Tuning in to Silent Cyber

Posted by Mark Greisiger

A Q&A with Scott Stransky of AIR Worldwide
The exposures associated with cyber incidents and losses reach far and wide, including a whole category of risk called “silent cyber.” With traditional policies offering ambiguous coverage for cyber events, insurers and their insureds face a significant amount of gray area for these risks, which have now become commonplace. To better understand silent cyber and what can be done about it, we talked to Scott Stransky, vice president and director of emerging risk modeling at AIR Worldwide.

What is silent cyber?
If you ask ten people in the insurance industry you will get 15 or more different definitions. Our view is that silent cyber is the risk to non-cyber policies that stems from cyber incidents. Say, for example, you have a cyber attack that causes a fire and the fire causes damage to a building. The traditional property policy includes coverage for fire loss but doesn’t explicitly mention cyber events. That same event could cause bodily injury or business interruption, affecting more exposures that could be ambiguous in the policy.

What is the concern about silent cyber?
When cyber is not affirmatively included in the policy, the insurance market may end up owing large payouts for events that were not accounted for when writing the policy. As we’ve seen, all lines of business and insurance can be impacted by a cyber event—from marine to space to offshore energy. We’ve posited that even agriculture insurance could be affected if someone hacked into crop-dusting planes, for example. It may sound far-fetched but it’s possible. And if these exposures are not spelled out in the policy, they end up being sorted out in court. It may take a big event—as we saw in the insurance industry with Hurricane Andrew in 1992, which put many insurance companies out of business—to serve as a wakeup call and help us better understand the risks before the insurance industry starts to get the issue under control.

Your organization helps carriers model and quantify the expected frequency, severity and financial impact of cyber risk events. Can you give us an example of a black swan incident that had systemic implications or aggregation risk exposures for carriers?
I mentioned the hypothetical fire earlier. Something like that could be caused by a printer. There are printers in millions of companies and homes, many with the same model. If bad actors found out a way to hack it and make it overheat and catch on fire, many properties could burn down as a result with no correlation based on geography or the size of the building, which is how earthquakes and hurricane risk is determined. Our team’s certified ethical hacker recently found that there are tens of thousands of unsecured printers out there, so we know this isn’t that far-fetched of a scenario and if something like this happened, it may or may not be covered by cyber insurance.

We’ve also seen major systemic and aggregation risk with a major financial services organization getting hacked. In addition to the losses that would be covered by a cyber policy, let’s say we’re talking about a public company, and its shareholders would be concerned about losing share value after the event went public. They might decide to sue the company’s directors and officers, or there may be a supply chain effect with other companies this organization did business with now suffering losses and suing the directors and officers. Two years ago we saw NotPetya, which impacted many organizations with business interruption. There was also a German steel mill that got hacked, plus the more recent Norsk Hydro attack—some of these damages are still being decided in court.

Other than raising awareness in the insurance industry about silent cyber, what can be done to address this issue?
It’s not all doom and gloom. There is actually an opportunity here and we are starting to see policies spell out the risk more. We know the risk itself will not be going away, but the way it’s covered by insurance can and should change. It could go one of two ways: Either affirmative cyber coverage will include losses to other lines or the other lines themselves will explicitly include cyber risk. If I were an insured I would want to understand exactly how I’m covered. Another possibility is to look for a bespoke policy through a broker that makes everything more explicit. As a modeling company we are trying to quantify this risk and help the insurance industry better understand why it needs to be accounted for, which should help enable this coverage expansion.

In summary…
We would like to thank Mr. Stransky for his expertise and insights into silent cyber, a topic of continued interest, especially to the brokers and insurance carriers we support who affirmatively offer cyber risk coverage. Given the reach of cyber risk impacting even the most traditional of companies (systems/data, network dependencies, cybersecurity safeguards coupled with privacy practices, IoT, etc.), we expect unforeseen coverage battles to continue, including those with major systemic risk potential. Having cyber risk modeling experts like Scott and AIR Worldwide  can give us some clarity on how to react to a changing marketplace bearing changing risks. For that reason, Scott is always a crowd favorite panelist at our NetDiligence Cyber Risk Summit conferences. While there is no cyber crystal ball, we should look for whatever insight we can into black swan events and their attendant risks.