VIEW 25
Cyber insurance: Product or peril
The insurance industry, in the 330 years since its beginnings at Edward Lloyd’s coffee shop, has grown organically, evolving from the bottom upwards into the industry we see today. This organic development, in the absence of a top down blueprint, has been very effective in responding to client’s demands but has led to a very confusing taxonomy of the classes of cover on offer. Some classes of insurance are defined on industry lines such as marine, energy or aviation. Others are defined on a product basis such as property, kidnap and ransom (K&R), directors and officers (D&O) liability and the like. These two different categorisation methods lead to plenty of definitional overlap. A librarian, believing that classification schemes need overarching coherence, would throw up their hands in horror at this jumble of confusion and retreat, whimpering, to their Dewey Decimal system. Who cares! From an insurance standpoint, it may be ugly but it works…
Non-affirmative Cyber
Until now. The two defining axes of product and industry are illustrated to the right. The kidnap and ransom of a ship’s crew would be at the intersection point of K&R and Marine as shown. But there is a third concept in insurance: the peril. A peril is an event or circumstance that causes a loss such as a fire, floods or tornado. Perils cause damage in both product and industry categories; a tornado can damage buildings (property) and boats (marine). So, perils are represented on a third axis, underlying the horizontal plane that contains the product and industry classes.
That leads us to the key issue: is cyber a product or a peril? Until now, cyber policies have typically been seen as a stand-alone insurance product, represented by the green slice. However, an ‘all perils’ property policy theoretically covers damage from a cyber-attack even though this is not explicitly spelled out. This is known as non-affirmative or ‘silent’ cyber and represented by the orange layer in the diagram. A white paper on non-affirmative cyber called “Are we heading for PC&C?” published in 2018 by Capsicum Re estimated that non-affirmative cyber was nine times bigger than affirmative cyber. Since this cyber coverage is silent, that’s a lot of missing premium for underwriters.
It’s a big headache for regulators too because it means that risk may be being mispriced in the marketplace. How will the problem be resolved? The evolution of the terrorism insurance market offers some clues. After 9/11, terrorist perils became explicitly excluded from property policies and silent terrorist cover became explicit. However, as time passed, and data sets improved, terrorist risk was reabsorbed into property policies again. In a similar way, cyber may move from product to peril and then back again in the fullness of time.
