While ransomware was the hot topic at 2021 midyear insurance industry conferences, discussions of the broader topic of systemic risk—spurred on by recent hacks of SolarWinds and Microsoft Exchange—had underwriters talking about fixes beyond rate hikes.

One session on cyber insurance trends at the Casualty Actuarial Society Seminar on Reinsurance in June, coincidentally, took place on the same day that an edge cloud platform called Fastly went offline for an hour, taking client sites ranging from news outlets to the U.K. government down in the process. (See related article, “Explaining Just How Fastly Problems Happen.”)

“Before this morning, had you ever heard of Fastly?” asked Brad Gow, global cyber product leader for Sompo International. “The fact that you had a large number of news and financial and e-commerce websites dependent on this common provider that failed, impacting all of them simultaneously, just speaks to a lot of the challenges,” he said.

Panel moderator Alex Podmore, assistant vice president and cyber underwriter for Swiss Re, introduced the topic, pointing to the growth of cloud infrastructure and the increasing interdependency between businesses and software service providers, turning to panelists Gow and Annamaria Landaverde, senior vice president and cyber practice lead for the Reinsurance Division of Munich Re, US, to offer their assessments of systemic exposures.

Landaverde noted that the earlier media reports about the SolarWinds and Microsoft Exchange hacking events indicated that the clients of those companies numbered in the thousands, sparking reinsurers’ concerns about risk aggregations. Surprisingly, “we’re not seeing the level of systemic events coming out of those that we were expecting,” she reported, adding, however, that there could be a lag in those claims, which therefore merit continued monitoring.

Also warranting attention is the contingent business interruption coverage part—“very common these days”—as the use of software-as-a-service and third-party cloud providers magnifies interdependencies. “There needs to be a whole new look at this coverage. We need to understand how these third-party providers are being vetted,” she said. Distinguishing between coverage for “Tier 1” providers that have direct relationships with insured vs. “the whole supply chain,” she said that “the systemic risk associated with supply chain providers [is] something that’s not quite quantifiable. And if it’s not quantifiable, it shouldn’t be insurable.”

“The coverage needs to be tailored to the exposure that we can quantify,” she said, noting that while some cedents are adding sublimits around contingent business interruption, it’s not as widespread as she’d like to see it.

Separately, at S&P Global Ratings’ 37th Annual Insurance Conference, Turab Hussain, chief risk and actuarial officer for PartnerRe, said, “Some of the buzz we’re hearing these days is more around the hourly retention on business interruptions being pushed up by the primaries, which then flows into coverage we provide from a reinsurance perspective.”

Meanwhile, back at the CAS session, Gow focused on the growing complexity of the risks to be underwritten. “A modern corporate network touches hundreds of clouds. There are so many third parties involved in different parts of the operation. Over the next five years, it’s going to become even more difficult as the Internet of Things gets wind in its sails, driven by the 5G technology. And then the real integration of operational technology and information technology is going to just make things more complex. It’s going to expand the network surface area vulnerable to attack.”

“Ask any network security person, and they’ll tell you invariably that complexity is the enemy of security,” he stated.

Norman Niami, vice president and actuary for the APCIA, also painted a grim picture of potential events, starting his assessment with the fact that cyber attacks are man-made events. “When you have a hurricane in Florida, the chance of getting a major earthquake in California tomorrow or the next day, or in a few hours, is quite unlikely. But when you have a major cyber vulnerability and an attack, that might end up creating the opportunity for more attacks.”

Turning to questions about cloud, Niami said, “At the beginning, the cloud services were sold as foolproof and 600 percent secure. But now, as we can see every day, there are issues around it. The nature of the security of the cloud services themselves is not very clear and sometimes hidden.”

Picking up on Gow’s reference to growing interest in IoT services, Niami contemplated technology applications in the heavy industrial manufacturing settings. “This is not like us sitting in an office, where an IT message pops up that your system has been upgraded. You might not be able to shut down a major industrial heavy industry site for 10 minutes to upgrade the software.”

Niami and Podmore both referred to talk about government backstops to deal with the potential scale of damage posed by systemic cyber risks. But apart from working with public policy makers, Podmore asked what they thought insurers and reinsurers could do to improve their understanding of these interconnectivities. “Are we doing enough? Are we asking the right questions? Are we getting the right data to understand where the single points of failure can exist? And can we underwrite in a portfolio to manage accumulations the potential single points of failure—for example, cloud service provider, or a software-as-a-service provider in different regions.”

Landaverde said, “Collaboration throughout the industry is critical, and the collection of that data that we’re getting is really important to develop more sophisticated models and really help us understand what the potential worst case scenario will be.”

“I’m a believer that the sky is not falling and the Internet is not going to shut down,” she added. “There are many companies out there that have really sophisticated, layered approaches to cybersecurity. Where we need to get to is a place where all organizations have a minimum set of requirements, a minimum set of best practices—where they’re not easily susceptible to suffering income loss at the moment that one of their suppliers has an outage,” she said, referring to layers of backup and redundancies.

As an example, she referenced early morning media reports stating that Target’s website was taken down by the Fastly problem. Easy enough to check. She typed in Target.com, which was operating normally. “That just goes to show that there is a layered approach to security at some of these organizations. But I think that it needs to become more commonplace—whether that’s something that’s encouraged by the public sector [or] by the insurance sector.”

