Senior Underwriter, Reinsurance - London, AXA XL

Surveys of risk managers routinely rate cyber risk or cyber liability among the top ten risks facing companies today. And not surprisingly, options for managing and mitigating various cyber risks are an ongoing topic of discussion in the press, in Lloyd’s, in the boardroom, or indeed within this very forum. So far, however, most of the focus has been from an insurance perspective. But reinsurance clearly has a significant part to play in confronting this evolving and escalating risk.

An Evolving Reinsurance Market

Most direct insurers will be familiar with the client that wants cyber insurance, but often with limited knowledge of their specific cyber risks or the solutions that would be best suited to their needs. Do they understand the range of coverages available? Do they need cyber coverage in the first place? Is it first-party exposures, third-party or both which are of primary concern? These same questions are relevant to reinsurers.

Expert writers of the class know how to manage their portfolios, avoiding saturation in a particular segment or territory, and making sure there is adequate risk management in place via encryption and internal governance. They are also aware of the importance of response times, crisis management and the potential costs involved. These writers will often purchase reinsurance on a traditional risk or clash basis to mitigate volatility and smooth their underwriting results.

More concerning are direct insurers that want to dip a toe into the cyber arena, often through facilities where they don’t control the underwriting; this can be seen as a way to diversify the portfolio and achieve rate on what is perceived to be historically loss-free business. We also see increased interest from direct insurers to provide cover for cyber in the retail and healthcare sectors; some high-profile breaches in these sectors led to significant rate increases, and also improved risk management and controls.

Some direct insurers seek cyber opportunities in the open market while others elect to access this business via MGAs or consortiums. We are regularly approached by clients in London and internationally who are looking to get into cyber. They are usually looking to cover first-party elements like business interruption, data restoration and cyber extortion, as well as third-party exposures such as security and multimedia liability along with the costs associated with breach response including notification, credit monitoring and privacy liability.

Our response is entirely consistent. We want to know if the client has:

- a dedicated cyber underwriter (rather than a PI underwriter dabbling in the class);
- their own Policy Wording and Prop Form;
- an understanding of the notification requirements and laws in the territories they are targeting; and
- sufficient claims capabilities including credit monitoring and data forensics.

We are also working to enable clients to white-label our offering by packaging the form, application and rating model together with crisis and claims management.

What is Covered?

Cyber-attacks are a relatively new phenomenon and the (re)insurance markets are still developing robust solutions for managing and mitigating the various risks. As a result, an issue for reinsurers is cyber-related claims filed under a Commercial GL or other “traditional” policy. A prime target for claiming cover under GL could be the personal and advertising injury section. While cyber claims brought under a Commercial GL treaty have been defended in the U.S., this has not been tested in the UK courts. Also, while an element of cyber exposure has been present in FI language through the Electronic Computer Crime provisions, there are some protections here from “hacktivists” whose objective is to disrupt operations and perhaps make a statement but are not in it for personal gain. And with these coverages, if there is no improper personal gain, there is no insurable loss.

We are also seeing Bankers Blanket Bond and Crime forms being extended to clarify cyber exposures. While cyber is not excluded on PI policies (although we see the coverage sublimited), it almost certainly would be indemnified as the original wording is written on a civil liability basis. In terms of D&O, since there is no perceived first-party exposure a claim would have to rely on D&O negligence or a class action alleging that proper security procedures were not in place. Some suits along these lines have been filed, but so far none has been successful. For example, after a major U.S. retailer experienced a massive breach, a class action was filed alleging that the board had contravened its fiduciary duties by not having the necessary defences in place to protect the company from a cyber-attack and its consequences. This suit was dismissed in July after an independent Special Litigation Committee investigation advised that it was not in the company’s best interest to pursue derivative claims against the officers and directors.

Another challenge is that reinsurance treaties currently lack appropriate exclusions for cyber risks. The CL380, for example, is standard in Marine and Energy treaties, and on original policies, but competitive pressures are pushing some brokers and clients to insist it be removed. However, by just deleting an exclusion are we providing the appropriate coverage in a very technical class? The Lloyd’s Market Association and International Underwriting Association are both keen to develop reasonable exclusionary language, but if we exclude it now are we positively affirming there was coverage in the past? Also, in a challenging reinsurance market clients and brokers are unwilling to accept exclusions, and given the evolving nature of cyber-crime, an exclusion crafted today could be obsolete in six months. In this case, it seems likely that the cyber market will develop in a fashion similar to the terrorism market after September 11th. That is, as more tailored cyber coverages are developed and the market matures, reinsurers should be able to incorporate suitable cyber exclusions into the coverages for traditional classes.

Expertise and Monitoring Are Critical

If aggregation control is under the spotlight in insurance, the concerns are magnified in reinsurance. However, risk coding within Lloyd’s is improving, as is how we apply our exposures to Realistic Disaster Scenarios. And our in-house software enables us to monitor our exposure to individual risks on an original client basis. It will be some time, however, before we can fully monitor exposures to third-party service providers, cloud users and owners. In the meantime, we have regular meetings with our clients to understand how they assess risk, and conduct regular audits to ensure original policy forms are not broadening.

There is also the potential for aggregation from cedants backing consortiums and MGAs. From the client’s perspective, this can be a great way to access the business without incurring expensive setup costs. For a reinsurer, however, that could mean more exposure collectively to the consortium than the exposure individual consortia members face if they back multiple partners. And in these instances, clients also need to consider carefully whether they are comfortable ceding underwriting control in such a complex and high-profile class.

So where does that leave reinsurance? Our clients’ expertise is crucial. Direct insurers regularly work with clients to improve their risk management capabilities and practices. As reinsurers are a step removed from the original policy, our focus is ensuring we back experts rather than following capacity without proper underwriting controls for pricing, aggregation and portfolio construction.

Reinsurers also need to be conscious of the constantly changing legal landscape including data protection/privacy laws and breach notification requirements in the territories where our clients are operating. And while upcoming changes to EU regulations could encourage more clients to buy cyber cover, it could take some time for the markets to respond. For reinsurers, the opportunity – and challenge – is to create solutions to help manage and mitigate even the most complex risks. And that certainly includes cyber risks where our immediate challenge is to help clients grow responsibly and without compromising this evolving and increasingly important class of business.
