A look at cyber CBIs caused by a service provider or a supplier
A cyber Contingent Business Interruption (“CBI”) insurance loss can result from damage to the computer system of a service provider or a supplier on which the insured depends.
To illustrate a cyber CBI loss resulting from the failure of a critical technology service provider for information or telecommunication services, take the example of an insured company that manufactures compressors for automobile air conditioning. Imagine the company relies on an externally provided cloud platform to store stock information. Now consider the repercussions for the compressor manufacturer when the provider of this cloud service is temporarily unable to offer its services in the wake of a cyber attack. This leads to a production stoppage for the insured compressor manufacturer and, in turn, to a financial and reputational loss for the company.
In a second example, the same applies analogously when an insured food manufacturer is unable to maintain production because a core supplier of spices cannot deliver its ingredients after a cyber incident. This scenario can also be seen from the opposite perspective: a food manufacturer suffers a cyber attack leading to a halt in production and fails to take delivery from the insured supplier of spices. These two non-tech cyber CBI scenarios, whether seen from the perspective of the supplier or the customer, cover the supply chain of raw materials, parts and components or ingredients, operational technology (e.g. production machines), operating materials (e.g. lubricants) as well as logistics or infrastructure services.
Both the probability and the severity of cyber CBI losses are determined not only by the characteristics of the third party but also by the structure and the business model of the insured organisation itself. Are contracts designed carefully, with sufficient but realistic agreements on service levels? Is there, where at all possible for the insured, an arrangement to monitor the provider's information security level in order to maintain the ability to deliver goods or services? Large companies usually have more and better organisational, technical and, ultimately, human resources. Therefore, perceiving and understanding the risk while also monitoring and continuously improving security is easier to accomplish for large companies than for small ones.
A careful cyber insurer has to consider both the risk assessment, in order to understand the complex interconnectedness of the business models, and the underwriting aspects, in order to generate a profitable book of business. A detailed overview of both aspects is given below.
1. Assessment of cyber CBI exposure for a sound risk selection
The cyber contingent business interruption risk of a single insured company is characterised by the exposure and the information security level of the relevant providers of IT services or of the suppliers of goods. Some insured organisations represent a higher exposure than others by virtue of their industry sector. For example, there is an above-average dependence on IT services among retailers, financial institutions and IT service providers themselves, as well as among organisations active in the tourism, hospitality, logistics and transportation industries. Furthermore, manufacturers of IT hardware, electronics, food and pharmaceuticals, as well as the automotive industry, are highly dependent on suppliers of goods and ingredients.
The relevant control points for an assessment of cyber CBI risk start with addressing cyber security within third-party agreements and with regularly monitoring and reviewing services, including any changes to such services. When learning from information security incidents, it is of utmost importance that an open culture of reporting information security weaknesses exists. Additionally, in the management of the supply chain, planning, implementing, verifying, reviewing and evaluating information security continuity should not be a one-time event. It is rather a permanent process to maintain an acceptable level by considering the cyber CBI risk within the framework of business continuity and disaster recovery management.
The challenge companies face when identifying risk is limited, or oftentimes no, access to the relevant information needed during the appraisal process. In order to reduce this gap, Munich Re is developing an endorsement to its cyber risk assessment questionnaire landscape in order to collect the information necessary for a sound assessment as effectively as possible.
To put theory into practice, risk identification starts by addressing cyber security in agreements with other organisations and ends with the implementation and management of information security continuity after a serious cyber business interruption at an important supplier. But it also considers, for example, the insured's own cyber CBI risk assessment, change management and lessons learned from past information security incidents.
2. Careful underwriting of deliberate risks
Not only is the assessment of the technical risk difficult, but so is the underwriting of cyber CBI for such complex exposures. An insurer may find it very challenging to gain a comprehensive overview of the supply and service chains and often relies in part on auditing the efforts of the insured. Professional supply chain management should be a precondition for granting cover to the insured.
In cyber insurance a contingent business interruption loss must not be covered as standard. It should only be included under certain circumstances:
- It is crucial that the risk situation of the suppliers concerned be transparent to ensure that the risk is assessable.
- It is wise to include only contingent business interruption losses for direct contractual partners of the insured, and to explicitly exclude second and third-tier suppliers. Otherwise the frequency of cyber CBI losses can skyrocket to a level which is no longer insurable due to accumulation concerns.
- CBI coverage for cyber incidents at such partners should be provided only for those named in the policy. Coverage for unnamed immediate suppliers should be offered only as a sublimit of the sum insured for direct suppliers and service providers.
- As cyber insurance is designed to provide cover for pure financial losses, all types of physical perils should be excluded.
Imagine a key supplier of products or services fails to adequately secure its systems or has a malicious insider. Or an administrator at the supplier fails to properly protect access to the network, and as a result that vulnerability is exploited. Accordingly, when assessing the business interruption risks from cyber attacks, underwriters should pay particular heed to the coverage content for contingent business interruption losses.
What does this mean in practice? A first-tier supplier of the insured company suffers a network security breach due to malware. This can be covered. But insuring a supplier's system outage would be tantamount to extreme risk creep. This requires a much higher level of care and experience, since at this point loss frequency increases significantly. It is not the intention of the insured's cyber policy to compensate all IT-related incidents which happen at this supplier – even when they stem from potentially poor IT quality.
Prudent sublimits restrict contingent business interruption risks. Conversely, a risk with no limits is almost incalculable owing to its accumulation potential. In a supply chain, many unknown pathways and many unknown members can exist. Moreover, the cyber portfolio of an insurance carrier contains many such supply chains and, accordingly, many more unknowns. This represents a high accumulation loss potential. Reason enough for the insurer to limit its exposure by limiting insured sums.
A significant time deductible should also always apply. The insurer compensates losses suffered by its client, i.e. the insured company. Therefore, the event should start when the insured organisation, not the supplier, experiences the material impact. The policyholder might have a stock buffer of supplied goods to bridge the gap caused by the interruption, or the service disturbance can be compensated by its own capacity or by other third-party capacity.
Globalisation and the increasing interconnectedness of technology and business, as well as the dependencies that result from it, will drive the demand for companies to find insurance solutions. But the high complexity and lack of transparency make cyber CBI risks a challenge for the insurance industry as a whole. We have already learned from large property CBI losses that we do not have the risk entirely under control. Since cyber insurance is a nascent product, it is crucial that we ask how we can learn from and improve on the property insurance approach with regard to this relatively new cover.
Given the complexity as well as the loss potential of the exposure, cyber CBI insurance coverage should not be offered as standard on the market. Munich Re wants cyber CBI insurance to be provided only in a conscientious way that is both selective and deliberate. An assessment of the exposure in conjunction with a cautious selection of desired risks creates transparency and is thus the basis for careful underwriting. Like the industry as a whole, we are constantly learning to improve methods and quality in risk management, and we look forward to entering into a dialogue with you.