A review of almost 400 reinsurance contracts underwritten at Lloyd’s of London has revealed potentially significant vulnerabilities and exposures if a catastrophic cyber attack should occur.
Analysis of 392 property and casualty reinsurance policies underwritten by a trio of reinsurers at Lloyd’s revealed at least 40 percent did not contain a standard cyber exclusion in the wording, with one of the portfolios containing no reference to cyber terms in 68 percent of cases, according to Adsensa, the Newbury, England-headquartered firm, which specializes in document analysis and decision support, identifying embedded risks in policy wordings.
“The upshot is that in the event of a catastrophic cyber-attack, reinsurers could find themselves exposed to the full limits on their policies which were originally intended to cover property damage or casualty lines because a cyber ‘hack’ is found to be the proximate cause of loss,” said the company in a statement.
“These data are quite revealing, particularly as they follow the Lloyd’s Performance Management Directorate’s recent call for members to work within its ‘Oversight Framework for Cyber-Attack Exposure Monitoring,” says Laurie Davison, CEO at Adsensa.
“We used our QA Software to analyze the reinsurance contracts from three managing agents and found that as many as two thirds had no reference to cyber terms at all,” Davison added. (The names of the managing agents were not identified.)
“This was quite a surprise, and I imagine very different to how many in the market perceive things,” she said. “There are at least 20 standard market clause references to choose from and it seems that most would expect their policies to contain the appropriate exclusions so they are not covering unintended perils.”
In its statement, Adsensa noted that modeling company Risk Management Solutions provided a range of cyber catastrophe scenarios in their recent paper “Managing Insurance Accumulation Risk.” These scenarios “included mass coordinated data breaches and distributed denial of service (DDoS) attacks on a biblical scale, causing amongst other things, a global collapse in consumer confidence or the theft of billions in assets from financial institutions,” the company continued.
“Cyber attack is now quite rightly recognized as a potential cause for losses on property policies, business interruption, financial lines and many other types of insurance,” Davison noted. “Although only a small sample was taken for our analysis, subscription markets like Lloyd’s see underwriters sharing business on the same slip so when a minimum of 41 percent contain no cyber exclusions at all, it will be difficult to calculate probable maximum losses accurately.”
Adsensa provided a summary of the analysis it undertook of reinsurance contracts:
- The lowest percentage of contracts without any cyber terms was 41 percent, the highest 68 percent.
- Sub-limited coverage terms were very rare (2 percent).
- Non-standard exclusions varied from 15 percent of policies to 50 percent of policies.
- Where standard clauses were present, up to 88 percent were amended in some way, typically indicating the wordings had been provided by brokers and may include write-backs of coverage.