Supervisors are concerned that insurers may be unaware of the full extent and nature of their cyber exposures as, absent exclusions, cyber events could trigger claims on policies that may not have been designed and priced to cover cyber risks. Identifying, quantifying, and managing these silent exposures according to regulatory expectations amid competitive pressures, while maintaining a firm eye on consumer protection, is therefore essential, but not necessarily straightforward.
Supervisors expect insurers to identify and, where appropriate, quantify their silent cyber exposures, and develop a systematic approach to deal with them according to a set cyber risk appetite, which, in turn, should be consistent with the firm’s overall risk appetite. To address unwanted silent cyber exposures, firms may, for example, choose to exclude and then reintroduce cyber risk into add-on policies with appropriate limits, or exclude cyber risk completely and redirect policyholders towards standalone cyber policies, underlining potential ancillary benefits. This will require firms to clarify policy language to make clear what is included in each policy.
Concurrently, insurers need to develop a comprehensive cyber insurance strategy that is adapted to their unique business model, and strikes the right balance between managing exposures and providing useful cover to policyholders. Both the design and implementation of this strategy will be crucial.
In our experience, supervisors are likely to look for indicators of perceived positive and negative behaviours in relation to key risk issues in their interactions with firms. These indicators are likely to have a significant bearing when supervisors evaluate firms’ maturity in dealing with cyber underwriting risks. In this context, positive indicators may include, for example, tracking cyber premiums across the business by using specific coding to tag policies across business lines. Negative indicators may include, for example, a firm being unable to specify or explain the portion of a premium that relates to cyber risk in a specific policy.
Our recent report on Cyber insurance underwriting explores these issues in more depth, focused on challenges related to silent cyber, cyber modelling and data, and managing tail risks. We explore key risks and actions for firms, positive and negative indicators, challenge questions boards can put to their organisations, and a checklist of next steps for firms.
more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite and strategy