As hackers wreak havoc with depressing regularity, the insurance industry finds itself forced to contemplate a whole new set of risks.
They range from the theft of millions of credit-card numbers from American retailers to the disabling of the power grid, as happened in Ukraine last December. The dedicated “cyber-insurance” policies that insurers offer against data breaches have become relatively routine. But the risks insurers cover under other policies are also affected by cyber-risks, and they are still struggling to understand this so-called “silent” cyber-exposure.
Insurance that protects firms that suffer data breaches has been on offer for around 15 years. It is much harder to put a precise value on, for example, stolen health records than on a property or car. Insurers sidestep the problem by covering only the direct costs that a company incurs from a hack. Typically, these include hiring a specialised forensics firm to work out exactly what was stolen, notifying affected customers (which 47 American states currently require), short-term business interruption and fines.
The industry will be shaken up by new EU data-protection rules, which come into force in 2018 and will impose stricter notification requirements and stiffer fines for data breaches than firms have so far faced in America. Partly because of this, the market for cyber-insurance, which represented only $2.5bn in global premium revenue in 2014 (90% of which came from American companies), is expected to treble by 2020, according to PwC, a consultancy. That would still leave it tiny in comparison with, say, the $670bn global motor-insurance market.
Data breaches are, however, for the most part a manageable nuisance rather than a disaster. Despite the hundreds that take place annually, only 90 since 2010 have been reported by American companies to regulators as having had a “material” impact on their business.
The bigger concern is the “silent” exposure: cyber-attacks that cause physical damage or bodily injury and can end up triggering other policies, such as life, home or commercial-property insurance. Often, such policies, though not designed with cyber-risks in mind, do not specifically exclude them either. In some cases the difference may be minor; a burglar who enters a house by hacking a “smart” lock will not necessarily steal more than one who breaks a window. But cases such as the massive damage caused to a steelworks in Germany in 2014 by hackers who messed with a blast furnace, or the hacking of the Ukrainian power grid (blamed by many on Russia), give insurers pause. They have added urgency to efforts to understand, measure and calibrate their exposures to these new threats.
With real-world precedents still too rare to form the basis of any reliable estimates, the industry has turned to using hypothetical scenarios. At the end of last year, for the first time, Lloyd’s of London, an insurance market that specialises in niche and emerging risks, asked its syndicates (groups of insurers and brokers) to come up with “plausible but extreme” cyber-attack scenarios, and report back their estimated total exposure, in what is to be an annual requirement. The exercise follows a cyber-scenario report in May 2015 from the management of Lloyd’s itself on a hypothetical hacker-caused blackout of the entire power grid of the American north-east. It estimated this would cause direct losses to business revenues of $222bn, and a total dent in GDP of over $1trn over five years.
Many insurers are turning to outside expertise. Matt Webb of Hiscox, a specialist insurer, describes an “arms race” between analytics firms such as RMS and Symantec, offering their long-standing modelling prowess (RMS is already well-trusted on hurricane modelling, for example) to help insurers understand their cyber-liabilities.
But even if exposures are better understood, limiting them may prove tricky. Kevin Kalinich of Aon, an insurance broker, points to the near-impossibility of drawing a line, for example, between cyber-war or cyberterrorism and “normal” hacking. Cyber-crime knows no geographical bounds, unlike, say, a Florida hurricane. Mr Webb reckons that insurance policies will at a minimum need explicitly to recognise that cyber-risks are covered or to exclude them, just as many policies already include exemptions for terrorism or war.
Although insurers are already helping companies with more humdrum data breaches, the industry still lacks a clearly formulated response to a larger-scale cyber-calamity. Inga Beale, CEO of Lloyd’s, is optimistic that the market, thanks to its exacting modelling exercises and its unique risk-sharing structure, is better equipped than most. But only a devastating, real-life cyber-attack would test how effective its preparations have been.