Insuring the world’s central nervous system

The global influence and importance of the internet has grown to the extent that it has become like a ‘central nervous system’ conjoining people on the different continents and delivering information worldwide. Beyond whether it is a threat or an opportunity, cyber risk is now ubiquitous to our very existence.

That is the view of Konrad Rentrup, chief executive of Hannover Re (Bermuda), who argues that a change of this magnitude leads to challenges, and cyber risk is one of them.
“Is there a way we as the insurance industry could avoid this risk? It’s virtually impossible,” Rentrup says.

“The traditional lines of business including auto, property, marine & energy, liability—essentially the whole gamut of the insurance industry—is exposed to the cyber risk. Unfortunately the industry has not been diligent enough to either exclude or price for such risks under these lines of business.”

The industry is adjusting. Cyber risk insurance, which has enjoyed phenomenal growth, can do a good job of protecting clients against the negative economic effects of data breaches. But he stresses that in reality this is also just a small slice of the overall cyber risk pie.

“It is still a work in progress and there is significant ground to be covered to address risk modelling, data collection, product standardisation, and ironing out the so called ‘coverage gap’ in insurance and reinsurance markets,” Rentrup says.

“With connected cars, the internet of things, smart grid, big data and artificial intelligence there is potential for explosive growth in cyber risk-related products.”

Unknown unknowns

Rentrup argues that the true nature of cyber risk is similar to that of many other manmade risks as in essence it is an ‘unknown unknown’ compared with natural catastrophes which are governed by physical laws.

The risk is systemic in nature to the extent that it sits behind every network structure and corporate relationships which are private information and hence difficult to map. Since threat and vulnerabilities are constantly changing our traditional approach to risk assessment and insurance is challenged.

“The adversaries find weaknesses in certain software, or in an industry segment or use insiders to infiltrate into the networks and in a short timeframe use the same methods on a number of clients using the same standards,” he says.

“With our capabilities it is difficult to precisely quantify and understand the risk to the full extent. Evaluating a client’s measures to protect itself against a cyber attack and the evaluation of probability that a client will be attacked are driving factors within the underwriting process.

“Quite often a client’s industry will be a major determining factor in pricing. Risk classes might be defined based on the similarities in network architecture, vendors, data classification, corporate governance and propensity to be attacked.”

For reinsurance, Rentrup says, a lot of consequential exposures slip in due to vague contract wordings for property, auto, marine & energy and liability covers. He argues that there seems to be significant ambiguity in the language of some of the exclusions currently used, such as NMA 2912, which was written in the backdrop of Y2K for a different purpose and is still used to date.

“The exclusions have not been tested in court, but reinsurers should be diligent while writing a contract or sell a separate coverage gap to the cedant,” he says.

Another yet-to-be-resolved dimension is a legal definition of ‘cyber war’ where a nation state backs a cyber attack. With the use of anonymisers, and with present technology, it is virtually impossible to resolve attribution to a nation state adversary with certainty.

For example, Rentrup says, the Sony loss in 2014 was paid although it was believed to have been perpetrated by North Korea—it is very difficult to prove the state sponsorship with evidence in a court of law.

“We have fortunately not seen any cyber attacks that caused both actual physical destruction and loss of life. Without both we have to set different standards for a general definition of war which would also describe cyber war,” Rentrup says.

“An implied problem from the above is a definition of cyber event. So far we have only seen uncapped quota share (QS) and aggregate excess of loss (XL) placements; event XLs are rare and confined to the London Market.

“The situation is far from ideal since both QS and aggregate XL placements require a fair bit of balance in the portfolio which prohibits growth in large line capacity. At the same time we as reinsurers are exposed to unlimited risk emanating out of one event. One way to get around this problem is to use different characteristics of cyber attack to connect the dots rather than the attributing it to a specific group.”

Approach with caution

Rentrup stresses that while Hannover Re acknowledges the opportunity, the company is cautious in its approach to underwriting cyber risk. He says the reinsurer has developed in-house realistic disaster scenarios (RDS) scenarios to constantly monitor the risks group-wide, which includes consequential cyber risks.

Thus far, he thinks the company has seen a large percentage of the cyber reinsurance market and obtained a good understanding of the products and processes in place at different cyber insurers.

“During the past few years we have invested significantly to build standards regarding cyber reinsurance contracts and are constantly in discussions with brokers and cedants on the wordings,” he adds.

“Pricing for reinsurance products so far has held mainly firm and unlike other segments the placements are not significantly oversubscribed.”

Beyond North America, the reinsurer is observing increased interest from European and Australian clients for cyber products. Very often new privacy regulations are the backdrop for the growing demand, he says.

“While we support more experienced underwriters with a good track record, we are also happy to assist new entrants across the globe to help them shape their cyber insurance offering. The group is extending its support to cedants in the Asia-Pacific region where cyber insurance is in its infancy, to shape the industry there. Overall we are satisfied with the progress in the cyber insurance markets.”

So far the cyber reinsurance placements underwritten by Hannover Re have been on QS and aggregate XL covers rather than on a per-occurrence basis. Over recent years, he says, it has noticed elevated interests around a cyber event definition which would be the requirement for an occurrence, or cyber catastrophe XL cover.

“There has been demand for such a product but the market was stuck due to a lack of cyber event definition and lack of clarification on how to settle claims,” he says.

“Being the low frequency-high severity hub for the group, we at Hannover Re Bermuda are working on the development of a cyber catastrophe coverage which will solve a key issue for the insurance and reinsurance market.”

Since 2015 the cyber insurance market shows not only improving take-up rates, but the existing insureds are requesting larger limits, he says. Insurance placements are growing vertically and the excess markets are seeing good growth opportunities. He hopes that a cyber event reinsurance coverage will enable primary companies to provide the capacity and to spread the risk through the worldwide reinsurance market. Contract certainty for both insurers and reinsurers would facilitate capacity growth and innovation.

“More recently we have seen demand for cyber terrorism-specific covers where the motivation behind the attack is destructive and disruptive rather than a data breach. Earlier this year we saw a cyber attack on the Ukrainian power grid and the resulting outage affected 225,000 customers for up to two days.

“The existing terror pools across the globe do not provide cyber terrorism cover which means there is a coverage gap which needs to be addressed. Besides we are not certain if the terror pools will be able to address this gap effectively given the current attribution problem that blurs the gap between cyber terror and cyber war.”

Just the beginning

For all the work that has already gone into understanding and attempting to price cyber risk by the industry, Rentrup stresses that the industry and society more generally are very much at ‘day one’ regarding cyber insurance, and still at the beginning of the overall learning process.

In the US take-up rates for cyber insurance are nearing 20 percent, while in most parts of the world it is still in the single digits.

“Recent legislation changes in Europe might lead to further growth in the cyber insurance market, but due to the nature of the risk and its uncertainties we would advise any new entrants into this insurance sector to move with extreme caution and with a highly experienced and specialised team only,” he says.

He reiterates that the pace of change in society is extraordinary and the industry can only attempt to keep up.

“With the way the world is moving it is likely that internet of things, connected cars and even autonomous cars, drones, smart grids, smart homes, and artificial intelligence will be the new norm within a decade.

“At present there are in excess of six billion devices connected to the internet and there will be multiples of that by 2020. Keep in mind that manufacturers do not have security as the primary concern when designing these devices. As the adoption of such devices increases the interconnectivity will grow and as a result, unfortunately, cyber risk will be even more significant,” says Rentrup.

“With the way cyber insurance is developing I have full faith that the insurance and reinsurance industry will provide solutions to cope with the exposure and the potential financial impacts. Innovation will be the key to the market development.”