Casualty Quarterly, Spring 2021

Q&A—Cyber Risk

NiamiThe Academy’s Cyber Risk Task Force (CRTF) has been active in the past few years as the issue of cyber risk has gained more prominence both in the U.S. and globally. Cyber risk affects many aspects of actuarial practice, from financial and operational risk management to product development and has unique impacts in areas particularly susceptible to cyber risk such as telehealth. The COVID-19 pandemic has further sped up digital transformation of many industries’ priorities—and as remote working has increased, so has cyber risk. Ransomware attacks and IT system penetrations are in the news every day.

The CRTF has been busy in the past couple of years, with the 2019 paper, Cyber Risk Insurance: A Resource Guide for Actuaries, last November’s research report, Cyber Breach Reporting Requirements: An Analysis of Laws Across the United States, and the January letter to the U.S. Department of the Treasury on the Terrorism Risk Insurance Act (TRIA). The task force plans to release papers in the near future on a variety of subjects related to cyber risks and coverages.

Casualty Quarterly did a Q&A with CRTF Chairperson Norman Niami to ask about some of the key cyber risk issues facing insurers and the actuarial profession.

The issue of cyber risk is becoming more vital—especially with more work, education, medicine, and of course commerce online during the coronavirus pandemic, as the task force’s recent letter to the Department of the Treasury stated. What’s the big picture for insurers, and actuaries, facing cyber risk across many areas?

Given that cyber risks are relatively new in comparison to many other insurance risks, there are challenges. One issue is the lack of significant historical data at the company and market level. There’s also the fact that the cyber risk landscape is continuously changing, whether it is the type of vulnerabilities and attacks or industries targeted. For instance, local governments, colleges, and manufacturers were not primary targets just a few years ago. With the fact that geography of a company’s operations and the location of perpetrators are almost irrelevant is another difference from other lines of business. So it is critical for insurers and actuaries to continuously stay on top of current issues and adapt as various aspects of risk, coverage, and technology change. Given the expected growth of cyber insurance coverage, the challenges make actuaries perfect candidates to contribute to further understanding, measuring, managing, and controlling cyber risk.

The CRTF’s January letter to the U.S. Department of the Treasury on whether cyber event losses originating from outside the United States should qualify as “damage within the United States” suggests this meets the intent of covered damage under TRIA. Why is that?

As I mentioned, geographic boundaries are a lot less relevant to the risk and loss for cyber insurance than for other lines of business. There are many scenarios where a cyberattack originating outside the United States would lead to substantial damage and losses within the United States. Providing coverage for damages inside the United States was envisioned to fall under the umbrella of coverages under TRIA, regardless of country of origination. Therefore, foreign events such as those contemplated in the Treasury Department’s review would meet the intent of covered damage under TRIA and thus be covered. The 2017 NotPetya attack, which targeted Ukraine, quickly turned into a global catastrophe. As of 2020, it was the costliest known cyberattack with total costs estimated as high as $10 billion. Two of the most heavily impacted companies were Merck and FedEx, with each losing a few hundred million dollars due to the attack.

Last June’s CRTF letter to the Government Accountability Office near the beginning of the pandemic provided an overview of TRIA and Treasury Department guidance, and noted the treatment of cyber coverage under TRIA has enabled a more robust participation among reinsurers. Can you provide some additional insight on this observation?

Reinsurance is generally available and insurers and reinsurers have started partnering with tech companies, such as the one between Munich Re and Google for Google Cloud Protection. Further clarity and improvements of TRIA would help address whatever market conditions might exist. Having said that, generally rates are increasing and there may be more underwriting scrutiny of risks given the recent cyberattacks and the significant increase in ransomware. A recent Aon report stated that policyholders can expect a rate increase of 20% to 50% in 2021.

Accumulation of cyber exposure would appear to be a difficult challenge to measure accurately. How is that evolving?

Slowly, but it’s progressing. Lack of geographic boundaries in many aspects of cyber risk, the ever-increasing sophistication of bad actors, and the changing landscape of targets make it challenging. Companies and vendors are continuously working on this challenge to improve accumulation risk analysis. However, again, the relative newness of cyber insurance compared to other areas makes it ripe for more work and innovative solutions.

Another challenge is measuring “silent” or unintended cyber, which is the existing exposure in non-cyber policies. Most insurance policies follow a standard form that was mostly written predating the rise of cyber risks.

Recently the New York State Department of Financial Services issued guidance to P/C insurers regarding cyber insurance. Can you offer thoughts on this move?

The guidance provides best practices for insurers that write cyber insurance. Insurers affected by this guidance would be well advised to incorporate these best practices into their risk strategies. The recommended practices range from formal involvement of the relevant governing body in establishing a formal strategy for measuring cyber insurance risk and addressing “silent” (unintentional) cyber insurance risk, to evaluating systemic risk and using a data-driven approach to assess potential gaps and vulnerabilities in an insureds’ cybersecurity. While many companies may have already established some of the practices, at least to some extent, it provides another tool in improving assessment, management, and control of cyber risks.

Can you say anything about the upcoming series of papers that the CRTF is developing?

Given the rapid expansion of the “Internet of Things,” I believe they will be useful tools for most insurance professionals and other stakeholders. Collectively, the papers address some of the primary aspects of cyber insurance and related issues and challenges. Even those with some cyber risk experience will find them useful and helpful.

Clearly, cyber risk is an active area with some interesting challenges and dimension. Any advice for actuaries not working within the space who might be looking to better understand the exposure?

