While many insurers are signing up to the cyber race in pursuit of much-needed premiums, some say the aggregation exposures faced by cyber insurers are the elephant in the room. Andrew Schütte and Andrew Hill consider whether this is the case.

What would a cyber catastrophe look like?

Imagine a cloud-computing platform is hacked or taken down by a denial of service attack. Of course, the insurer of the cloud provider would expect to be hit with countless claims, but less obvious perhaps are claims from insureds whose client data, stored in the cloud, may have been exposed.

The wider the application of the technology, the greater the aggregate risk. An often-quoted example would be a disruption of a GPS satellite, which could result in ships and other vehicles going off course, causing collisions, late deliveries of goods, business interruption and potentially other losses. Another example might be a computer system controlling oil rig production. If a virus destroyed such a system, it could result in blowouts, suspension of operations and some very large claims indeed.

Has the cyber market yet seen a true catastrophe loss?

In 2011, Sony PlayStation Network was hacked and the personal data of some 77 million of its customers was exposed. In 2014, hackers stole the records of 83 million JP Morgan customers. There have been several other data breaches on a similar scale in recent years. These ‘mega’ breaches are perhaps the closest the cyber market has come to seeing a ‘catastrophe’ loss.

The ultimate cyber catastrophe loss could be ‘taking down’ the internet. While it is rumoured there have been unsuccessful attempts, the internet has thus far been very resilient.

Should such an attack be successful, however, a significant multi-line CAT loss is foreseeable.

Which lines of insurance business could be affected by cyber exposures?

Cyber exposures, just like the term ‘cyber’ itself, are not easy to pin down. They all generally arise from computer networks or sensitive information, but the exposures are incredibly broad. Several lines of ‘non-cyber’ business could be faced with cyber-related claims. A property insurer might pick up a business interruption claim arising out of a ‘Stuxnet’ type attack designed to destroy hardware by introducing a virus into an operating programme. A financial institution’s insurer might get a claim for fraud under a computer crime policy. A D&O insurer could be faced with a claim where proceedings are commenced by shareholders against the directors for failing to protect the company’s IT security following a data breach. There are many more examples. Cyber exposures do not exist in a vacuum and arguably should not only concern specialist cyber underwriters.

How much overlap is there between cyber and other lines of business?

One might be forgiven for thinking that the insurance market is in the midst of a cyber ‘land grab’. As well as specialist cyber entrants, there has also been a trend in recent years for ‘traditional’ lines to write incidental cyber business.

Whether cyber insurance is best written by specialists on a standalone basis or, because it is so all-pervasive, as an extension to ‘traditional’ lines of business, is a burning issue in the cyber market. There is no clear consensus at present, although policyholders’ requirements may be the decisive factor and may incline towards incorporating cyber into standard commercial policies.

What should insurers do?

The uncertainties surrounding aggregation should prompt insurers to consider how their client portfolio is structured and in particular how resilient their book of business across all lines might be in the event of significant cyber loss. This requires an understanding of what insurers’ cyber exposures really are and that, in turn, requires a structured approach.

The Lloyd’s market has set out its stall with the introduction of specialist ‘CY’ codes for cyber, which are aimed at giving underwriters visibility on their aggregate exposures in this area.

There is no one easy solution to minimising exposure to potential aggregated losses in what is an incredibly fluid area of risk. The tried and tested principles of good underwriting remain relevant, however: understanding the risk that is being taken on and ensuring that the policy language is sufficiently tight that losses not accounted for in the premium are not covered.