Cyber Insurance
FIO obviously seeks to learn more about cyber insurance, particularly about the effect of catastrophic losses. On September 29, 2022, the day before publishing its Annual Report on the overall insurance industry, FIO issued a request for comments entitled “Potential Federal Insurance Response to Catastrophic Cyber Incidents.” The supplementary information attached to the request for comments repeats a point from FIO’s initial statement: cyber insurance has become an increasingly significant risk-transfer mechanism. FIO’s comments go on to say that the insurance industry has an important role to play in strengthening cyber hygiene and resiliency. Through underwriting and pricing, insurers can encourage or require insureds to implement strong cybersecurity standards and controls.
The solicitation for comments is divided into two major areas: catastrophic cyber incidents and potential federal responses. With respect to the second area, FIO seeks comments regarding use of existing models such as TRIP, required participation, scope of coverage, moral hazard, risk sharing, reinsurance/capital markets, funding, limitations, and effects on the cyber insurance market.
June 2022 Report: The Effectiveness of TRIP
In June 2022, FIO issued its annual report on the effectiveness of TRIP. Fifteen pages address the availability of TRIP for cyber losses. Within those pages are separate discussions of coverage, the market, ransomware, data call information, and the overall application of TRIP to cyber terrorism losses.
In 2016, the U.S. Department of the Treasury (Treasury) confirmed that the TRIP requirements apply to any policy covering cyber risk written in a line of insurance that is subject to the program. Treasury began collecting cyber insurance data within those lines in 2018. Since then, it has “routinely engaged with stakeholders” to discuss the market and significant developments.
In 2022, Treasury expanded the TRIP data call to request more detailed information regarding cyber risk insurance. Treasury would like to obtain more detailed information relating to the availability and affordability of such coverage. As a result, Treasury now requests premiums and limits of policies written in both TRIP-eligible and non-TRIP-eligible lines of insurance, as well as premium and policy count information broken out by size of the policyholder, cyber extortion coverages, and loss information for ransomware.
Cyber insurance provides coverage for risks “arising ‘from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks,’” as well as potentially providing coverage for physical damage that can be caused by cyberattacks, misuse of data, data storage, and the availability, integrity, and confidentiality of electronic information. Covered events may include “malware, phishing, social engineering, cloud outage, and data exfiltration.” Covered losses may include “costs of forensic investigations, litigation expense, regulatory defense and fines, crisis management, cyber extortion, and business interruption losses.”
Insurers continue to evaluate the extent to which they are willing to extend dedicated affirmative cyber cover for state-sponsored cyberattacks that may seek to further national goals or potentially support terrorists or criminal groups but that are not outright military conflict. An early such attack by the group NotPetya in 2017 was attributed to Russian nation-state actors against Ukrainian interests, and spread across Ukraine to many entities on a worldwide basis. Certain property and casualty insurers that faced NotPetya-related claims under non-cyber insurance policies invoked standard war exclusions (which largely did not speak to cyber impacts) in defense of the claim. Litigation on these issues continues. A New Jersey trial court decided in early 2022 that a war exclusion did not apply to damage caused by a NotPetya attack.
The insurance industry paid most NotPetya claims without invoking a war exclusion under policies with cyber coverage. The aggregate impact of NotPetya was more than $10 billion worldwide. NotPetya led insurers to evaluate the extent to which they are willing to assume the risk of potential systemic exposures driven by nation-based state actors. Lloyd’s released a series of policy wordings providing different levels of coverage for cyber events that may involve nation-state actors. With the onset of the Russia-Ukraine conflict, insurers and regulators have taken steps to address ambiguities as they relate to war exclusions for cyber incidents.
FIO attributes the growth of the cyber insurance market in part to the significant increase in cyber incidents, particularly ransomware. In 2021, one million cyber insurance policies were issued to small policyholders. Medium-sized policyholders were issued 60,000 such policies. Large policyholders purchased 15,000.
North American and European businesses are the most targeted. Some of the principal sectors are industrial, public sector, and consumer business. Treasury estimates $590 million in ransomware payments were made in the first six months of 2021 versus $416 million in all of 2020.
In a 2022 TRIP data call, insurers reported total nationwide property limits subject to TRIP, irrespective of whether terrorism risk insurance was obtained, to be about $270 trillion, and total liability limits subject to TRIP were $150 trillion. By contrast, the corresponding figure for all cyber limits, whether subject to TRIP or whether terrorism risk insurance was obtained, was only $2.4 trillion.
Recent legislation will require mandatory reporting by critical infrastructure entities of covered cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Ransomware and other cyber incidents have led to higher claim frequency and loss severity over the past two years.
