risk Insurance Act a couple of years ago. Looking at the potential scope of a systemic event and being able to decide what capital need might be there as a backstop is important to support the cyber insurance market in the long term.
In the short term, we’ll still have to work through the impact of ransomware, so we're going to see the market hardening while those underwriting actions are executed. But it’s important to keep an eye on long-term stable capacity and new ways to develop more.