Cyber Knowledge Series 2024
Navigating the rising tide of latent cyber insurance claims:
A call for vigilance and strategic action

    In 2015, a pivotal class action lawsuit was filed against Facebook, igniting a legal dispute over alleged violations of the Illinois Biometric Information Privacy Act (BIPA). Fast forward to 2021, and this concluded with a staggering settlement of $650mn. This landmark case, alongside a number of similar litigations against industry giants such as ADP, Six Flags, and TikTok, was exacerbated by the Illinois Supreme Court's interpretation of BIPA, which deems each instance of illegal processing a separate violation. These developments serve as a sobering reminder of the evolving landscape of cyber insurance. The trajectory of these cases highlights a concerning trend in the industry: the rise of latent claim developments that increase in potential after several years due to modifications in legal precedent and regulatory strengthening. This also serves as a harsh reminder that cyber insurance has a casualty element and might not be as short-tail as it may be convenient to believe. As such, we as an industry need to be vigilant, as we cannot manoeuvre as quickly on these long-tail issues as we did so successfully with ransomware. The question is: "How do you know whether a potentially positive-looking underwriting year has large latent claims waiting in the tail, years after notification?"

    Additionally, an example of the most recent trend of litigation is pixel tracking. This code, embedded in websites to track user behavior, has raised significant privacy concerns. Pixel tracking is heavily used online, including on hospital system websites, where it allegedly resulted in several cases of patient appointment information and other protected health information being disclosed to third parties. Because of the highly personal and private nature of the information, these claims have an uncomfortable character, meaning claims arising from pixel tracking usage on healthcare websites could become very costly and drag on for years.

    Business interruption claims, albeit for different reasons, also seem to be contributing to the elongation of the cyber insurance tail due to some of the complexities cyber brings to business interruptions. Here, delays typically center around the collection and assessment of the right information to quantify income loss. The market generally is seeing both settlement inflation and an increase in time from incident to settlement for business interruption claims. The combined challenges of evolving privacy litigation and business interruption are thus undermining the narrative of a shortening cyber tail, a widely held belief in recent years, and thus creating a perilous future for insurers, as large claim costs can emerge years after the policy inceptions or indeed claims events.

    Considering these emerging challenges, any claims with latency, such as privacy-related actions, require heightened vigilance. As these can spike so long after the policy inception, it is exceedingly difficult for insurers to react swiftly to emerging trends, unlike those in ransomware, where events are (more) immediately visible. With the limited history around the development pattern of cyber, any significant jumps in incurred claims on older underwriting years have an outsized leverage on any future projection. Therefore, insurers that have suffered large late losses might face questions to justify the performance of younger years being different. We advocate for a holistic understanding of these claims, emphasizing the importance of client dialogue in deciphering the underlying causes of latent development in claims.

    Insurers are encouraged to engage in dialogue with reinsurers, shedding light on the circumstances surrounding these claims. By understanding the intricacies of each case, insurers can accurately assess risk and refine underwriting strategies accordingly. It is also important for the industry to embrace structured data collection. By capturing detailed causes-of-loss, insurers can proactively analyze emerging trends and anticipate future challenges. This proactive approach mitigates the risk of being caught off guard by evolving loss patterns, ensuring the sustainability of the cyber insurance market. 

    In conclusion, the era of latent cyber insurance claims demands a change in thinking in the industry's approach. We must remain vigilant, adapt to emerging trends, and foster collaboration with clients to navigate this evolving landscape. By embracing data-driven insights and strategic partnerships, insurers can effectively mitigate risk and safeguard the future growth of cyber insurance.

    Experts
    Timothy Marshall
    Cyber Underwriter, Global Clients
    Helga Munger
    Senior Claims Manager