From Pandemics to Cyberattacks: An Introduction to Silent Risks

by Layla Trummer, ACAS, Candidate Liaison Committee

One of the exciting parts about working as a P&C actuary is that the work is constantly evolving. With each new emerging risk or large event, the industry learns more so that we can charge an appropriate price for the risk we are assuming. Adequate pricing ensures the solvency of the insurance industry, but what happens when an exposure is not explicitly included or excluded from coverage? These “silent” exposures have the potential to cause significant losses. Two timely examples of silent exposures are silent cyber and silent pandemic risk.

Silent cyber is a peril in which cyberattacks cause losses in traditional lines of business. These lines of business are not designed to cover cyber-related losses, yet cyberattacks are neither explicitly excluded nor explicitly included as a covered peril. A similar definition applies to silent pandemic risk, where contract language is ambiguous with regard to pandemics and could trigger claims. Silent cyber and silent pandemic risks are not to be confused with affirmative cyber (which refers to the cyber line of business) and affirmative pandemic covers (contracts that specifically cover pandemic risk).

Cyberrisk increases as more devices become interconnected through the internet, and pandemic risk increases as the world becomes more interconnected through travel and global supply chains. Exposures that used to be isolated are now correlated, making diversification more difficult. Portfolios have higher levels of risk aggregation when a single cyberattack, or a single pandemic, impacts multiple policies.

Commercial property lines are most exposed to both silent cyber and silent pandemic risks. Silent cyber can lead to higher losses for both physical property damage and business interruption. For example, an IT system safeguarding the control room of an industrial plant could be the target of a cyberattack, leading to a system failure that results in an explosion. For pandemic risk, contract language for physical damage definitions could be ambiguous with regard to whether a pandemic is a covered peril that could trigger business interruption claims. Property is not the only line where silent risks are already present, however. Consider a professional liability claim where an IT provider could be liable for losses stemming from silent cyber exposures if the provider is deemed negligent in providing a secure network. Or consider a directors & officers liability claim emanating from inadequate disclosures during a pandemic.

Silent exposures are very hard to quantify and therefore difficult to price, so the insurance industry has largely excluded silent exposures by using specific contract language. Following the SARS outbreak in 2003, many insurers added exclusions to standard policies for losses triggered by viruses or bacteria. For silent cyber, the turning point event was the Petya/NotPetya ransomware attack in 2017. This is one of the largest examples of silent cyber losses to date, with silent cyber accounting for around $3 billion in insured losses (whereas affirmative cyber accounted for only around $0.3 billion in insured losses). Following this event, a market exclusion was adopted for silent cyber and the industry shifted to writing separate policies specifically designed for cyber exposures. Silent exposures still exist, however, since not 100% of policies are able to exclude them for various reasons.

Both silent cyber and silent pandemic risk should be placed in affirmative covers to ensure the viability of the insurance industry. Governments around the world are currently relying on the risk expertise of the insurance industry to develop backstops for pandemic risk. For example, as of March 2020, the U.S. Congress is drafting PRIA, the Pandemic Risk Insurance Act, which is inspired by TRIA, the Terrorism Risk Insurance Act, enacted following the World Trade Center event. PRIA will backstop the business interruption insurance market similar to how TRIA backstops the terrorism insurance market. The cyber line of business currently represents an exciting growth area in the industry with several opportunities for actuaries. The insurance industry is learning together when it comes to cyberrisk, and the need for the risk to be insured is getting increased attention. The P&C insurance industry will continue to evolve, to the benefit of actuaries, because at the right price, any risk is insurable.