Cyber risks constitute a big challenge for the insurance industry, not just because of the risk of change and the accumulation risk but also due to hidden exposure in policies from different lines of business - silent cyber. What is Munich Re’s approach?
What are the biggest challenges when dealing with cyber risks?
Stefan Golling: Cyber risks are ever-present – as the WannaCry and NotPetya ransomware attacks so spectacularly demonstrated. Some companies affected by malware have incurred costs running into hundreds of millions. What’s more, cyber risks are increasing as devices and machines become more and more interconnected. According to a study by the Ponemon Institute, 98% of the companies surveyed had experienced malware attacks, and almost two thirds had been victims of a web-based cyber-attack. Therefore, for the insurance industry, cyber is one of the most important issues of our time. The growth potential is clear, as demand for cyber coverage as well as risk mitigation and assistance services continues to rise. The biggest challenges are the risk of change, undoubtedly, the accumulation risk, but also the undiscovered cyber exposure that may turn up in policies from all lines of business. These so-called “silent” cyber risks are currently the subject of intense discussion in the industry.
Why is it so difficult to deal with silent cyber in traditional property and casualty covers?
Stefan Golling: Quite simply because there is cyber exposure hidden within existing coverages that have either not yet been identified or has not been adequately assessed. What’s involved here is a large number of traditional property and casualty policies in which cyber risks are not mentioned or are not explicitly included or excluded, and may therefore lead to exposure in such portfolios. Some policies do define cyber risks, but they’re not always clearly worded. Together with our clients we want to identify this ambiguities, and then analyse and quantify them. Our aim is to jointly implement a sustainable underwriting process that provides transparency to all parties, through comprehensive and explicit cover. This includes thorough risk assessment, a sophisticated pricing approach and the consideration of accumulation aspects in order to eliminate these uncertainties.
Some experts consider cyber risks to be uninsurable. What is Munich Re’s postion?
Stefan Golling: There are indeed aspects that we do not want to insure at this time. One example of this would be a widespread outage of external networks, such as power, telecommunications or internet infrastructure. Our approach is based on understanding risks, assessing them adequately and thus making them insurable. This can only be done in close cooperation with experts from insurance and reinsurance, insureds and external partners, in order to develop a common understanding of how cyber risks should be dealt with. In addition to risk transfer, this also includes risk management services and security measures. To this end, we deploy our global cyber teams and rely on a network of renowned external partners to complement our own knowledge and range of services. For example, we cooperate with IT security experts in order to offer solutions for our clients’ entire value chain. Continuous market surveillance is also an important aspect of our cyber strategy. Data from past cyber losses will indeed help us to better classify the risk, but that is only of limited value when assessing future loss potential. The reason for this is the risk of change that we’ve already mentioned: in the course of digitalisation, cyber risks and loss scenarios change quickly and continuously. It’s therefore essential to continually develop one’s own approaches and know-how. We want to contribute to the cyber challenge being seen less as an insurmountable obstacle and more as an opportunity for sustainable new business throughout the industry as a whole. Here, we also see that state and pool solutions could support insurers to provide comprehensive protection for policyholders. If the insurance industry is not able to provide its clients with comprehensive risk transfer solutions and services, this would be an admission of failure. We are ready to accept the challenge.