Silent cyber assessment framework

Abstract

The (re)insurance industry is faced with a growing risk related to the development of information technology (IT). This growth is creating an increasingly digitally interconnected world with more and more dependence being placed on IT systems to manage processes. This is generating opportunities for new insurance products and coverages to directly address the risks that companies face. However, it is also changing the risk landscape of existing classes of business within non-life insurance, where there is inherent risk of loss as a result of IT events that cannot be or have not been excluded in policy wordings, or that are changing the risk profile of traditional risks. This risk of losses to non-cyber classes of business resulting from cyber as a peril that has not been intentionally included (often by not clearly excluding it) is defined as non-affirmative cyber risk, and the level of understanding of this issue and of the cyber peril exposure from non-cyber policies varies across the market. In contract wordings, the market has remained relatively "silent" across most lines of business about potential losses resulting from IT-related events, either by not addressing the potential issue or by excluding it through exclusion clauses. Some classes of business recognise the exposure by use of write-backs. Depending on the line of business, the approach will vary as to how best to turn any "silent" exposure into a known quantity, whether by robust exclusionary language, pricing or exposure monitoring. This paper proposes a framework to help insurance companies address the issue of non-affirmative cyber risk across their portfolios. Whilst the framework is not intended to be an all-encompassing solution to the issue, it has been developed to help those tasked with addressing the issue to perform a structured analysis of it. Each company's analysis will need to tailor the basis of the framework to fit its structure and underwriting procedures.
Ultimately, the framework should be used to help analysts engage with management on this issue so that the risk is understood, and any risk mitigation actions can be taken if required. In the appendix, we present a worked example to illustrate how companies could implement the framework. The example is entirely fictional, is focused on non-life specialty insurance, and is intended only to help demonstrate one possible way in which to apply the framework.


Disclaimer
The views expressed in this publication are those of invited contributors and not necessarily those of the IFoA. The IFoA do not endorse any of the views stated, nor any claims or representations made in this publication and accept no responsibility or liability to any person for loss or damage suffered as a consequence of their placing reliance upon any view, claim or representation made in this publication. The information and expressions of opinion contained in this publication are not intended to be a comprehensive study, nor to provide actuarial advice or advice of any nature and should not be treated as a substitute for specific advice concerning individual situations. On no account may any part of this publication be reproduced without the written permission of the IFoA.

Aims and Terms of Reference
The Cyber Risk Investigation Working Party sits under the Institute's Risk Management Research and Thought Leadership Sub-Committee, which reports into the Risk Management Board of the Institute and Faculty of Actuaries (IFoA). The group was established as a forum for actuaries to share insight and research and to respond to cyber risk developments within the industry.
The working group aims to provide further insight on all areas of cyber risk relevant to actuaries within the life and non-life insurance industry, including pricing, reserving, capital calculations and enterprise risk management. The purpose of this research paper is to suggest a framework to develop actuaries' understanding of their companies' non-affirmative cyber exposure and equip them to engage with management on the issue, so that steps can be taken to better manage the risk from exposures to cyber perils within all lines of business.

Definition of Cyber Risk
Cyber risk is the risk of any financial loss, disruption or negative reputational impact because of a failure in information technology (IT) systems, whether through people, process or technology. According to the Chief Risk Officer ("CRO") Forum (2016), cyber risk covers
• any risks emanating from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks;
• physical damage that can be caused by cyber attacks;
• fraud committed by misuse of data;
• any liability arising from data use, storage and transfer; and
• availability, integrity and confidentiality of electronic information, be it related to individuals, companies or governments.
The risk is dependent upon the malicious (or non-malicious) threats the organisation faces and how organisations mitigate the risks through business and strategic decisions.
The insurance market has developed the concept of affirmative and non-affirmative ("silent") cyber in recent years to recognise the uncertainty that exists in contract wording in addressing cyber as a peril on non-cyber standalone classes of business. The Prudential Regulatory Authority (PRA) (PRA, 2019) defined affirmative and non-affirmative cyber in 2019: "The PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk. This includes both of the following sources of cyber insurance underwriting risk: 1. Affirmative cyber risk, i.e. insurance policies that explicitly include coverage for cyber risk; and 2. Non-affirmative cyber risk, i.e. insurance policies that do not explicitly include or exclude coverage for cyber risk. This latter type of cyber risk is sometimes referred to as 'silent' cyber risk by insurance professionals." It is the assessment of the second of the two sources of cyber risk listed above, non-affirmative, on which this paper is focused.

Background
Major cyber events continue to make international headlines on a regular, and increasingly frequent, basis. This has seen the topic of cyber security become a significant concern for company boards in recent years, moving from an emerging risk to an active risk.
Cyber-attack profiles are not confined to a single geographical region or industry segment. The range and scale of the attack are generally a combination of the intent of the threat actors (e.g. theft/disruption) and the resources available to them (e.g. criminal gangs/state sponsored or lone wolf). The scale of a cyber attack poses a new risk to the insurance industry and to the approach to managing accumulations.
Previously, accumulations of risk could be managed predominantly by geography but, as was demonstrated by WannaCry (Symantec, 2017a) and NotPetya (Symantec, 2017b), cyber attacks transcend geographical regions (despite NotPetya being aimed at Ukraine (Marsh, 2018)) and can cause losses across any region and/or industry. In the case of affirmative cyber coverage, companies are able to manage (to an extent) the risk they are underwriting (UW), as this will have been defined within their risk appetite, intentionally covered within a policy and supported by capital. However, cyber attacks have the potential to cause economic losses that trigger claims on non-cyber standalone lines of business. The timeline in Figure 1¹ outlines some known cyber events that have caused, or have the potential to cause, losses to traditional lines of business.
Following developments within the industry to monitor and manage affirmative cyber exposures over recent years, the insurance market's focus has moved to address the potential of non-affirmative exposure in light of recent events and near misses. The growing awareness of non-affirmative cyber exposure is bringing the need to address the potential exposure to the forefront. This is partly due to the increased awareness of the potential materiality of losses from events like those shown above, as well as the increased regulatory activity in this area requiring companies to address this.

Cyber as a Peril
The term "cyber" is often used in the insurance industry to describe the concept of loss arising from an IT-related event. Such an event can cause loss on policies where the exposure was defined affirmatively, or where the exposure was neither affirmatively included nor excluded.
Many lines of business are now faced with the reality that IT developments are creating a new risk landscape for UW. Developments in IT may generally have a positive effect in reducing the likelihood of an event across many lines of business, for example
• satellite navigation systems enabling semi-automatic ship navigation, reducing the risk of manual error;
• Supervisory Control and Data Acquisition (SCADA) systems creating safer working and operating environments for industrial facilities, reducing the risk of injury and/or physical damage;
• cloud systems hosting platforms, increasing the robustness of availability for companies to conduct business.

¹ For details and references of the events, please refer to Appendix 4.

British Actuarial Journal
However, these developments simultaneously introduce new risks which are not well understood.
The IT improvements themselves may introduce a greater systemic risk when failure occurs or drastically increase the event severity due to over-dependence on the system. This is an area that to date has not been well studied. Hence, the concept of considering "cyber as a peril" helps us define the situation where the loss is not concerning the coverage provided on a standalone cyber policy (i.e. data forensics, breach response etc.) but rather the event of physical damage, business interruption and liability as a result of an IT-related failure that triggers payout on non-cyber lines of business. To a large extent, this risk is not new but is becoming increasingly more important as businesses have a growing dependence on IT systems. It is also becoming increasingly clear that contract clauses designed to exclude losses resulting from "cyber as a peril" are not as robust as once thought. As these common clauses continue to be tested in the courts, there is growing concern and questions being raised by the market on the reasonability of their use. In Figure 2, we highlight a few events that are causing potential losses to insurance (SC Media, 2019) as a result of cyber attacks. The attacks generally caused disruption to servers and computers at the companies, resulting in losses. The exclusion wordings on property and other non-life insurance products are being challenged by these companies as they seek to recover losses from these events.
These events are a sample of known events at the time of writing and highlight that on this issue the insurance industry is largely at odds with its client base. When a company seeks insurance to cover the risk, its intention is to cover all financial loss as a result of physical damage. The insured is not concerned by the direct cause but rather by the impact the event has on its financial situation. Hence, as IT-related incidents continue to increase in frequency, one might expect the number of court challenges to continue to increase until more clarity is provided by the market.

Potential Scale of Silent Cyber
Non-affirmative cyber risk is a very real threat, and recent cyber events have highlighted how it has the potential to threaten the ongoing viability of an organisation; 90% of the Petya/NotPetya industry losses were classed non-affirmative losses (Reinsurance News, 2018).
Risk managers and actuaries should be aware of the various sources of non-affirmative cyber risk in a portfolio of business to ensure that exposures are being adequately priced for, as well as captured appropriately in capital and pricing models. Reputational costs (Mondelez/Zurich) as well as increased regulatory interest (from the PRA and/or Lloyd's) also need to be considered. One could reasonably expect an entity UW affirmative cyber risks to price, manage and hold capital for the affirmative exposure. Entities at present are less likely to be holding explicit capital for the risk of non-affirmative losses, which are the significant but hidden part of the exposure as shown in Figure 3. Hence, given the potential severity of this type of event, entities should ask themselves if a severe cyber event causing non-affirmative losses would constitute a capital event for the company. This will depend primarily on the type of business underwritten and the capitalisation of the company. However, each entity has an obligation to understand and quantify its non-affirmative exposures, where possible, so that the management of the company can take educated decisions on the actions the company should take, based on the risk.

Regulators View
In January 2019, the PRA published a "Dear CEO" letter re-affirming their expectations of entities in respect of affirmative and non-affirmative cyber (PRA, 2019). The PRA expected companies to be able to demonstrate an understanding of and appetite for non-affirmative/silent cyber. The key requirements outlined by the PRA include
• actively managing non-affirmative ("silent") cyber risk;
• setting clearly defined cyber strategies and risk appetites that are agreed by the board; and
• building and continuously developing insurers' cyber expertise.
At the time of writing, the European Insurance and Occupational Pensions Authority ("EIOPA") is also in consultation with companies ahead of releasing a Quarterly Reporting Template (QRT) that would require Solvency 2 regulated entities to report cyber exposures as part of the regular reporting process (EIOPA, 2018). An entity must demonstrate its active management of and strategy towards silent cyber to meet the expectations of regulators. Regulators recognise that this is a difficult topic and are committed to overseeing the market as it continues to develop the understanding and monitoring of silent exposures.
Following the July 2019 announcement from Lloyd's calling for clarity around cyber coverage in all insurance policies (Lloyds of London, 2019), there is expected to be significant change during the 2020 renewal process for policies incepting 1/1/2020 onwards. The two specific statements made by Lloyd's were as follows:
• "… underwriters are required to ensure that all policies affirm or exclude cyber cover".
• "Define cyber risk as any risk where the losses are cyber-related, arising from either malicious acts (e.g. cyber attack, infection of an IT system with malicious code) or non-malicious acts (e.g. loss of data, accidental acts or omissions) involving either tangible or intangible assets".
The action by Lloyds is likely to drive greater movement towards reducing contract uncertainty by giving both clients and (re)insurers clarity on what is being insured. The market movement on this will require close attention, particularly when large events occur, including any new clauses brought to the market and any clauses tested by the courts.

Current Approaches to Assessing Non-Affirmative Cyber
Some entities may have already developed sophisticated approaches to managing and monitoring non-affirmative cyber risk; however, the market remains inconsistent in its view of the "silent" potential in portfolios. Figure 4 has been taken from one of the PRA's Non-Affirmative Cyber Risk Feedback (PRA, 2019) sessions. It shows the percentage of total policy limit exposed to non-affirmative cyber risk as assessed by the companies sampled by the PRA review. The spread of results illustrates that although firms agree that traditional lines of business have considerable exposure to non-affirmative cyber, views (and perhaps assessment approaches) can vary significantly. Furthermore, one of the PRA's key messages was that "quantitative assessments of non-affirmative risk" were not well developed and that "stress tests suggest cyber events could have widespread impact across different CoBs".
Responding to this uncertainty, this paper sets out a framework upon which readers can bring consistency to the way non-affirmative exposure is assessed and suggests a process for the subsequent generation of loss scenarios.It provides a common taxonomy to ensure that key aspects of silent cyber risk are considered and sets out examples of how to implement the framework.

Clauses
Table 1 outlines some of the common clauses used to address cyber as a peril in the London market. These clauses form the basis of the suggested framework. The framework proposed in this paper requires an understanding of the usage and confidence of wordings across all classes of business. As a reference point, we have included the results of the London Market Association ("LMA") Cyber Risk and Exposures Model Clauses Review (LMA, 2018). It is strongly advised that each individual entity performing such an analysis makes its own assessment, directly relevant to the nature of the business it writes.
As one performs the review, one may come across broker-specific wordings and amendments to standard clauses after speaking to UW and Legal teams. As far as possible, these should be reflected in the analysis if they are being used materially across the business. The wordings themselves are complex and do not all address the same issue. For example, some clauses intend to exclude cyber-induced losses, others are used to make cover affirmative ("write-back" cover), while many only exclude cyber risks or events under certain situations, for example, malicious versus non-malicious events or physical versus non-physical losses. It is important to develop a company-specific understanding of these clauses so that misleading information is not presented to management. Some of the most common clauses are CL380 (for Marine and Energy) and NMA2914 and NMA2915 (for Property). All of these have come under growing scrutiny as to their ability to effectively exclude cyber as a peril. In this paper, we will not discuss the complexities of contract wordings and why there is market debate on this; however, we encourage entities to engage in these discussions and form their own view. Lloyds Market Bulletin Y5258, published 4 July 2019 (Lloyds of London, 2019), was issued in order to ensure that clarity is provided for Lloyd's customers on coverage for cyber exposures. This specifically requires clarification of whether affirmative provision of cyber coverage is provided from 1/1/2020 for first-party property damage policies and at later dates for liability and treaty reinsurance. Lloyds are engaging in pro-active change to better manage and address cyber as a peril; hence, regular monitoring and assessment of wordings may be required until the market and courts are able to form a consensus on robust wordings.

Overview
This framework has been designed with the primary aim of helping actuaries and risk managers approach the problem of quantifying and communicating the non-affirmative (silent) cyber risk in their company's portfolio. It has been sourced from the experiences and expertise in the working party. The below outlines the key stages of the proposed framework. Please note that it is not a requirement to perform every step or every detail within each step. The framework shown in Figure 5 is suggested best practice, and a proportionate approach is encouraged. In the following sections, greater detail is provided on the key areas of the framework, with additional information on where different subject matter experts (SMEs) should be consulted to maximise the quality of the analysis performed. The following tables summarise the proposed levels of input from SMEs across the framework using the key shown in Figure 6.
It is important to note that the framework distributed by the working party is populated with market views, and any users must review the appropriateness of all assumptions from their own company's perspective.Furthermore, the cyber risk landscape (whether affirmative or non-affirmative) is ever evolving, and this will result in changes, such as contract wordings, that users should be aware of and respond to accordingly in their analysis.
For additional clarity, a simple example of how the framework may be applied is prepared in an accompanying MS Excel file (see Appendix 3).

Exposure Assessment
This section of the framework details steps 1 to 4 outlined in Figure 5. It aims to create a consistent base upon which to calculate a company's exposure and is the main objective of the exercise. The steps are outlined in Table 2, and it is key that UW has input to this stage.
Users should ensure that they do not interpret the data they are seeing incorrectly. Be wary of different classes of business having different data-recording standards across the business that may impact the assessment. Underwriters should be the main contributors and take ownership of the data being used for their class of business. Underwriters are likely to be the main source of information on clause usage in their markets, and this should be parametrised in an appropriate and manageable way (see Appendix 1 for a suggestion). If granular data on wordings usage are available, these should be prioritised, but care should also be taken to confirm confidence in the data quality. Furthermore, if the company records details of each policy's status with regard to cyber in its data management systems, an assessment of the confidence in that data is important, particularly if the data process requires UW and/or technical assistants to record data that they may not easily be able to interpret (unless guidance has been provided).
When performing the assessment of wordings used, users should consult the legal team to form a company view of the strength of those wordings. This is crucial so that the company is able to form its own view of risk and can communicate this to management. Users may also decide to consult claims teams to determine if the company has received any non-affirmative claims and how the clauses performed in these situations.
It is important to consider where it may be appropriate to supplement any analysis with specific policy-level assessment. Peak exposures or key lines of business may require additional analysis to confirm policy status, and the framework has been developed with the ability to flag these investigations within the analysis. Determining if peak exposures have clauses and/or sub-limits that contribute to the analysis is an important part of the assessment, to be able to provide the clearest view to management.

Scenario Development
Once exposure has been defined and understood, the next question that many management committees will ask is to what extent they need to be concerned about any significant exposures resulting from the analysis. To do this, the framework proposes performing a scenario generation analysis that seeks to develop scenarios relevant to the exposure that has been defined as being at risk to non-affirmative cyber risk. Table 3 summarises the key steps and inputs suggested by this framework.
It is recommended that entities consider where potential coverage clash exists. To do this, they should define the common cyber coverage. This framework has proposed the CRO Forum definition in order to construct a working example, but we encourage users to consider the most appropriate definition for them and consult with all relevant areas of the business. Furthermore, the assessment of where clashes of cyber coverages may be claimed on other classes of business will require discussion with underwriters and their teams as well as claims teams. Once this has been defined, the exposure clashes can be assessed to highlight where there may be areas of concern. It is expected that some organisations may have practical difficulties around obtaining appropriate data depending on how claims root causes/sources are recorded. This may result in changes to data-recording practices in order to capture claims data from cyber perils more appropriately.
Once peak exposures have been assessed, scenarios should then be considered that directly impact these areas. Assessments can then be made as to their potential severity. The assessment of potential silent exposure and potential clash coverages should enable entities to focus their analysis on scenarios that matter to them, enabling them to articulate to management whether the exposure is a cause for concern or one that management can be comfortable is well mitigated.
Scenarios should also consider which clauses they could trigger and in turn what the company's confidence in those clauses might be. This will also help the company form a view for management on whether the exposure at risk is a cause for concern requiring action to help mitigate or control it.
We consider this an important step in the framework to help make sense of the analysis performed and contextualise the numbers into a meaningful scenario. We encourage users of the framework to consider bespoke scenarios unique to their business rather than relying only on industry scenarios (although these are also important to consider), which may not adequately cover the risks they face.
Scenario development can be a detailed process, and companies will have to determine what resources they want to allocate to this area of the framework; however, it can be a very useful tool to communicate risk to management that is directly relevant to companies' own exposure and UW experience.
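To make the Exposure Assessment steps (policy status, clause usage and clause confidence, peak-exposure flagging) and the Scenario Development step (which clauses a scenario would trigger and how much confidence the company has in them) concrete, the following is an added example and not the paper's, the working party's or the accompanying Excel file's own model. It assumes a simple parametrisation of its own: each exclusion clause is given a company-legal-view "confidence" between 0 and 1 that it excludes a cyber-caused loss, a policy with no clause is treated as fully silent, a write-back is affirmative up to its sub-limit, and an unrecognised broker clause is treated as unassessed (full limit exposed until reviewed). The clause names CL380, NMA2914 and NMA2915 come from the paper; every number (limits, confidences, severity, threshold) and every policy in the portfolio is a constructed assumption.

```python
"""Hypothetical silent cyber exposure assessment (added example, not from the paper).

Clause confidence values, policies and scenario severities below are constructed
assumptions chosen for illustration; a real run would take them from the company's
own legal view, policy data and scenario work.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Company's assumed legal view: probability that the clause excludes a cyber-caused
# loss (1.0 = fully relied upon). Constructed values, not market assessments.
CLAUSE_CONFIDENCE = {
    "CL380": 0.60,    # Marine and Energy
    "NMA2914": 0.70,  # Property
    "NMA2915": 0.75,  # Property
}


@dataclass
class Policy:
    policy_id: str
    class_of_business: str
    limit: float
    clause: Optional[str] = None          # exclusion clause on the wording, if any
    write_back: bool = False              # affirmative cyber cover via write-back
    cyber_sublimit: Optional[float] = None  # sub-limit applying to the write-back


def classify(p: Policy):
    """Return (status, exposed_limit) for one policy under the assumed parametrisation."""
    if p.write_back:
        # Affirmative: covered amount is the sub-limit where one applies.
        return "affirmative", (p.cyber_sublimit if p.cyber_sublimit is not None else p.limit)
    if p.clause is None:
        return "silent", p.limit          # neither included nor excluded
    if p.clause not in CLAUSE_CONFIDENCE:
        return "unassessed", p.limit      # unknown broker wording: review before relying on it
    conf = CLAUSE_CONFIDENCE[p.clause]
    return "excluded", round(p.limit * (1.0 - conf), 2)


def assess(policies, peak_threshold):
    """Steps 1-4: exposure per class, % of total limit exposed (the Figure 4 measure),
    and policies flagged for policy-level review because their exposed limit is a peak."""
    by_class = defaultdict(lambda: {"total_limit": 0.0, "silent_exposed": 0.0, "affirmative": 0.0})
    peaks = []
    for p in policies:
        status, exposed = classify(p)
        row = by_class[p.class_of_business]
        row["total_limit"] += p.limit
        if status == "affirmative":
            row["affirmative"] += exposed
        else:
            row["silent_exposed"] += exposed
            if exposed >= peak_threshold:
                peaks.append(p.policy_id)
    for row in by_class.values():
        row["pct_exposed"] = round(100.0 * row["silent_exposed"] / row["total_limit"], 1)
    return dict(by_class), peaks


def scenario_loss(policies, affected_classes, severity):
    """Scenario step: loss if the scenario hits the given classes, where severity is the
    share of exposed limit assumed lost, plus the clauses the outcome relies on and the
    company's confidence in each of them."""
    loss = 0.0
    clauses_relied_on = {}
    for p in policies:
        if p.class_of_business not in affected_classes:
            continue
        status, exposed = classify(p)
        if status == "affirmative":
            continue  # managed and capitalised as affirmative cyber, not silent
        loss += exposed * severity
        if p.clause is not None:
            clauses_relied_on[p.clause] = CLAUSE_CONFIDENCE.get(p.clause, 0.0)
    return round(loss, 2), clauses_relied_on


# Constructed sample portfolio (limits in arbitrary units; not real policies).
PORTFOLIO = [
    Policy("P1", "Property", 100.0, clause="NMA2914"),
    Policy("P2", "Property", 50.0),                                  # no clause: silent
    Policy("P3", "Property", 80.0, write_back=True, cyber_sublimit=10.0),
    Policy("M1", "Marine", 200.0, clause="CL380"),
    Policy("M2", "Marine", 40.0, clause="BROKERXYZ"),                # hypothetical broker wording
]

if __name__ == "__main__":
    summary, peaks = assess(PORTFOLIO, peak_threshold=60.0)
    for cob, row in summary.items():
        print(cob, row)
    print("flag for policy-level review:", peaks)
    print("Marine scenario at 50% severity:", scenario_loss(PORTFOLIO, {"Marine"}, severity=0.5))
```

The `unassessed` status is the practical point: a wording the company has not parametrised contributes its full limit until Legal and UW have reviewed it, which keeps the management view conservative rather than silently treating an unknown clause as an exclusion. The scenario output pairs the loss figure with the clauses it depends on, so the reporting can say both "how much" and "how much of that rests on clauses we rate at 60% or 70%".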

Management Reporting
Ultimately, the goal of this framework is to provide actuaries, risk managers or anyone else tasked with articulating to management how they have assessed the company's non-affirmative cyber exposures with a clear and structured process to achieve this. Examples of the output are shown in Table 4. Simple and transparent management information (MI) packs should be developed in collaboration with all parts of the business. This MI should accurately and fairly represent the analysis and exposure. It is important that users communicate uncertainties in the data and analysis they perform to management. Given the complex nature of this topic, management should be able to understand and interpret output only at a level that is equivalent to the level of complexity performed in the analysis. It is important to educate management on the clause strength interpretation so that they are aware that cyber losses may occur even where exclusions are currently being relied upon.
Ultimately, entities are required to develop a risk appetite and strategy going forward to manage their non-affirmative risk. The analysis performed should support this development by creating greater clarity for management so that they may make educated decisions reflecting the analysis performed.
Finally, users of the framework should consider upfront whether the analysis performed should be one-off or easily repeatable. A developed risk monitoring strategy would enable the analysis to be performed regularly, providing management with updates so that they can continually assess the risk. Consider whether embedding the analysis as a regular process is possible and, if not, whether this should be raised with management to rectify. This analysis should aim to raise awareness of the risk across the business and provide a regular view of the risk landscape so that, if an event occurs, entities are able to understand potential sources of loss and plan accordingly. Ultimately, this may lead to market pressures to re-define clauses, the structure of reinsurance arrangements, the pricing of cyber as a peril and the capital set aside to support the business.

Limitations
This framework is proposed only as a guideline on how to approach the problem and should not be used blindly as there are many limitations. Some of the key limitations include the following.
• Clauses used in the basis of this framework are subject to change and may be replaced.
• The cyber market is evolving rapidly, and coverages are continuously changing.
• The framework aims only to provide a high-level overview of the risk. Outputs should be interpreted in a consistent manner.
• Any and all data limitations identified will increase the uncertainty inherent in any outputs produced.
• The lack of claims data and the fast-evolving nature of cyber risk result in the need for extensive use of expert judgement.
• The framework provides only a deterministic snapshot in time of the potential silent cyber exposure. The actual range of estimates may vary significantly.

Level of Application of the Framework
Companies will inevitably be at different stages of their journey in assessing non-affirmative exposures. Hence, the level of use of this framework may vary. Figure 7 illustrates how companies of different maturities may choose to apply this framework.
The use may also depend on companies' availability and quality of data; that is, direct insurers are likely to have greater granularity of data than reinsurers with treaties across various classes of business. There will be value in applying the framework regardless of data quality, but it is important to communicate these additional limitations clearly to management.

Figure 3. The hidden iceberg of non-affirmative exposure.

Figure 4. Percentage of total policy limit exposed to non-affirmative cyber risk as assessed by the companies sampled by the PRA review.

Figure 5. Illustration of the Silent Cyber Assessment Framework.

Figure 6. Level of input by SMEs.

Table 1. Common Clauses Used to Address Cyber as a Peril. IUA, International Underwriting Association; IMIA, International Association of Engineering Insurers. The clauses listed include only those known up to the end of September 2019.

Table 3. The Steps to Develop Scenarios.

Table 4. Management Reporting and Governance.