Get involved and use opportunities to learn more about cyber risk that may be relevant for your specific area. Given today’s technological landscape and developments, cyber risk impacts just about every line of business to varying degrees and in different ways. Understanding cyber risks and the relevant issues more will improve your understanding of the ever-changing landscape that will impact areas of your responsibility.

Automobile Insurance Committee Releases COVID-19 Issue Brief

The Automobile Insurance Committee recently released an issue brief, Considerations for Handling Auto Insurance Data in the Era of COVID-19, that looks at the ramifications of the pandemic for auto insurance.

Many insurance companies have issued refunds, premium credits, dividends, or rate reductions to reflect the lower-than-previously-expected loss levels in the current policy terms, the issue brief notes. Data for 2020 will look quite a bit different than in prior—and possibly future—years and will make interpretation difficult, it says.

While the duration, the size of the data impact, and state variations due to the virus are unknown at this point, the issue brief is intended to provide considerations that might be used by actuaries and regulators overseeing automobile insurance in this interim period.

By some estimates, miles driven in some months of 2020 declined by 30 percent or more, which reduced automobile accident frequencies over this period. But the issue brief notes that some companies expanded coverage for delivery drivers who use their personal vehicles for deliveries (typically a commercial coverage), which could temper the effect on the decline, and certain commercial vehicles may not see a decline due to at-home deliveries or to supply grocery stores, etc.

On the severity side, claim costs may be impacted adversely due to changes in the mix of claims, due to a higher percentage of more serious incidents given that some drivers are speeding excessively on the less-congested roadways.

Webinar Covers P/C Public Policy Issues

The Casualty Practice Council’s Jan. 14 “P/C Public Policy Update” webinar included Casualty Vice President Lauren Cavanaugh presenting on race and insurance initiatives at the NAIC and the National Council of Insurance Legislators (NCOIL); Senior Casualty Fellow Rich Gibson, who discussed congressional attention to providing business interruption insurance coverage in the event of future pandemics; Automobile Insurance Committee Chairperson Greg Frankowiak, who discussed COVID-19 impacts on auto lines; and Kathy Odomirok, outgoing chairperson of the Committee on Property and Liability Financial Reporting (COPLFR), who presented highlights of COPLFR’s recent FAQs on COVID-19 considerations in preparing P/C loss reserve opinions. Webinar slides and audio are available to logged-in Academy members.

CPC Submits Comments on Colorado Senate Bill 21-169

The Academy sent casualty, health, and life practice-area letters regarding Colorado Senate Bill 21-169, related to the legislation’s stated purpose of prohibiting unfair discrimination in insurance. The letters, which included one on behalf of the Casualty Practice Council, express support for the elimination of unfair discrimination in insurance and focus on the potential impacts the bill would have on P/C and other types of insurance from an actuarial perspective.

CPC Files Comments With ASB on Exposure Draft

The Casualty Practice Council (CPC) filed comments on the Actuarial Standards Board exposure draft, Using Models Outside the Actuary’s Expertise (Property and Casualty). The comments addressed several recommendations regarding scope of Actuarial Standard of Practice (ASOP) No. 38, including consistency and the application of historical data.

Academy Gives Presentations at CASTF ‘Book Club’

The Academy made three presentations to the NAIC’s Casualty Actuarial and Statistical (C) Task Force (CASTF) at a Feb. 23 virtual meeting as part of CASTF’s “Book Club” series to facilitate regulator training and the sharing of expertise on predictive analytics specific to the topic of race and insurance.

Academy presenters were Dorothy Andrews, chairperson of the Data Science and Analytics Committee (DSAC); Roosevelt Mosley, DSAC member and member of the Casualty Practice Council’s (CPC) Racial Equity Task Force; and Lauren Cavanaugh, CPC vice president.

Gibson Presents on P/C Issues at NCSL, Midwest Actuarial Forum

Senior Casualty Fellow Rich Gibson presented on P/C issues at several events early this year.

Presentation to State Legislators on BI Insurance

GibsonGibson presented during a Feb. 15 virtual panel discussion to the National Conference of State Legislatures’ (NCSL) Executive Committee Task Force on Insurance regarding business interruption (BI) coverage. The panel explored current proposals for pandemic BI coverage. Gibson provided information on important actuarial considerations for pandemic coverage.

Midwest Actuarial Forum Presentation

Gibson presented at the Midwest Actuarial Forum’s Virtual Spring Meeting Webinar on March 5, giving an overview of recent property/casualty public policy developments, including presumptive benefits in workers’ compensation, proposals to provide federal support for coverage in the event of business interruption brought on by pandemics, the National Flood Insurance Program, the NAIC’s initiative to address race and insurance, and other issues. The overview drew from the Academy’s comments, issue briefs, policy papers, and other efforts to inform policymakers, actuaries, and the public about the implications of, and actuarial perspectives on, key P/C issues.

P/C RBC Committee Submits Major Underwriting Risk Factors Report to NAIC

The Property and Casualty Risk-Based Capital Committee issued a major report to the NAIC’s Property and Casualty Risk-Based Capital (E) Working Group in which it presents indicated Line of Business Underwriting Risk Factors for the P&C RBC Formula. Committee chairperson David Traugott subsequently presented an overview to the working group and the committee is expected to make further presentations to the regulators in the near future.  This is the first in a series of three reports the committee has been developing; the second and third are to focus on investment income adjustment and loss concentration factors, respectively.