Fitch Ratings: Silent Cyber Assessment Key to Managing Evolving Insurance Risk

Property and Casualty (P/C) insurers are gradually gaining sophistication in measuring risk aggregations and modeling potential losses from catastrophic cyber events, but the efficacy of this analysis is inhibited by exposure to non-affirmative or "silent" cyber risk, Fitch Ratings says. Many insurers now view cyber insurance as an attractive source of premium growth and profits. However, future segment performance faces considerable uncertainty given the evolving nature of cyber incidents in a constantly changing technological, legal and regulatory environment.

Source: Fitch Ratings | Published on December 16, 2019


Insurers face silent cyber risk when broad commercial package or other insurance policies neither explicitly address cyber-related coverage terms nor specifically exclude cyber risks. This ambiguity in coverage can lead to disputes and litigation following a cyber event, when insureds seek funds from available policy limits for protection; it also poses a risk of reputational damage to insurers.

Large silent cyber exposure can restrict an underwriter's ability to measure risk aggregations and correlations of exposure to cyber risk. In a wide-ranging cyber event, this could lead to large unforeseen losses and, in more extreme circumstances, could cause material reductions in capital, which could negatively pressure individual ratings.

Efforts to assess the financial impact from the most severe cyber events include a recent report from Guy Carpenter and Cyber Cube that estimates a 1-in-100 probable maximum loss for the U.S. insurance industry of $14.6 billion. Challenges in measuring silent cyber exposures and the unique nature of cyber events add to the difficulty of creating cyber catastrophe models with analytical value similar to that of well-established natural catastrophe models. Uncertainty lies in estimating the probability of severe events that have never taken place, such as attacks on utilities and energy infrastructure or larger ransomware or cloud service attacks. Also, risk correlations for cyber are not related to the geographic location of the insured.

Underwriters are increasingly aware of the potential exposures posed by silent cyber risk, but remedial actions are moving at a varying pace. Three major insurance carriers recently took public steps to address silent cyber risk that will likely shape market direction. In September, AIG announced an objective for commercial policies to have affirmative cyber coverage or clear exclusions going forward. Beginning January 2020, Allianz will make clear how cyber risks are covered in traditional P/C policies and define scenarios for which a dedicated cyber insurance product is required. Lloyd's of London announced that by 2020 it will require underwriters to affirmatively state whether first-party property damage policies include or exclude cyber coverage.

Lloyd's action was influenced by the Bank of England's Prudential Regulatory Authority (PRA) 2019 move to require UK insurers to develop action plans to address silent cyber risks. The PRA noted that casualty, financial, motor and A&H lines have outsized silent-cyber exposure. Regulators in other jurisdictions are likely to take a more active approach toward encouraging affirmative cyber coverage going forward.

U.S. statutory cyber direct written premiums doubled from 2015 to 2018 to $2.0 billion. Demand for cyber insurance coverage is expanding as policyholders' awareness of cyber threats grows with the proliferation of data breaches and more recent developments in ransomware attacks. Client take-up rates for cyber coverage increased to 38% in 2018 from 31% in 2017, according to global broker Marsh. A more active approach by insurers to write affirmative coverage or more specifically add sub-limits or exclusions related to cyber in traditional policies would likely increase cyber take-up rates and further bolster segment premium.