Understanding Systemic Risks

At CRIF we plan to provide useful information and articles covering various threads of Cyber Risk & Insurance.  One such thread is that of underwriting and through a series of bi-monthly articles we hope to provide some insight into how cyber risks are underwritten and what underwriters look for when analysing submissions.  Each article will include commentary from the various CRIF members covering broker, legal & technical perspectives where necessary.

So, as the first article in the series we thought we would start by discussing sustainable underwriting and in particular the wider issue of systemic risks and portfolio management.  In the world of cyber, systemic risk could be a wide-scale virus attack, a zero-day vulnerability in commonly used software, or the failure of a commonly used cloud provider.
If we look at just one of those examples, that of a cloud service failure, how would such a failure impact business and in turn the insurance industry?  
 
Let’s start with a few words on cloud services and the popular Software-as-a-Service (SaaS) offering.  SaaS provides online software services allowing anyone with access to the internet and the correct credentials to access a system from anywhere, whether at the office, at home or whilst travelling.  This means that access to key applications is not impacted when away from the office.
 
A business will contract with a SaaS vendor, but it is not uncommon for that vendor to contract with an Infrastructure-as-a-Service (IaaS) vendor.  So how does this work?  In general terms the business uses the SaaS vendor to manage and maintain the software, whereas the SaaS vendor may utilise an IaaS vendor to manage and maintain the infrastructure, including data storage.  This means the business is likely to have no contract with the vendor holding its data.
It stands to reason that there will be more SaaS vendors than IaaS vendors, and more businesses using the services than there are SaaS vendors.  This means that a failure of the service provided by the IaaS vendor could impact the service of many SaaS vendors, which in turn could impact many more businesses.  These are the same businesses buying cyber insurance, and that creates a systemic exposure.
 
Underwriters therefore need to be aware of this and other potential systemic exposures in order to manage portfolios of business and to ensure the sustainability of those portfolios.  Underwriting on an account-by-account basis is key to understanding the particular risk at hand but writing accounts in isolation would be to ignore the systemic exposure associated with such risks.
 
Cloud computing is but one example of systemic risk within cyber.  Dependencies upon an often limited number of software and hardware services and solutions are arguably the most apparent systemic risks.  Think about the prevalence of certain cloud computing platforms among small and mid-sized retail companies, or the limited number of Industrial Control System manufacturers in heavy industry and critical infrastructure.  Commonality of technology is found within industry sectors but also across industry sectors, as shown by the zero-day vulnerabilities discovered earlier this year, e.g. Heartbleed and Shellshock.
 
Such systemic exposures could become more prevalent where cyber as a peril is being covered in non-cyber insurance policies which are underwritten by non-cyber underwriters.  A number of insurance bodies, including Lloyd’s, the IUA (The International Underwriting Association of London) and CRIF, have voiced concern over such situations, to the extent that Lloyd’s recently issued a bulletin to managing agents discussing this very issue, further raising awareness amongst the broader underwriting community.
 
As the number of businesses purchasing cyber insurance continues to increase, so the systemic exposure increases, making it even more imperative for underwriters to understand and manage such exposures.  Ensuring the sustainability of cyber risk portfolios will enable the insurance market to continue offering improved products and competitive rates.