Lloyd’s Burns Off Cyber Fog
I admit it: I am excited about cyber, the first new, big, risk class to come along since D&O. Demand is enormous—clients actually ask for it—and the peril is dynamic, changing as fast as technology.
Cyber crosses the tangibility barrier that divides property and casualty risks, as well as the geographical boundaries that subdivide risk portfolios. The manageability of cyber risk, alongside most insureds’ lack of preparedness, has driven an unprecedented entry of carriers and brokerages into active risk management. Cyber even presents genuine catastrophic potential, a perceived peril so great that talk of state-backed risk pools has been circulating for years. A market-loss index alongside fascinating work on parametric triggers could change the landscape. What’s not to like?
Plenty, apparently. Modeling is in its infancy, given the paucity of data and the ever-evolving threat. But since WannaCry and NotPetya, no model has been needed to see significant aggregation risk. It has made most reinsurers shy of cyber, especially those who’ve had their fingers burned. Their reluctance caused cyber reinsurance capacity constraints during recent renewals. Given the current, cyclical renaissance of attractive opportunities in more mature classes, the shortage looks set to continue.
On the primary side, the frenzy to provide cover in this all-new risk class has led to a complexity and divergence of coverage and wordings. Product overload has made it extraordinarily difficult for brokers, let alone their clients, to understand what coverages are available and which specific types of cyber risk ought to be covered.
They’re not the only ones confused. The cross-class nature of the risk has caused a measure of havoc. Conventional property, casualty, and business interruption policies have been called upon to indemnify cyber-triggered losses that were not considered at the time of underwriting and, therefore, were not priced during the process. Regulators have reacted with firm demands to end the unintentional coverage giveaway under “silent cyber” exposure. Underwriting associations in London have responded with a variety of clauses, and Lloyd’s has gone a step further by insisting that its policies either exclude cyber clearly or cover it explicitly.
The Lloyd’s diktat has been in force since Jan. 1 for most first-party property coverage—including, take note, for policies issued under binding authority agreements—and will roll into place over time for the potentially more complex claims in other classes. With a nod to the challenge (particularly in marine excess of loss and casualty treaty, med mal, workers comp, and marine war, which have until July 1, 2021, to comply), a January market bulletin declared: “Lloyd’s recognises that achieving full clarity of cyber coverage will continue to require a significant commitment of resource by managing agents and brokers.”
Meanwhile, the “affirmative” cyber market—which expects much new business to come its way as exclusions are implemented—has gained enormous ground. However, its margins have eroded faster than naïve capital in a hardening market. Large, high-profile loss events (“spikey” is the preferred term), combined with the relatively rapid rise of attritional losses claimed against policies priced and structured in an increasingly competitive environment, have transformed cyber from a cash cow into yet another line where shirts can be lost like laundry from the line in high winds. Cyber is new, big and exciting, but on the whole the industry has a long way to go to get to grips with understanding, pricing and managing the risk adequately.
The best underwriting minds are getting down to the job. Consider, for example, war exclusions. Property policies typically deploy phrases such as “armed conflict” and “extreme violence” to describe and exclude losses caused by war. Cyber warfare, however, might not be accompanied by troops in boots but could still cause extreme civilian suffering and death (for example, by taking down a city’s power grid). Must a state of war exist between the relevant countries for an insurance company to avoid a claim based on a war exclusion? Today the answer to this prickly question is: “Who knows?”
The dedicated cyber market has pointed to recent legal action over war-excluded claims made under property policies as a good reason to choose “affirmative” cyber coverage rather than relying on a cyber write-back. In truth, however, the cyber market has similarly failed to reach consensus on what constitutes an act of cyber war.
Other real-time uncertainties continue to worry risk carriers. Under the world’s recent wave of privacy legislation, many regulators have been empowered to levy enormous fines against companies they deem to have recklessly breached new regulations. The insurability of these expenses remains in question, which is of particular concern to risk carriers that are on-risk with policyholders who have already been fined. Hundreds of millions of dollars are at stake.
It is admirable and even expected that bold underwriters will leap toward new risks, giving clients the protection they need even before all the implications and details can be worked out. The tradition goes back to the first-ever aviation insurance, written by an enterprising Lloyd’s man who simply struck the word “driver” from an auto policy and inserted “pilot.” Insurers have been similarly responsive to the very real and unpredictable peril that lurks in silicon and fiber. Enormous effort and resources have been expended across the market to meet demand.
But it’s time to work out the bugs. The market needs to reach mutual consensus over coverage, then get the wording sorted out. Many individual efforts are laudable, but a dose of cohesion would make a world of difference. Underwriters need to get the pricing right, and reinsurers need to bring their considerable weight to the table and take part, lest their clients become unable to meet growing customer demand. Insureds are best served by responsive coverage that matches their real risk (no more and no less) provided at a sustainable price. Lloyd’s has it spot on: if cyber is to live up to the excitement and fulfill its promise, a continued investment of significant intellect and resolve must be made.