January 4, 2017
Urgent Need on ‘Silent’ Cyber Risks
by James Evans and Judy Selby
Are current risk management systems adequate if a “Cyber Andrew” hits? Insurers face unprecedented risks.
This is an unprecedented time for insurers. As margins associated with conventional lines of coverage continue to tighten, pressure is increasing to offer new forms of coverage to respond to the emerging cyber threats facing insureds in today’s digital economy. At the same time, insurers are compelled to make certain that those risks are effectively excluded from coverage under many other “traditional” policy forms.
Unfortunately for underwriters of both traditional and newer policy forms, emerging cyber threats can be difficult, if not impossible, to predict and factor into underwriting and policy drafting processes. But as we have already seen with cyber incidents, today's unknown cyber threat can become tomorrow's front-page news and an unanticipated limits payout. And if that threat is spread across multiple insureds in an insurer's coverage portfolio, the bottom-line effect of the aggregated losses could be devastating. Making matters worse, as recently recognized by the Bank of England's Prudential Regulation Authority (PRA), these "silent" cyber exposures (cyber-initiated losses under policies that neither explicitly cover nor exclude them) can simultaneously affect multiple lines of coverage, including casualty, marine, aviation and transport, on both direct and facultative business.
See also: A Revolution in Risk Management
Imagine this scenario:
Company A manufactures components used in the Wi-Fi systems of commercial airliners. Mr. X, a disgruntled employee of Company A, deliberately inserts a backdoor into the components' software, and the components are then sold to Company B, a leading manufacturer of commercial jetliners. Company B incorporates Company A's components into its jetliners and sells 30 of them to three major U.S. commercial airlines. Company A also sells the affected components to Company C, which manufactures and sells private charter jets. Company C sells 15 jets containing Company A's vulnerable components to various private individuals and corporations.
Once the planes are in operation, Mr. X remotely triggers the backdoor in the aircraft, causing three in-flight planes to go down in populated areas. Plane 1 crashes into a medical center in Small Town. Plane 2 destroys an electrical power station in Mega City, plunging half of the city into darkness. Plane 3, a private corporate jet, causes serious damage to a bridge that is heavily used by a commuter rail service in Sunny City, rendering it unusable and making it virtually impossible for thousands of commuters to get to work.
Widespread panic immediately ensues after the crashes. All U.S. air traffic is halted pending an investigation of the cause. There are numerous traffic accidents and looting incidents following the blackout in Mega City, and many organizations are forced to close indefinitely. Mr. X then contacts Company C and the three airlines that purchased the affected jetliners and demands $1 billion in exchange for revealing the vulnerability.
This obviously is an unlikely scenario: it presupposes that a compromised cabin Wi-Fi component can reach flight-critical systems, a segregation failure that a technical reviewer would flag immediately but that an underwriter without that expertise has no way to price. As technology continues to be used in novel ways, however, it is important to recognize what will be possible. This scenario was created to highlight a complex casualty catastrophe initiated from a single technological weakness in an increasingly connected world. While crashing planes are terrifying, the bigger takeaway is that this was not a possible scenario prior to recent technological developments. It isn't difficult to see how the multiple insurance coverages triggered by the above scenario (aviation hull and liability, product liability, property, business interruption and extortion, among others) could result in insured losses well in excess of $20 billion. Individual company losses could be disastrous, given that lines of business that were previously uncorrelated would now be hit by a single common cause. While technology forges new connections among businesses and individuals, those connections have ushered in the new risk of technology-initiated catastrophe scenarios, recently labeled "Cyber Andrew" scenarios, in reference to Hurricane Andrew, which resulted in losses few insurers previously believed possible.
The continued expansion of loss causes, courtesy of new technology, will have implications for both legacy insurance and new cyber insurance contracts. This means that insurers must assimilate the expanding possibilities into their risk management processes, including Probable Maximum Loss ("PML"), risk aggregation and risk appetite. At the core of the silent cyber hurdle is a single question: Do current risk management systems capture all possible risks today, and will they capture what can happen tomorrow, before a "Cyber Andrew" hits?
See also: Can Risk Management Even Be Effective?
This challenge, if the PRA is to be believed, is currently not being met. As the conversation escalates to the C-suite, risk managers need access to a team with specialized skill sets to better understand and calculate the impact of new technology on their enterprise risk management plans. At the same time, this added focus on technology will continue to expand reporting requirements. Providing detailed yet clear reporting to the board that highlights the full impact of current technologies on the comprehensive insurance portfolio will become a minimum standard.
As technology continues to advance, insurers' risk management tools and resources must evolve. Each organization will face its own distinct hurdles based on the individual characteristics of its insurance portfolio, and its solution should be just as individualized. There will not be one magic bullet that ends cyber risk. The keys to meeting this challenge will be understanding new and emerging risks and assembling a team of professionals with the requisite skills to address them.