A letter from AIG to its brokers highlights new connectivity between two risks previously thought about very differently, writes David Benyon, Strategic Risk’s editor in Europe
Read any reputable report from a risk management consultancy, law firm or insurance company and a common theme is evident: risk boundaries are blurring and becoming more complex. Isolating and assessing risks in silos or stovepipes is seen as backward thinking and the antithesis of good risk management.
Take the global risk report published by the World Economic Forum (WEF) each January. Connectivity between myriad risk types, globalised supply chains, borderless cyberspace, between cause and effect, and between detonator risks, chain reactions and their explosive consequences – these are the WEF’s recurring themes.
For the banking sector, the financial crisis provided the unplanned schooling. Years of counting capital in neat piles for credit risk, market risk and (more recently) operational risk were abruptly swept aside by Black Swans and unknown unknowns that suddenly formed frightening linkages – most famously liquidity risk – and culminated in systemic risk.
Cyber risk is increasingly acknowledged as the new systemic risk. Its ability to make traditional silos irrelevant – and siloed thinking dangerous – is the topic of great concern in the risk management community. Borders and geography are meaningless. Open doors and threats of contagion exist where borders or barriers previously prevented correlations.
The rush to cash in on concurrent tech trends such as Big Data Analytics, Artificial Intelligence, and The Internet of Things will only add to the connectivity of risks. How long until the servers go down because the toaster caught a virus?
That connectivity is mirrored among risk managers’ traditional partners in the insurance world. They too have dealt in silos. “Silent cyber” has crept into the lexicon within the past year – the notion that insurers have underwritten a lot – i.e. aggregation – of cyber risk within their dusty old liability books, not to mention correlations with property risk, now that physical damage and cyber risks are being seriously linked.
Following this fear right to the top of the risk transfer chain, even the big global reinsurers are getting skittish: Munich Re embraces cyber risk, partnering with insurer Beazley, for example; but Swiss Re’s CEO has gone on record saying he’s trying to limit the scenario of a cyber catastrophe that causes simultaneous losses in Berlin and Beijing by avoiding writing cyber risk altogether.
Data breach has been portrayed as the core cyber risk companies face. Most of the treasure spent by companies’ risk management, anti-fraud and information security teams has gone into combating the risk of massive data losses. Breach is the focus of information privacy rules in Europe and globally, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), respectively.
The cyber-attacks of 2017 revealed convergence between two very different – historically, at least – classes of risk. WannaCry and NotPetya were both blamed on Russian state-backed hybrid warfare. They were not examples of data breaches. They were ransomware. And they have thrown together cyber risk with kidnap and ransom (K&R), because ransomware is an example of a new risk with attributes that transcend traditional boundaries.
In both cases, the cyber intruders demanded payments having gained access to their victims’ computer networks. They locked companies out of their own systems, denying access and denying service. Systems were hijacked, rather than airliners, ships, passengers and crew. These attacks were examples of cyber extortion, including demanding ransoms.
Insurance firm AIG wrote a letter to its K&R brokers on 24 January 2018, in response to the cyber-K&R risk link highlighted by recent attacks, “to clarify their position to provide direction for brokers and contract certainty for customers”, including: what is covered; what isn’t; impact on terms and conditions; the insurer’s claims approach; and what has changed amid evolving risks.
As for what is covered, AIG offered two endorsements for its K&R risk “crisis solutions” business: one for cyber extortion incident response; and another for network interruption arising from any such cyber extortion incident.
The insurer said its cyber extortion incident response endorsement would cover a ransom payment, as well as legal costs, IT forensic investigations, crisis management fees, and the costs of public relations services. Meanwhile, AIG said its cyber extortion network interruption endorsement provides cover for loss of profits due to business interruption, as well as extra expenses incurred to mitigate business interruption.
What cannot be covered under K&R? AIG had this to say: “We will not provide coverage for the costs of notification, defence costs, legal liability, fines and penalties, data restoration, credit and ID monitoring services or post event system upgrades.”
However, if you want to buy “a comprehensive solution to cyber risk” – providing more well-rounded coverage – AIG’s advice was a familiar refrain: buy a standalone cyber insurance product anyway.
What is also interesting is that these risks – cyber and K&R – are historically thought about very differently. Cyber risk is evolving fast, which the insurer acknowledges in its letter, in direct response to the ransomware attacks. The reach of cyber risk is now seen as systemic and the variety of attacks – and their myriad consequences – is broadening fast.
By David Benyon
Editor – StrategicRISK Europe