Property underwriters are feeling the pressure as cyber has become an increasing source of risk within the property insurance industry, according to panelists at Advisen’s 2017 Cyber Risk Insights Conference, held last week in New York City.
“I think ‘under pressure’ is a great way to describe what property underwriters are feeling today,” said John Coletti, senior vice president and chief underwriting officer at XL Catlin. “Property insurers have a lot to worry about right now, and foremost is how to deal with hurricanes and wildfires and that line of business, but I think just as important is how to deal with cyber exposure.”
“To this day, it’s really been an issue that’s been the proverbial can being kicked down the road when it comes to cyber exposure in the property market,” he said. “There’s never been any affirmative assertion on cyber coverage – just a little discussion here and there.”
With recent events curtailing business operations, such as the WannaCry attack, Coletti said he hopes for a turning point in which many property insurers are compelled to take a position on what to do about cyber, he explained.
“I think we’re at that moment,” he said.
He explained that with hundreds of millions of dollars in third-party losses on the business interruption side that need to be paid for as a result of attacks like this, it seems likely property insurance policies may be implicated as reimbursement is sought under those policies.
“I think that will lead the property insurance market to say, ‘We have to do something, because these aren’t exposures we’ve ever underwritten or that we’re equipped to handle,'” Coletti said. “That leads you to the question, ‘What’s going to happen next?'”
He explained that as more cyber events trigger action, cyber policies are expected to emerge that aren’t just financial loss policies, but contain elements of all-peril and all-risks policies.
“It’s going to be revolutionary for insurers,” Coletti said.
Beyond the property insurance market, other areas of insurance are feeling the impact of cyber exposure as well, he added.
“A good example is K&R,” Coletti said, referring to the kidnap and ransom insurance market. “It has had an influx of ransomware claims recently…now we’re getting ransomware claims paid under K&R policies.”
Tim Francis, enterprise cyber lead at Travelers, added that “having K&R coverage and extortion coverage was fine before anybody ever knew about the word ‘ransomware’ but now since its development, people are standing up, taking notice.”
As a result, gaps in cyber coverage as well as overlaps in coverage have become prevalent, at least for the short term.
“I think this is one of those areas where we have gaps and we have overlaps, and inevitably, we’re going to live in that environment for a little bit,” Francis said. “As a carrier, understanding where potential aggregation points are is important, and for a short amount of time, you probably will have opportunities to purchase coverage in multiple different ways. I think that’s ultimately a good thing, and over time, we’ll see that shift.”
This is because many cyber schemes don’t always look like cyber events at first, making the right coverage difficult to pinpoint, he explained.
“A scheme that involves somebody fooling our insureds into doing something they later regret, which is a very broad and encompassing concept, at first blush doesn’t sound like it would be a cyber event,” he said. “Oftentimes, the way somebody is being defrauded doesn’t necessarily have to do with computer systems, or using data, or the kind of things we tend to think about with cyber. It’s easy to say that there’s really no place for that in a cyber policy, but over time as these schemes become much more sophisticated and often linked to some data compromise, it starts to sound more like cyber.”
He offered one example of money being stolen from customers with the growing popularity of W-2 schemes, in which cyber criminals target human resources departments and payroll systems.
“That still sounds to me largely like a crime coverage, but with these W-2 schemes, people start to say, ‘Well, it does sound kind of similar to cyber, especially if it was perpetrated because someone hacked into the system and knows the CIO’s account information,'” he said. “So it starts to sound reasonable to have some element of cyber coverage.”
Ultimately, the insurance industry as a whole will need to not only learn how to better manage cyber risk, but carve out separate policies for true cyber exposure and other new exposures, Coletti said. He warned against lumping them together under one policy.
“These type of schemes aren’t schemes we’ve witnessed before,” he said. “Because it’s new, what we’re trying to do is apply this exposure to some old tried and tested insurance policies, and it just doesn’t work. Crime underwriters are saying, ‘We weren’t ready for this,’ so what happens is the exposure just gets thrown in with cyber.”
“It’s OK for now, but I think ultimately, a lot of these exposures will be better suited under a separate policy. You can’t just dilute cyber policies with anything that is new and different and has some sort of cyber element to it. It dilutes the value of what a true cyber policy is for, which is cyber attacks.”