Guy Carpenter: failure to find silent cyber solutions might lead to downgrades

Solutions to the issue of silent cyber are emerging amid the uncertainties, according to Guy Carpenter. But firms must take this issue seriously as regulators and rating agencies are now taking a close interest in the issue with the risk of downgrades very real for companies that do not get a handle on the challenge.

Erica Davis and Siobhan O’Brien, both from the Cyber Center of Excellence at Guy Carpenter, told APCIA Today that most stakeholders have responded to the challenges of silent cyber to ensure that safeguards exist for potential insurer exposure identification and protection.

But they stressed that those companies which have a lack of focus on addressing their silent cyber exposures may face ratings downgrades.

Silent cyber, also known as unintended or non-affirmative coverage, refers to the potential cyber exposures contained within traditional property and casualty insurance policies, which may not implicitly include or exclude cyber risks.

As Davis pointed out, unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber coverage, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber, or the language remains untested to the exposure, and could theoretically pay claims for cyber losses in certain circumstances.

As a result of the uncertainties around these potential exposures, insurers face challenges around the lack of uniformity in the industry, risk accumulation and lack of cyber expertise. The general scarcity of available and historical data creates complexities with the modelling and quantification of silent cyber exposures. In the last year, various stakeholders have responded to the industry’s silent cyber challenges to ensure that safeguards exist for potential insurer exposure identification and protection.

“Regulators are concerned with the extent to which insurers may not have adequate reinsurance support and/or capital to be able to sustain a systemic silent cyber event on their insurance portfolios,” Davis said.

“In response, global regulators are enhancing supervision, coordinating efforts to develop a comprehensive approach by requiring firms to have clear strategies and stated risk appetites, encouraging board-level awareness, and establishing issuance of supervisory statements that set out regulators’ expectations of firms.”

Action plans
According to Guy Carpenter, the UK Prudential Regulatory Authority (PRA) stated on January 30, 2019 that: “Firms reported challenging market conditions, broker pressure, and lack of historical data, models, and expertise as the main impediments for the prudential management of cyber underwriting risk. We appreciate these challenges but do not believe they are insurmountable.”

In addition, in January 2019 the PRA issued a “Dear CEO” letter indicating that all re/insurers should develop Silent Cyber Action Plans to evaluate, model and quantify risks.
“Since the silent cyber issue came to light in 2016, the industry has been making various advancements,” O’Brien said.

“Insurers Allianz and AIG, and the Lloyd’s of London insurance market have all announced commitments to explicitly clarify how cyber risks are covered or excluded in traditional policies and to identify when a dedicated cyber insurance solution is needed.”

According to Davis and O’Brien, cyber modelling for non-affirmative risks is still in its infancy but improving. It is anticipated that specific cyber risk quantification models will be able to consider tail risk for multiple consequences.

Companies with a lack of focus on addressing their silent cyber exposures may face ratings downgrades. Guy Carpenter’s International Cyber Center of Excellence, which contains dedicated specialists in broking and analytics focused on providing enhanced solutions to Guy Carpenter’s clients, collaborates with its ratings advisory team, delivering a strategic consultative approach and comprehensive advisory services.

“Through our ongoing dialogue with the rating agencies, we ensure clients stay ahead of changing views, criteria, requirements and expectations related to managing non-affirmative cyber risk, allowing companies to be proactive to changing views that impact ratings,” said Davis.

According to Guy Carpenter, with the new oversight from regulators and the recent Lloyd’s of London requirement for more clarity around the extent of cyber coverage under policies, the re/insurance market is receiving more exposure information and asking questions about underlying portfolios.

It noted that these developments enable industry stakeholders to make more informed decisions and allow the availability of reinsurance capacity.

O’Brien added: “Guy Carpenter’s Global Cyber Center of Excellence works with clients to provide silent cyber quantification capabilities and risk transfer solutions. We partner with clients to migrate them from a non-affirmative position to an affirmative one where cyber is either excluded or affirmatively placed and priced.

“We bring a multi-step framework to help clients manage group exposure.”