Resilience focus: cyber and terrorist threats converging – Gallagher

Traditional forms of cyber coverage are being augmented by covers that offer different protections, such as physical damage and even bodily injury. Lines are being blurred between terrorism and cyber products with the shared aim of bolstering resilience, according to insurance broker Arthur J Gallagher.

“It’s how the market is moving, between the property, terrorism, cyber markets. And we need to find a landing on how to insure that kind of risk,” Jason Coombe, director in Arthur J Gallagher’s technology & cyber practice, told StrategicRISK.

The broker has engaged in research published in the summer suggesting a quarter of large UK firms are worried or uncertain about their crisis resilience. Cyber extortion and terrorism were flagged as two top threats in the past two years, with 51% believing their business to be at high risk of cyber-attack in next 12 to 18 months.

In one instance, Gallagher has worked with Brit Insurance on a custom manufacturers’ cyber policy that indemnifies against property damage and bodily injury exposures resulting from a control system interruption, typically excluded from other cyber policies. “There’s still very limited cover available. It represents a new line of cover,” said Coombe.

Brit is an example of an insurer offering coverage for physical damage and business interruption costs arising from a cyber peril. The insurer houses such business within its liability division to a team underwriting both cyber and terrorism covers.

“The real movement in this area is in business interruption,” Coombe said. “Coverage is extending around the non-physical and into unknown territory. That can be about future earnings or a reputational harm perspective.”

Novae is one such insurer focused on the reputational harm angle, Coombe noted, focused on business income loss payments in the wake of an event that leads to “customer attrition” and loss of future earnings. Rival London market insurer Tokio Marine Kiln is another firm that has offered a standalone reputational harm product for several years.

There is an argument that all they’re doing is increasing the indemnity period, he suggests, albeit with a cyber trigger. This is an untested area, he suggests, and although the cyber insurance market has established a reasonable period of working with its clients, the use of forensic accounts to make the loss calculations for such policies is virgin territory. “They would argue it’s tried and tested; it’s just a trigger point,” Coombe added.

He noted that most cyber losses to insurers come from the now-seen-as-traditional breach response policies, which were pioneered in the London market by Beazley. Insurers are in frontier territory with these broadening cyber covers, in areas where reliable data and therefore risk modelers have not yet caught up. “Physical damage from a cyber peril is yet to be properly modelled in the same way as you might model hurricane in the property market,” Coombe added.

In another instance of the blurred lines between cyber and terrorism covers, Gallagher has worked on a crisis resilience product with AIG Europe over the past few years. The policy, designed cheaply with smaller and medium clients in mind, covers perils from terrorism and riots through to kidnap or blackmail. The resilience product will respond, in terms of its crisis consulting services, to a cyber extortion event, noted Justin Priestley, executive director of Arthur J Gallagher’s crisis management practice.

While the lines between malicious cyber-attacks – leading to damage or injury – and broader terrorist attack methods are being blurred, terrorism in its more traditional forms – which are also evolving – is still a major peril unto itself, underlined by recent Islamic extremist attacks in France, Spain and the UK. “A lot of clients are very aware of their security situation around terrorism. Some of our clients have been caught up in recent events,” said Priestley.

He noted that many clients are analysing their exposure might be. “They are realising that even if they themselves are not the target, their business can be caught up in the immediate security operation and follow on consequences, which can lead to denial of access,” said Priestley.

“What people are doing is analysing what they think their exposure might be. Historically in the UK if you go back ten or fifteen years then people were most concerned about large vehicle bombs within city centres, coded warnings, and essentially physical damage,” he said.

“Nowadays clients are being affected by incidents but they are not necessarily the target. They are thinking how to mitigate, to make staff aware, to look at insurance, to look at scenarios and model them. We can run realistic disaster scenarios, such as a marauding vehicle, to quantify what the losses might be for denial of access and loss of attraction,” Priestley added.