The way forward starts with a focus on best practices for cybersecurity at client companies. And from an insurance standpoint, there should be a focus on real-time underwriting and alerting clients to vulnerabilities when they exist. Moving to the next layer of coverage protection, she said reinsurers should continue paying attention to the systemic risk, managing it with underwriting appetite, pricing, and event limits.

Gow suggested that insurers and reinsurers may not yet be vigilant enough. “The cyber market has not yet had its Hurricane Andrew…. Hurricane Andrew struck in 1992 and wiped out every bit of profit, I think, that property underwriters had made since the Lloyd’s Coffee Shop days. It forced carriers to really go back to the drawing board, and say, ‘Yes, it looks like we really need to begin to model this a lot more carefully, because we didn’t see that coming.’”

“Until we get one of those events, the industry very well may whistle past the graveyard, and hope we’re going to continue to get lucky.”

“But I don’t think we’re going to be given that opportunity by the regulators and rating agencies who are beginning to look at carriers who write a lot of this and have tens of billions of dollars in aggregate first-party exposure that is subject to some degree to the types of systemic losses” being described. “We’ve got outages of public cloud providers. We’ve got mass malware events. We’ve got critical vulnerabilities in commonly used software or hardware, like routers and switches. [While] the history we’ve had to date would support [Landaverde’s] contention that things might be a little bit more robust than some people may think, [Niami] made the point that the whole environment is so dynamic that it’s impossible to say for sure.”

“Carriers would be well-served to do as much as they can to begin to model these realistic disaster scenarios out and overlay their affirmative cyber portfolios on these to get a better idea of how much they potentially have to lose,” Gow concluded.

Niami agreed, but noted one wrinkle in that plan. “It is hard to do accumulation and risk management when you don’t know how many third-party service providers or connected dependencies a large company might have. Sometimes they don’t even know.”

A Dog’s Breakfast

In addition to describing the growing complexity of the risks they are insuring, panelists homed in on the growing complexity of insurance coverages being offered, suggesting that it’s an area ripe for change.

Did He Say Bricking?

During a session about cyber insurance at the CAS Seminar on Reinsurance last month, Sompo International’s Brad Gow mentioned coverage endorsements for bricking. So, what exactly is bricking?

The website techopedia.com says that “bricking refers to a consumer electronic device that has been damaged beyond repair, making it utterly unusable, often because of damaged firmware. The use of the term stems from the brick-like shape of many consumer gadgets, and the fact that once they are rendered inoperative, they are virtually useless except as a paperweight or a doorstop.”

Expert commentary posted on the International Risk Management Institute website notes that cyber policies historically excluded coverage for damaged computer hardware. As the result of a hacking event, even after malicious software has been removed, hardware may still be considered untrustworthy and require replacement. Bricking coverage provides for the cost to replace such affected hardware (Author Jeffrey Smith, Cyber Risk Underwriters, March 2019).

Similarly, a November 2020 insight posted on the Woodruff Sawyer website (by Cyber Practice Leader Dan Burke) reports that the bricking enhancement covers the replacement cost of technology equipment that is rendered useless by a malware attack. “If your laptop or server becomes as useful to your corporate network as a masonry brick, you’ll know where to look for coverage.”

“These insurance policies today are a dog’s breakfast of eight or nine coverage grants, and more is being added by endorsement for reputation loss, or bricking, or crime coverage for social engineering every day,” Gow said.

Given this coverage mishmash, “the limits that are thrown out there on these cyber policies can be tapped in so many different ways that it has made it extremely, extremely difficult to price, which is something that should be certainly on the radars of everybody on the presentation today.”

“I certainly don’t have the answer, [but] we just have to sort out whether we’re going to break this into smaller pieces or address first party and third party separately,” Gow suggested. “It’s something I believe the industry has to examine.”

Niami noted a related data challenge. “The limits are hit so fast by just one or two of the coverages. Even though the insured might incur a lot more damage, the policy doesn’t cover that,” making it hard to capture all the data that the incident has caused for input into future pricing models.

At a separate session of the CAS seminar focused broadly on the insurance and reinsurance market, Elizabeth Geary, chief underwriting officer for TransRe in North America, spoke about the rapid growth of cyber coverage for business interruption and contingent business interruption during a discussion of systemic cyber risk. Distinguishing the cyber insurance offerings from property insurance, Geary said, “We don’t provide full limit CBI in property, right? And property, we can at least diversify. Cyber it’s very, very hard to diversify.”

“As an industry, we have to get better about asking what the dependencies are and what impact those dependencies have as respects business interruption. That’s a change that has to happen” in cyber insurance underwriting, she said.

Drawing another parallel to property insurance and the risk of a systemic cyber hurricane, Geary expressed concerns about cyber insurance policies for small businesses that put loss adjustment expenses outside the limits of coverage. “We really need to be mindful that it takes a very specialized person to adjust these claims,” she said, referring to cyber business interruption. “As we all saw in Hurricane Harvey, all the claims adjusters go out to Texas, and then Irma comes up in Florida and our loss adjustment expense shot up to 30 percent. With cyber, [if] you’ve got that outside the limits, that’s a huge concern. I think we’re just going to be writing checks all day long,” she said.