Cyber attacks like the pervasive NotPetya that started in the Ukraine and spread around the globe revealed the impact silent cyber risks can have to the insurance industry. Losses emerged in various traditional lines of business. With increasing awareness and expertise, Munich Re is tackling the challenge of transforming silent cyber into affirmative coverage.

While there are continuous and intense discussions within the industry about silent cyber risks, there is no question that existing traditional policies often contain hidden cyber exposures. “Conventional policies were not designed to include cyber as a potential risk. For this reason, coverage in case of a cyber incident might be ambiguous and unclear. Cyber exposure could be covered, although the insurer may not be prepared or may not even be aware of assuming this risk. For insurers, this means that they could potentially assume exposure without proper underwriting and accumulation management. The goal should be to make cyber coverage non-silent either by providing affirmative coverage or by covering it at least consciously”, explains Stefan Golling, Munich Re’s Chief Underwriter. “The risks coming from the cyber peril clearly exist and affect all industries, markets and companies. For this reason, demand for adequate coverage, risk mitigation and assistance services creates a variety of business opportunities. Realising the growth potential requires a comprehensive understanding of cyber and silent cyber and correspondingly an adequate assessment of the existing exposures.”

As almost every conventional policy is exposed to cyber risks, the silent cyber exposure is potentially significant. With cyber threats increasing and prevailing ambiguities in traditional coverages, a need for further clarification exists. The insurance product landscape should therefore jointly addresses the insureds’ need for cyber coverage and clearly define what is covered and what is not in existing policies.

Katja Weber, responsible for Underwriting Strategies & Quality in Non-Life, illustrates “removing ambiguities and adequately considering cyber within a clearly defined risk appetite involves two steps in our view: First, it needs to be decided to which line of business the cyber exposure belongs to, either in the cyber line or as a covered peril in the traditional lines. Secondly, the cyber exposure that remains within the traditional lines needs to be adequately addressed. This means the exposure has to be considered in wordings, risk assessment, pricing and accumulation control“.

As there is currently only limited silent cyber claims data available a possible solution to assess the exposure in the traditional lines could be  exploring loss scenarios. Munich Re has analysed a variety of illustrative Property and Casualty cases to determine how cyber risks could affect traditional policies.

An example for Casualty could be a cyber-induced product defect like contaminated food or vulnerable IoT devices. In most markets, the producer is liable for damage caused by product defects. In such a case the covered loss could imply Bodily Injury, Third Party Property Damage and depending on the product features, Pure Financial Loss.

A potential silent cyber scenario for Property could be a cyber-attack leading to Business Interruption due to loss/damage such as seen in NotPetya in 2017. The emergence of ransomware and other cyber-attacks showed the vulnerability of businesses and the enormous consequences on their operations due to lost/damaged data (e.g. non-availability, corruption, encryption, alteration, and deletion of data, programs, and software).

In order to tackle the silent cyber challenge it is necessary to understand the cyber peril as a whole and to gain clarity and transparency in the portfolios. “When we know where cyber exposures leak unintentionally into conventional lines, then we can start to correctly address and turn them into affirmative coverage and manage the inherent accumulation exposure,” Katja Weber explains. “This process must be a journey shared across industry participants. Our experts at Munich Re have developed an approach and various concrete measures to support our clients during this process. For example, these include an intense dialogue and consulting, a collection of claims, scenario based exposure assessments, wording manuals, accumulation studies, risk assessment tools and underwriting heat maps – just to mention the most important ones.”

Munich Re has the ambition to actively support its clients with regard to cyber and silent cyber. As Stefan Golling points out, “we want to contribute to the cyber challenge being seen less as an obstacle and more as an opportunity for sustainable new business throughout the industry as a whole. Our approach is based on understanding risks, assessing them adequately and thus making them insurable. When talking about Munich Re as a leading global cyber solution provider, he adds, “this can only be done in close cooperation with experts from our insurance clients, our insureds and external partners from the cyber ecosystem, in order to develop a common understanding of how cyber risks should be dealt with.” In addition to risk transfer, this also includes risk management services and security measures. “To this end, we deploy our global cyber teams and rely on a network of renowned external partners to complement our own knowledge and range of services”.

“Reducing the surprises and bringing sustainability to the underwriting process as well as continuous market and trend surveillance should all be aspects of a comprehensive cyber strategy including silent cyber” explains Katja Weber. “The execution will be a marathon, not a sprint. Together with our clients we will continually evolve in order to ensure an adequate insurability of cyber and to leverage the growth potential”.