IUA Response Shows Need for Real Solutions
Update 7/4/2019: Lloyd’s of London announced that it will require underwriters to clarify cyber coverage or exclusion within property policies starting January 1st, 2020, following the PRA & IUA actions listed below.
Addressing "Silent Cyber" Risk
Cyber risk isn’t going away. Even if it’s excluded.
With news from the International Underwriting Association of two new exclusion clauses for the reinsurers to handle cyber risks, we are clearly seeing a response to a regulatory body, the PRA, which in January directed insurers to come up with a plan by June to address “silent cyber” risk. But it is also a long-time-coming response to an issue that has been looming over the industry since long before the PRA’s missive.
"These two new model clauses provide broad policy exclusions which may be utilized as a starting or reference point for underwriters offering cover for traditional business classes that may include an element of cyber risk."
- Chris Jones,
Director of Legal and Market Services at the IUA
The exclusions are a natural response by the underwriting body to a risk class that has proven in the past 5 years to be not just a major factor in overall enterprise risk, but even a catastrophic risk, as the industry saw when the Wannacry and NotPetya attacks of 2017 impacted multiple multinational businesses and led to billions of dollars in losses. In one sense, the IUA announcement is welcome: with an issue as stubborn as “silent cyber” risk has been, any action is better than no action. (Corvus CEO Phil Edmundson has previously written about why the industry has been so slow to develop solutions). But excluding cyber does nothing to advance the issues faced by the policyholders and their brokers.
What Does This Mean for Insurance Brokers?
Risk managers at insured businesses will benefit from the clearer underwriting that will result from the IUA guidance. But excluding losses from cyber perils simply means they will have to look for other solutions for coverage. Already the spread of monoline Cyber Insurance policies has offered some coverage for many businesses, but those businesses also rely upon the broad (and ambiguous) coverage within P/C and other lines to complete their coverage — in theory — in addition to their primary cyber policies.
When that gray area becomes black and white, the coverage gaps for cyber perils will be laid bare. Primary cyber policies won’t be enough without a drastic change in how they are written. In the near term, affirmative cyber endorsements to other commercial policies will become the only viable route to close the coverage gap.
And as we’ve noted before at Corvus, brokers, in particular, are caught in the middle of an issue that puts them at risk. They cannot control the actions of the carriers whose policies they sell, but they have a duty to provide proper coverage to their clients. Failing to do so could put them at risk of errors and omissions claims. Brokers will be at the forefront of the new world of affirmative endorsements.
“Silent cyber” risk won’t go away overnight. Exclusions will merely open the door to the affirmative policies the industry ultimately will need. Insurers and MGAs now need to step in to provide those solutions.
The rise of remote work and growing concerns over ransomware acted as partners-in-crime to get organizations to hone in on risk mitigation efforts over the past couple years. Through compiling our Risk Insights Index, we found that with certain initiatives — safer or reduced usage of RDP, growing use of email security tools, and other measures taken to limit the impact of threat actors — businesses are more prepared than a year before and ready to play defense. Those efforts are borne out in our finding that the rate of companies who pay a ransom when attacked with ransomware fell by half within a year.
The whisperings of “firming rates” start first, quietly in business meetings, then published in industry reports. Soon to follow, rumblings of a “hard market” are brought to the conversation. It’s cyclical in nature, and we see it across all insurance lines at one point or another. For years, Cyber Insurance stretched far and wide with “soft” market conditions, remaining highly profitable. Now that period of growth, with exceedingly available coverage and inviting terms, has stalled in the face of a hard market.