By Dan Reynolds
Scenario: It wasn't that insurers hadn't seen aggregated exposures like these before, because they had. It wasn't that they weren't aware of the danger, because they were. Well, they thought they were anyway.
As things turned out, it was the very invisibility of the risk that undid so many carriers and their insureds.
They say of aquaculture risk that it can be so tricky because shrimp and fish move. They slip through nets and are out into the open ocean before you know they are gone.
That turned out to be so much the same for the risk of stolen data. Between the years 2010 and 2014, carriers, eager for new markets to help them escape the doldrums of an extended soft market, began to sell more and more cyberrisk coverage.
Prices were cheap. There was plenty of capacity.
It's a maxim of the insurance world that uneducated capital will enter markets seeking premium volume, leading to great risk for the unwitting carrier and prices that are far too low for anyone's good.
Most of the premium volume in 2010 through 2014 was in the excess and surplus markets, although there were a few admitted carriers that sold it. But when it came to understanding the risk, in the end it turned out that most of the underwriters were relatively uneducated.
A consultant's report produced in early 2013 sent shockwaves through the business world and rankled the U.S. State Department.
Individuals thought to be connected to the Chinese army hacked into corporate technology infrastructure, mostly in the United States and Canada, according to the report.
Using spearphishing and other tools to bypass network passwords, the Chinese hackers set up "back doors," conduits through which they could pass information out of the hacked business's technology infrastructure at will.
One of the more shocking aspects of the report on the attacks was that the intruders operated inside business and government firewalls for years, picking up information in key industry areas like oil and gas, and electricity transmission, and transferring the information at will.
But what we all learned in 2013 was dwarfed by what we found in 2014. What the insurance industry and its clients feared most occurred. Not one, but two major cloud vendors, that each stored data for hundreds of commercial clients,
Investigators once again suspected the Chinese, but in these cases, there really was no way to determine who carried out the attacks. All the cloud vendors and their customers knew was that the systems were breached and that terabytes of business and personal data, a lot of it medical data, was gone.
The aggregation of claims numbered into the thousands. Cloud vendor customers, who were in turn storing their customers' data on the cloud, thought they successfully transferred the risk for any loss of data and privacy claims to the cloud vendors.
But a closer examination of their contracts left that issue open to debate, which meant litigation.
To their credit, carriers limited the cyberrisk coverage they offered between 2010 and 2014, although in some cases those limits stretched into the tens of millions.
The combination of conservative limits, coupled with the sheer number of customers that were affected by the breaches, spelled big trouble for the businesses that hosted important data on the cloud.
With inadequate insurance to fall back on, those companies that failed to read their cloud vendor contracts properly and purchased inadequate insurance limits found themselves the target of dozens of class-action lawsuits. The aggregate, uninsured settlement amounts would exceed $1 billion.
Analysis: The amorphousness of cyberrisk, that it could affect any industry and produce privacy loss claims in the hundreds or thousands per company, is what has risk managers on edge.
"The frightening thing about cyberrisk is that it could hit almost every sector," said Neil Smith, an emerging risks expert at Lloyd's of London.
"Businesses are increasingly dependent on digital technology, from financial services to manufacturing," Smith said.
Although reports in 2013 linked vast numbers of cyberattacks to operators in China, in many cases, should an attack occur, finding out who the author of the attack is could be next to impossible, said Jim Whetstone, senior vice president, U.S. technology and privacy manager for Hiscox.
"I think from our perspective it is important to understand that you may not know if it is state-sponsored or not," Whetstone said.
Whetstone and others said that a breach that struck a cloud provider would be worrisome.
"This has clearly got the attention of the insurance industry because it is an aggregate exposure," Whetstone said.
"I think it is definitely something that the industry is realizing that there is that aggregation, that a single event could trigger multiple policies."
A broker with a technology focus agreed.
"It is a huge exposure and is not only a worst case scenario for the clients and the insurance buyers but also from an insurance company standpoint because these cloud providers are data aggregators essentially," said Zach Scheublein, an associate director with Crystal & Co.
"If insurers are not underwriting towards their clients' use of cloud providers, they are opening themselves up to a huge loss from an aggregation standpoint," Scheublein said.
Determining who should shoulder the liability from a big loss should a cloud provider be breached will be very tricky, and that is where litigation costs could become another worry.
"Certainly cloud providers do recognize that there is an exposure there because in a lot of cases if you read their contracts with their clients they disclaim any liability for a breach," Whetstone said.
"They know they can't take on that much liability," he said.
Should there be a loss, a company that collects sensitive data and stores it on the cloud may think it transferred that risk to the cloud provider. But a closer reading of its contract may prove that is not the case.
"I may have contracts with my clients and then I have that outside contract with my cloud provider. Was I able to transfer the risk through to the cloud provider?" Whetstone asked.
In many cases, the cloud vendor may have no idea what a customer has stored on its numerous servers.
"They really don't know what it is," Whetstone said. "They don't really care what it is. If a breach happens to one of the many servers that make up the cloud, they may not know whose customer data is on there, what parts of it, what pieces they may have spread out to a number of servers on that cloud."
A 2012 report from Betterley Risk Consultants that interviewed 29 insurance carriers, most of them excess and surplus lines carriers, pointed out several weaknesses in the markets' approach to covering this risk.
"The insurance industry still needs to do a better job of helping brokers understand the exposures, coverage and services of cyber risk, so they can better serve their clients," Richard S. Betterley, the author of the report, wrote.
"Many brokers have only a general knowledge of cyber exposures and coverage."
Companies in the survey included CNA, Liberty International Underwriters, Ironshore, XL, Chubb and Ace Group.
Carriers responded to Betterley that reinsurers like the cyberrisk product, but expressed a great deal of concern about accumulation risk.
"With so much data moving to the cloud, this accumulation risk is becoming more severe, a trend that concerns us greatly," Betterley wrote.
But in the summer of 2012, premium volumes in this area increased substantially. Carriers that Betterley called "significant players" in the market were reporting premium growth of 25 percent to more than 100 percent. Several carriers reported premium growth of between 50 percent and 100 percent, with one carrier reporting premium growth of more than 100 percent.
Premium growth is good news for carriers looking for new markets in a very competitive world. But in the area of cyberrisk, and the breach that could hit a cloud server, it remains to be seen whether they know what they are getting into.
DAN REYNOLDS is managing editor of Risk & Insurance®.
April 12, 2013
Copyright 2013© LRP Publications