Short history of cyber coverage creates loss reserve challengesReprints
The rapid growth of cyber insurance coverages of the past several years is creating challenges for claims professionals as they seek to set loss reserves and forecast claims for a product with little loss history.
Eventually, experts say, more standardized measures of determining loss reserves will develop, but at this point there is no consistency in the process.
“The bottom line is it’s very hard to put numbers against these incidents,” said Paul Handy, London-based head of global technical services for Europe, the Middle East and Africa at claims management firm Crawford & Co.
“It takes quite a bit of effort to understand what is going on when these attacks occur. That’s the complication from the client’s perspective, so you can imagine what we’re seeing from our perspective,” said Doug Backes, Johnston, Rhode Island-based manager of staff claims for FM Global.
“The key challenges are the limited historical precedents,” said Tom Harvey, London-based model product manager for Risk Management Solutions Inc.
Other lines have a “very long history” and have “well-established models,” he said. But because of its limited history, forecasting cyber loss reserves is “trickier” than other lines of business where trends can be used to forecast losses going forward.
New entrants in particular “don’t have an historical view. It’s very difficult to project forward based on what an individual claim can look like,” how large a potential claim can be, how many claims can be expected within any given year and what percentage of companies will report these claims, Mr. Harvey said.
Fact patterns are not analogous, said Jackie Waters, Chicago-based managing director and practice leader of Aon Risk Solutions’ financial services group legal and claims practice, focusing on data breach losses.
For example, when talking about a U.S. Securities and Exchange Commission-related claim in the directors and officers liability market, the same rules apply “regardless of the business you’re in,” so they can be used to establish guidelines and predict values, she said.
But with data breach losses, there are differences in the size of the businesses, the kinds of records kept, how they are kept, the kind of incident that occurred, the type of breach, and what was or was not taken. “It changes the equation a lot,” Ms. Waters said.
Another factor is that the coverage being offered is fundamentally changing, said Mr. Harvey. Just 18 months ago, little business interruption was being provided as part of cyber coverage, but now business interruption and contingent business interruption is increasingly being offered as part of a standard cyber policy, “which is different than the breach and privacy type of coverage that has been provided for a number of years,” he said.
“You may find yourself in a situation where the claims that are starting to arise” are for issues “you did not have any kind of expectation of,” said Eric Cernak, Hartford, Connecticut-based cyber risk and privacy practice leader at Munich Reinsurance America Inc. Ransomware, for instance, is “really prevalent now,” but that was not the case four or five years ago, when a policy form merely “might have provided some form of cyber extortion coverage.”
Observers note the recent WannaCry malware, for instance, affected some 300,000 computers worldwide.
Risk aggregation can be a factor in several respects, said Kurt Suhs, Atlanta-based senior vice president and chief cyber underwriting officer for Ironshore Inc. Cyber losses potentially affect lines including D&O, property and professional liability in addition to cyber.
Furthermore, a firewall’s security flaw, for instance, could affect 100 companies, Mr. Suhs said. Geographic risk aggregation can also be an issue if, for instance, a cyber problem causes a 100-story building’s air conditioning unit to fail.
Kenneth K. Dort, a partner with Drinker Biddle & Reath L.L.P. in Chicago, said he does not anticipate risk aggregation will become an issue for insurers in response to WannaCry despite its wide distribution.
“I’m not sure this is really a question of risk aggregation as it is of risk control,” he said. He said he anticipates the malware will lead the various players involved, including insurers, to “really bear down” and make sure policyholders’ systems are “truly secure in the context of risk minimalization.”
Mr. Harvey said at this point some insurers are using scenario-based modeling, while others are using “crude probabilistic” models. “There’s really a whole range of approaches that companies are taking” in their risk modeling. “I suspect in time more consistent approaches will be used,” he said.
People like to draw analogies between cyber and employment practices liability insurance, which took perhaps 40 years to develop consistent standards, said Mr. Suhs.
“We are only at the 20-year mark with cyber,” he said. “We still have another 15 to 25 years.”