In 2017, WannaCry infected computers in over 150 countries across the globe, taking out critical functions such as the National Health Service (NHS) in the U.K. One year later, the NotPetya cyberattack brought many household names to a standstill. The pharmaceutical giant, Merck, was reportedly the source of US$1.3 billion of total impact to (re)insurers from the NotPetya attack, 87 percent of which was considered silent exposure. These two major cyberattacks highlighted to insurance carriers the risk of being exposed to silent cyber events and the need to start quantifying and managing that risk.
Regulators have started to take notice. Since summer 2017, the U.K. Prudential Regulatory Authority (PRA) has been asking insurance firms to provide action plans on how they plan to address their silent cyber risk. In November 2018, Moody’s announced it will soon start evaluating organizations on their risk to a major impact from a cyberattack. Following this, in July 2019, Lloyd’s announced a deadline of January 1, 2020 for all syndicates to start to address their silent cyber risk where “… all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.”
NotPetya and WannaCry were just two examples of costly silent cyber events. As pressure from regulators mounts and cyberattacks become more common, it is imperative to understand where silent cyber exposure can be found, and how much it could cost you.