Predictably, since 2019, a substantial increase in cyber insurance pricing has occurred, resulting from deteriorating loss experience coupled with the increased demand. Underwriting standards have tightened. They include use of multifactor authentication, training platforms, and policyholder adherence to best security practices. These tightening trends will continue while insurers will also limit coverage under non-cyber policies. Cyber-liability policies typically include an exclusion for bodily injury and physical property damage, meaning that their coverage for an event of cyber terrorism would not extend to such losses. To the extent that TRIP-eligible policies would otherwise cover bodily injury and physical property damage, when the policy excludes coverage for such losses arising from a cyber event, there would be a lack of responsive coverage where a cyberattack is involved, creating protection gaps for policyholders needing coverage. FIO will continue to monitor this development.
TRIP and state regulator data calls require insurers to report whether their cyber policies are written on a package or stand-alone basis. Policies are identified as stand-alone when the policy provides coverage only for cyber risk, while package policies provide broader coverage, including coverage for non-cyber losses. The Effectiveness Report provides graphs comparing stand-alone and package policies for 2019, 2020, and 2021, broken out by surplus lines, captive, non-small, and small insurers. The premium charge per $1 million of cyber limits is reported and charted similarly in the Report. In 2021, one million cyber insurance policies were issued to small policyholders.
Comments Not From FIO About Cyber Insurance and TRIP
Professor Jeffrey E. Thomas made a very interesting observation regarding the size of cybercrime, estimated by the software company McAfee to have been $945 billion in 2021, which was itself an 80% increase from 2018. Thomas cited a Fitch Ratings figure putting losses to cyber insurers for 2020 at seventy-three percent of premiums. Applying that loss ratio to the $6.9 billion in premiums in 2021 resulted in an estimate of $5 billion in losses paid for 2021, which Professor Thomas rounded down to 0.5% (.005) of the $945 billion cybercrime losses estimated by McAfee. However, he also noted that another cybersecurity company estimated trillions of dollars of cyber losses for 2021.
While Professor Thomas used the more conservative McAfee figure, one can only wonder at the real size of the differential between the amount of cybercrime and the amount of cyber insurance. TRIP coverage of cybercrime is limited to acts defined as terrorism. In an email in November 2022, Professor Thomas pointed out how the Terrorism Risk Insurance Act (TRIA) mandates that an event must be certified as terrorism by the Secretary of Homeland Security before it is eligible for the TRIA backstop. A more complete excerpt of his email is in the footnote below.
Cybersecurity is certainly on everyone’s agenda, and the Biden administration recently budgeted $1 trillion towards cybersecurity. However, that amount was allocated among multiple administrative agencies, and little or none of it is earmarked for cyber insurance despite FIO and others espousing that cyber insurance is a part of a program of cybersecurity. It should be noted that some scholars and others actually believe that cyber insurance motivates cybercrime and leads to more cybercrime than in the absence of cyber insurance. So, there is definitely a debate in this area. How it plays out will be interesting but is uncertain. Those on either side of this debate may move one way over the short term and in another direction as years go by. Cybercrime, terrorism, and war are moving rapidly. Individuals, corporations, financial institutions, and governments try hard to keep up, even when they work together. One tendency is to come together with bureaucratic responses—such as rules and regulations—which may slow down the approach. There is clearly no one “correct” way to look at cyber, cyber insurance, legislation, regulation, court litigation, and court review.
Professor Thomas summarized this concern well with respect to cyber insurance in his January 22, 2022 article:
Cyber risk insurance policies are relatively new insurance products and are subject to a push-pull regulatory environment. On the one hand, the need for cyber insurance coverage is being pushed by cyber risk legislation and regulations that impose requirements for companies and individuals to protect against cyber risk and to preserve privacy of data and identity. Insureds are required to meet these requirements and often face liability (for compensation or penalties) for failure to comply. In addition, courts supplying the common law of imposed liability on companies for damages caused by cyber risk. On the pull side of the equation, as insurers seek to develop this market, they have to meet the usual requirements for new products, but the nature of cyber risk has created regulatory challenges such as the complexity of the risk, a lack of historical loss data, and the prospect of risk accumulation and aggregation.
Conclusion and a Rationale for Short Shrift Given to Climate
This article mostly discussed TRIP and cyber insurance. Climate loss is not covered by TRIP, and will not be, unless terrorists are proved able to influence the weather. The Flood Insurance Program is administered and regulated by FEMA, unlike TRIA, which is administered and regulated by FIO. FEMA and the insurance industry both deal with climate-related losses. There has been lots of recent discussion and action by the global insurance industry about climate risk and the problems that it poses. At least temporarily, climate appears to be the number one global insurance focus. However, unlike cyber and terrorism, climate has been a risk for centuries. With much recent comment and analysis, groups are being formed, along with new initiatives. Little is changing in terms of policy language or insurance regulation. There is much activity, but without real substance in terms of lowering climate risk or preventing either reduced coverage or higher premiums. Neither the FIO nor the most consumer-oriented regulators can do much about this concern. Undoubtedly, the year-end 2022 climate report from FIO will expand the conversation. We expect that next year’s annual survey report on FIO will address that climate report and include an in-depth discussion of climate.