Cyber risk rising

January 5 2018 by Nick Ferguson

Will 2018 be a breakout year for cyber? While such risks continue to cause headaches for some industry professionals, insurance buyers are increasingly worried about their exposure and insurers are falling over each other to sell products that ease those concerns. But are underwriters prepared for the digital equivalent of Hurricane Andrew?

Cyber risks — not just hacker attacks or malware infections, but also mundane technical failures or IT glitches — have increased significantly in the Allianz Risk Barometer rankings over the past five years, driven by the seemingly endless supply of high-profile events that continue to make the news.

From an airline grounding its entire fleet due to the failure of an ageing computer system to hospitals being shut down by a cyber attack, 2017 offered plenty of reasons to be concerned about the risks that lie buried in corporate IT systems.

Indeed, the NotPetya ransomware attack in June last year was possibly the most costly cyber event in history. Delivery company FedEx said in September that the incident cost its TNT unit roughly US$300 million, while shipping company Maersk announced a similar estimate and consumer goods company Reckitt Benckiser put its losses at US$150 million. Assuming there are many other companies with losses of similar scale to these, the total cost must easily run into the billions.

Given the size of the potential exposures and the lack of loss history, particularly in Asia, accurately underwriting such risks is a problematic endeavour.

“We lack historical claims data because it involves an insurance product that is still relatively new in our portfolio,” said Hartmut Mai, chief underwriting officer for corporate lines at Allianz Global Corporate & Specialty, in a report last year. “Also, companies shun publicity when they have been victims of a hacking attack because they are worried about their reputation.”

Given that some risks are therefore difficult to adequately transfer to the insurance market, companies should probably focus their efforts on building systems that are secure and resilient in the first place. But this is easier said than done for businesses that have global operations, are engaged in multiple M&A deals or have systems that connect to third parties.

The story of how TNT was infected with NotPetya illustrates the point. During a conference call with analysts, FedEx’s chief information officer said TNT, which was in the process of being integrated into FedEx’s IT system after their 2016 merger, had been exposed to the attack through an infected tax software update used by its Ukrainian office. As a result of that small chink in its cyber armour, the entire company was reduced to communicating over WhatsApp and was left with tens of thousands of unprocessed packages at the end of the day.

While the high-profile nature of such attacks has driven interest in cyber policies, according to insurers, it has also undoubtedly encouraged hackers to create new malware that will be deployed in 2018.

And the risk for companies is set to ratchet up in May, when the EU’s new data protection regulation enters into force. It applies worldwide and carries fines of up to 4% of total worldwide annual turnover for companies that expose EU customer data while in breach of the regulation. One thing is for sure: the number of Asian companies that are liable under this regulation is far bigger than the number that comply with it.

Cyber risks are somewhat unusual as they are unlimited. What this could mean was brought into sharp relief as soon as the new year got underway, when it was revealed that all Intel processor chips made during the past decade have a serious security vulnerability — a potential back door affecting tens of millions of computers worldwide. This is the type of thing that hackers dream of finding, and one day they probably will.

By some estimates, global cyber limits are roughly US$100 billion, most of which is in the US. The industry could certainly cope with a loss of that scale, but it is difficult to say what such an event would mean for future policies. Unlike hurricanes, cyber attacks are certain to increase in both frequency and severity on time scales that make climate change seem, well, glacial. Will 2018 be the year that tests the market?