In 2017, WannaCry infected computers in over 150 countries across the globe, taking out critical functions such as the National Health Service (NHS) in the U.K. One year later, the NotPetya cyberattack brought many household names to a standstill. The pharmaceutical giant, Merck, was reportedly the source of US$1.3 billion of total impact to (re)insurers from the NotPetya attack, 87 percent of which was considered silent exposure. These two major cyberattacks highlighted to insurance carriers the risk of being exposed to silent cyber events and the need to start quantifying and managing that risk.
Regulators have started to take notice. Since summer 2017, the U.K. Prudential Regulatory Authority (PRA) is asking insurance firms to provide action plans on how they plan to address their silent cyber risk. In November 2018, Moody’s announced it will soon start evaluating organizations on their risk to a major impact from a cyberattack. Following this, in July 2019, Lloyd’s announced a deadline of January 1, 2020 for all syndicates to start to address their silent cyber risk where “… all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.”
NotPetya and WannaCry were just two examples of costly silent cyber events. As pressure from regulators mounts and cyberattacks become more common, it is imperative to understand where silent cyber exposure can be found, and how much it could cost you.
NotPetya infection screen. Image credit: Wikimedia Commons
The two key questions that all (re)insurers are trying to answer are:
- How big a risk is silent cyber to my business?
- What is driving that risk?
Although seemingly simple questions, getting to a robust answer is less so. So where do you start? To make this easier, the process can be condensed into three steps:
Step 1. What Exposure Do I Have That Could Cause a Silent Cyber Loss?
The first – and likely the most resource intensive step, is to work out what exposure you have to silent cyber. Every Line of Business could be liable, and it could be hidden in any policy. Could an industrial facility receive an attack on its control systems which causes a major explosion and property damage to your industrial book? Could a ransomware attack like NotPetya cause business interruption (BI) losses that pays out under a standard property policy?
There are a multitude of questions to answer here. Do you provide coverages that would trigger in a cyberattack? What exclusions are in place? What do the details of the policies look like? Are there sub-deductibles and sub-limits? What endorsements and extensions do you provide? How confident are you in the policy wording? Do you have other protective measures – such as reinsurance – that will protect you from paying out? What accumulation controls do you have in place?
After reviewing each Line of Business in turn, you can assess how much of each is at risk to cyber losses, where it is excluded from cyber losses and the uncertain bits in between where it’s unclear if cyber is covered or not.
Step 2. How Could This Exposure Be Attacked?
After step 1, you know how well protected a Line of Business is. In step 2, you want to answer how frequent and severe expected attacks would be. From this, you can understand which Lines of Business are the biggest threats to your portfolio.
Expert knowledge of the cyber threat landscape is required, as well as expertise in the “ins-and-outs” of your exposure. Knowledge of the type of assets you are insuring is key to understanding the riskiness of each Line of Business. For example, what does your property portfolio contain – are you insuring heavy industry and utilities firms, or mostly general commercial, or both? Combined with details of the cyber threat landscape, you can then determine the attack method relevant to each Line of Business and the potential scalability. The unpredictable and ever-changing nature of cyber results in new attack methods all the time. Not only must you consider the threats today, but you must also consider how they might change.
Once you have all this information, you can develop silent cyber scenarios that could impact your business. Again, specialist knowledge is required to develop the most likely scenario that will have the greatest effect on each Line of Business.
Step 3. What Would the Cost of Such an Attack Be?
The final step is to quantify the silent cyber risk. Before you can do this, you need to collect all the exposure data into one place. As cyber is such an aggregate risk and one attack could hit policies across multiple lines of business, an accurate measure of silent cyber risk must model losses across your entire portfolio. However, this data is usually stored in a wide range of places and formats.
Often the data required for standard non-cyber modeling is different to that needed for cyber, and this data can be missing. Using a flexible exposure data schema, such as the schema developed by RMS in partnership with the University of Cambridge Centre for Risk Studies, is beneficial as it allows exposure and policies from multiple lines to be accommodated in one place and modeled together.
Finally, with the data collated in one place, you can start to quantify the scenarios developed in step two. Existing models can be used, such as RMS Cyber Solutions, which has a range of information technology and cyber physical scenarios. Alternatively, bespoke scenarios specific to your book can be developed. However, any scenarios developed need to be continually reviewed and updated to ensure they are appropriate for the current cyber risk landscape.
Through thorough and quantitative investigation of your silent cyber exposure, you have now answered the two questions you set out to: how big of a risk is silent cyber to your business and what is driving that risk.
The benefits of quantifying your silent cyber risk are extensive. In the near term, you’ll be prepared to answer questions from your board and regulators in a clear, auditable and repeatable manner, and be able to develop plans for any silent cyber losses on the horizon. In the long term, you can remove the risk of silent cyber all together – either by intentionally including cyber as a peril and turning silent cyber into affirmative cyber or by specifically excluding it. Silent cyber is currently seen as a threat to insurers, but it is also an opportunity for growth.
At RMS, we have a team of experts with experience in performing all three steps with clients. With industry experience of exposure information and policies, expertise in the constantly evolving cyber threat landscape and a widely used cyber model, we are in prime position to help you quantify your exposure to silent cyber.
If you are interested in help conducting a silent cyber risk assessment, please contact: firstname.lastname@example.org
About RMS Consulting
We have worked with many of the largest (re)insurers providing Risk Strategy, Solution Design and Implementation services on catastrophe modeling related engagements over the last ten years. Our team has an unparalleled depth of catastrophe modeling experience coupled with insurance and technology expertise, which we utilize in order to solve unique challenges that provide measurable improvements for our clients.