Terrorism and Cyber Crime

Key Developments During 2018

Terrorism: Threat Landscape

  • Marsh report in their “2018 Terrorism Risk Insurance Report” that attacks by ‘lone wolves’ and small groups against soft targets are becoming more common, vehicles are increasingly being used by attackers, and the threat of cyber attacks continues to grow. The EU Terrorism Situation & Trend Report 2018 confirms that recent terror attacks by jihadist terrorists have followed three patterns: indiscriminate killings; attacks on symbols of Western lifestyle and attacks on symbols of authority.
  • Buyers of terrorism coverage are seeking expanded coverage that includes active assailant events and gives first- and third-party business interruption protection for lost income or revenue without the need for a direct property damage trigger.

Terrorism: Pool Re

  • The Counter-Terrorism and Border Security Bill will amend the scope of reinsurance available to cover business interruption losses through an amendment to the Reinsurance (Acts of Terrorism) Act 1993 to enable Pool Re to extend its business interruption coverage to include losses that are not contingent on physical damage to property. The 1993 Act is being amended so that a loss will fall within coverage where it results from interruption to business resulting from or consequential upon acts of terrorism. The Bill has had its third reading in the House of Lords and been returned to the House of Commons for the amendments to be considered.
  • In January 2019, Pool Re announced that as a result of sufficient capacity now existing within the commercial insurance and reinsurance markets to cover contingency losses arising from acts of terrorism, it will cease to reinsure Members for the contingency cover they provide to their insureds. After Q1 2019, therefore, it will not be possible for Member insurers to cede this class of business to Pool Re. Most of the risks formerly ceded to Pool Re consisted of sporting events, concerts and tours. Actuaries may need to take into account changes in risk profiles from retaining these coverages gross or transferring them to commercial reinsurers.

Cyber Crime: Threat Landscape

  • In its Cyber Risk Outlook 2018, Judge Business School, Cambridge University reports on the international nature of cyber risk, with loss events reported in over 150 countries. The potential for global contagion was illustrated by the WannaCry and NotPetya attacks in 2017. It also reports that the commoditisation of cyber criminal tools (Ransomware-as-a-Service, Malware-as-a-Service and DDoS-for-Hire) has made global extortion and business disruption campaigns accessible to the less experienced, with crypto-currencies and anonymity fuelling the spread of cyber crime.
  • 2018 has shown that politics, deception and malicious intent are also sources of cyber risk. More evidence came to light of alleged Russian cyber attacks in Ukraine, the potential influence of Cambridge Analytica and fake news on the US Presidential election and in the Brexit campaign. The ability for data to be misused and for disinformation to spread was recently explored by the BBC in its “Beyond Fake News” project.
  • The number of attacks and the attractiveness of Financial Services as a target are illustrated by a 2018 Forbes report which states that cyber attacks cost financial services firms more to address than firms in other industries ($18 million per firm vs. $12 million for firms across industries) and that they “fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries”.

Cyber Crime: Regulator Actions

  • HMT, the BoE and FCA work together to manage incidents which impact or have the potential to impact the financial sector, which includes working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) for cyber incidents. As well as issuing guidance around operational resilience, they have organised a series of cyber exercises to test the sector’s response to a large-scale cyber attack. Such testing aims to test a firm’s defences and its ability to detect and respond to a range of external attackers as well as people on the inside.
  • Non-affirmative, or silent cyber, is an area which continues to raise concern for regulators, insurers and risk managers. Silent cyber refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. Traditional policies may not explicitly include or exclude cyber risks, and this ambiguity can result in a scenario where cyber losses are paid under a policy that was not originally designed to cover them. There have been silent cyber losses on non-cyber lines of business for various insurers, e.g. as a result of the NotPetya attack. In its July 2017 supervisory statement “PS15/17 Cyber insurance underwriting risk”, the PRA set out its expectations that firms should be able to identify, quantify and manage both affirmative and non-affirmative cyber coverage. Actuaries working in this area may face problems including limited data, ambiguity of policy wordings and difficulty in assessing aggregations of exposure, as well as the changing nature of the underlying risks.

Cyber Crime: Actuarial considerations

  • The IFoA paper “Cyber operational risk scenarios for insurance companies” sets out a framework for actuaries and others to robustly assess the potential losses stemming from cyber risk that their insurance organisations face.

Summary of 2017 Discussion and Actuarial Implications

  • The changing nature of crime may pose challenges in managing disruption and associated costs.
  • Setting assumptions for pricing, measuring accumulations and reserving for terrorism and cyber crime policies is challenging given the limitations of the data and uncertainties in the future developments of the risk profile.
  • Actuaries may need to work collaboratively with others to increase their understanding of the underlying risk drivers and develop ways to measure and respond to them.
  • Terrorism coverage was traditionally designed to cover property damage, but significant losses have occurred in recent attacks from business interruption, e.g. police cordons, reduced visitors. Coverage may be insufficient for small business and individual travel policies.
  • Cyber risk is a continuously evolving threat - it is a challenging risk to assess, with limited historical experience available, and rapidly changing patterns of loss.
  • It is a result of economic and technological risk drivers, and it often exploits people’s culture and behaviour to breach computer security.
  • Insurers and pension schemes hold large amounts of personal and financial data that is attractive to criminals. Scheme members and policyholders are also vulnerable to fraud and scam attacks.
