Is silent cyber risk creeping up on insurers?
by Anthony Dagostino & Mark Synnott
Figure 1. Silent cyber risk factor by line of business
However, a significant fraction estimated a much higher effect, which illustrates how much uncertainty there is over the potential extent of silent cyber exposure. The degree of anticipated risk also varied materially between lines of business. For both auto liability and workers compensation policies, more than 75% estimated the risk factor as 1.01 or less.
For the auto liability line, this may reflect a sense that accidents linked to vulnerability in technology would become product liability losses. The reason for such a low level of perceived vulnerability for workers compensation is less clear.
Given the spread of responses, while the median risk factor for the higher risk lines of other liability and property coverages is a modest 1.01, the mean is significantly higher. The mean risk factor is 1.07 for other liability and 1.074 for property policies. What effect would this imply? Suppose the loss ratio for a book of property business was 60% with all cyber-related losses completely excluded. Assuming that silent cyber losses follow the same severity distribution as other losses, silent cyber exposure might bring this loss ratio to 60.6% using the median view — or 64.4% using the “wisdom of crowds” average view.
Results by industry group
We also asked all respondents to estimate the risk of silent cyber losses in various industry groups. Auto liability and workers compensation showed little variation in estimated risk across industries — probably because the risk was perceived as low overall. However, there were significant industry differences for property and other liability policies (Figure 2), contrary to the aggregated responses across all industry groups shown in Figure 1 for these two insurance lines.
The Construction/Engineering and Industrial/Manufacturing/Natural Resources industry groupings were seen as relatively low risk for other liability losses, perhaps reflecting that these industries accumulate less personal information from members of the public and so are less exposed to data breach liability. It may be that there is a perception that the silent cyber risk is linked to the data breach risk. Industry groupings that consistently handle consumer information — Hospitals/Medical Facilities/Life Sciences, IT/Utilities/Telecom and Financial Services — were seen as higher risk. However, despite several large data breaches in recent years, the Retail/Hospitality industry group was seen as lower risk.
Interestingly, although the best-known examples of silent cyber property losses have occurred in industrial settings, respondents did not foresee especially high risk for the Industrial/Manufacturing/Natural Resources industry group. Instead, the IT/Utilities/Telecom and Financial Services industry groupings were seen as higher risk, perhaps reflecting perceived threats to utility infrastructure.
Given the speed at which cyber exposures are changing, we deliberately sought responses from a broad range of experience levels (Figure 3). While seasoned professionals offer a depth of expertise with loss scenarios and wordings, those newer to the insurance industry may be more in touch with current technologies and how they could be used (or misused).
The survey also includes respondents from a range of functional responsibilities (Figure 4). Roughly half the responses from insurers were from those in analytics or risk management, with the rest predominantly in underwriting; the majority of the Willis Towers Watson respondents were brokers.
Over the coming months, we will be calibrating survey results for practical deployment in the measurement, management and mitigation of silent cyber risk. We also plan to extend the reach and scope of our survey with a follow-up in early 2018. The survey was conducted before the WannaCry and NotPetya attacks, and it will be interesting to see how assessments have changed in light of these and other recent events.
Download the Report
Tags: outlook, silent cyber risk, Willis Towers Watson