Access the ICMIF Knowledge Hub homepage. Members are encouraged to bookmark this page for future reference.

Thought leadership article

COVID-19 has changed how we think about cyber risk

COVID-19 has affected virtually every aspect of our daily lives. As insurance touches almost everything we do, it is not surprising that the pandemic has also had a major impact on our industry. This is especially true for cyberinsurance...

Nearly 1,000 respondents, from 56 countries, participated in Willis Re’s 2020 Cyber Risk Outlook survey, across a cross-section of the risk management, claims, underwriting, legal, broking, and analytics communities. The results show that just as COVID-19 has reshaped how we view so many other aspects of life, it has also had a marked impact on how we view cyber risk.

COVID-19 and cyber exposure

An overwhelming majority of survey respondents (86%) think the frequency of cyber attacks will increase as a result of COVID-19, and over half (54%) think the severity of those attacks will also increase.

This may be down to the sudden and wholesale transition to working from home for many, which has been accompanied by an increase in vulnerability for businesses that did not have either the IT capacity or IT expertise to support this transition or otherwise had inadequate data governance or security controls. While respondents from all geographic regions broadly agreed on the frequency numbers, there was some disparity in views about the likely increase in severity,

There is currently no clear consensus on the biggest driver of cyber-related losses over the next 12 months. Pre-COVID-19, over half the survey respondents (53%) felt that data breach would be the biggest driver of cyber-related losses, but now opinion is evenly split among data breach, ransomware/extortion and business interruption.

Concerns about business interruption have grown at the expense of data breach, with the former rising from 10% to 32% as an expected driver of cyber-related losses. These findings were broadly consistent by geographic region. It might have been expected that with the growing publicity surrounding ransomware, this would increase as an expected driver of cyber-related loss; however, business interruption has been prominent in the news as a leading driver of economic loss arising out of the pandemic (although not necessarily insured loss), which might explain the perception that it will drive more cyber-related losses over the next 12 months.

Respondents are also now more attuned to the potential for a catastrophic loss arising out of a cyber “event.” The chart below shows that pre-COVID-19, 13% — or around one in eight respondents — felt a USD 10 billion-plus insured cyber event was likely within the next five years; now one in three does.

Willis-chart-1

Pre-COVID-19, 13% felt a USD10 billion-plus insured cyber event was likely within the next five years; now one in three does.

From a regional perspective, concern about a USD 10 billion+ insured cyber event in the next five years is strongest in APAC where close to one in two respondents thinks this is likely. It is mildest in Europe: While concerns have risen in line with other regions, only one in five respondents in Europe thinks such an event is likely.

Overall, however, the pandemic has highlighted how collectively dependent we are on digital communication to do business and conduct our daily lives. It has also shown the widespread and devastating economic impact of an unexpected “tail” event that pays no attention to geographical boundaries. These factors might explain a greater appreciation of the potential for a large systemic cyber loss.

wtw_WillisRe_logo_hrz_rgb - July 2019

Willis Re are pleased to share the results summary of its fourth annual cyber survey that monitors the insurance industry’s perception of silent cyber risk. COVID-19 is the focus for its 2020 Cyber Risk Outlook, that looks at how the pandemic has changed the way we view cyber risk and cyberinsurance, and the nature of this risk going forward.

COVID-19 and cyber coverage availability

A greater appreciation for cyber risk should also mean a greater appreciation of the need for cyber protection. 75% of respondents think COVID-19 will lead to an increase in demand for cyberinsurance. Europe was the only region where respondents felt the increase in demand would be less significant, at 62%.

The greater perceived demand for cyberinsurance does not, however, look like it will be accompanied by a commensurate increase in supply. Only 45% of respondents feel the supply of cyberinsurance will increase going forward, perhaps reflecting a concern about the increasing scale of cyber risk that remote working presents and maybe also a general shift toward more cautiousness in insurers’ underwriting appetite for cyber. At 35%, North American respondents were the most cautious about an increase in supply, with APAC respondents being the most optimistic at 65%.

Irrespective of geography, a large majority of respondents (74%) think pricing for cyberinsurance will increase. This conforms with the hardening market we now see affecting cyber and a broad range of other lines of business.

COVID-19 and silent cyber

We also returned to silent cyber (i.e., unspecified cyber coverage in policies not originally designed to cover cyber risk) in our 2020 survey. Despite moves to eliminate silent cyber exposure through exclusions or clarificatory policy language, respondents see silent cyber as an issue that has been exacerbated by COVID-19.

57% of respondents think silent cyber exposure has increased as a result of the pandemic while only 12% think it has decreased. The numbers are broadly consistent by geographical region, with Europe possibly being a little less pessimistic than the rest of the world: 51% of respondents from Europe expect the level of exposure to increase.

The challenges in the courts over business interruption coverage under property policies as a result of pandemic-related shutdowns have highlighted the need for contract clarity, and the uncertainty over liability coverage arising out of the pandemic amplifies this need. Based on our survey result, respondents throughout the world think silent cyber remains an issue.

The chart below shows the perceived extent to which silent cyber remains an issue by line of business.

Willis-chart-2

What do you think will be the frequency of cyber-related losses in each of the lines of business below as a result of unclear policy language over the next 12 months?

For example, 71% of survey respondents think there is a greater than one in 10 chance that over the next year a directors’ and officers’ (D&O) or errors and omissions (E&O) claim will arise out of unclear language related to cyber coverage. Around 65% of respondents think the same will be true for commercial property or liability policies. The problem extends more broadly to cover personal lines (52%), specialty lines (49%) and even workers compensation (43%).

Geographically, respondents in APAC expressed views consistently above these average levels while respondents in Europe expressed views consistently below them. Although comparisons with our prior surveys are not exact, concerns about silent cyber coverage in various business lines appear to be on the increase, quite possibly fuelled by uncertainty as to which claims will or will not be covered as a result of COVID-19.

Conclusions

While there are some interesting nuances by geographical region, our survey results reveal a number of consistencies in the ways in which COVID-19 has affected how we view cyber risk:

  • Perceived exposure is up; we are now more wedded to digital technology than ever before. Bad actors have a wider target to aim at, and in the current environment, it is more difficult to maintain adequate levels of cyber resilience.
  • The massive economic damage caused by the pandemic shows how devastating a worldwide “tail” event can be — a wake-up call for cyber insurers given the enormous accumulation exposures presented by cyber as a peril.
  • Demand for cyberinsurance will continue to grow — supply may not keep up with demand, particularly if increased exposure is leading to more losses — and prices may therefore continue to increase.
  • Despite some corrective actions in the market, silent cyber remains a stubborn and even growing concern. The pandemic has shown what happens when policy language is unclear or challenged — particularly when it comes to business interruption — and this has significant accumulation implications for insurers when it comes to cyber risk.

No one could have predicted the unique and devastating way in which 2020 has developed, and it will be interesting to see how economic conditions affect the cyber market as it continues to evolve at a rapid rate over the next year. In the meantime, we want to thank everyone who participated in this year’s survey and look forward to offering some insights on market views in 2021, by which time life will hopefully be less upside down than it is today.

Click here to download the full 2020 Cyber Risk Outlook report.

Scroll to Top