Considering insurance to manage IoT-driven catastrophic cyber-risk

Catastrophic cyber-loss hardly ever arises from the loss from a single/few insured—but principally from correlated cyber-risk experienced by many insureds simultaneously due to a single event. Image: Shutterstock

The rapidly evolving era of IoT-driven smart cities and societies has ushered in realistic possibilities of society incurring a non-traditional catastrophic cyber-loss worth billions of dollars just out of a single cyberattack. Here, 'catastrophic loss' often refers to a tangible monetary equivalent extremely severe for the victim, arising from a surprisingly low-likelihood adverse event (e.g., analogous to an earthquake). As an example, a cyber-attack on Internet-connected home IoT devices such as air conditioners, refrigerators, ovens, and room heaters can:

1. Make these devices unusable.
2. Potentially cause physical damage to homes/buildings equipped with such devices.
3. In worst cases, it renders the city's power grid dysfunctional (due to peak load overloading) and causes blackouts with massive societal and economic consequences.

To drive home the point on realistic cost calculations, consider the (futuristic) scenario of 150 million home/office IoT devices (including smartphones) in a single smart city becoming simultaneously inoperable due to a cyber-attack with an average cost of $100 per device. Even if 50 million (out of the 150) devices led to losses in business (say due to power grid failure for hours) and quality of life spanning five million households/corporations, with each of the latter contributing to a loss of an average $5000, we are looking at $25 billion in catastrophic financial losses incurred by the smart city due to a single (one in a fifty year) cyber-event. A takeaway message here is that catastrophic cyber-loss hardly ever arises from the loss from a single/few insured—but principally from correlated cyber-risk experienced by many insureds simultaneously due to a single event.

One might argue that cyber-insurance is a standard cyber-risk management mechanism for handling cyber-loss incidents resulting in catastrophic societal financial consequences. Consequently, we should delve into:

1. how traditional insurance markets might deal with correlated losses that have an IoT-driven cyber component and
2. how existing stand-alone cyber-insurance markets might deal with correlated IoT cyber losses.

Nonetheless, for the above cost calculation example, it is very difficult for any cyber insurer (or even a collection of a few together) to cover at least 50 percent of $12 billion at one point.

Traditional insurance policies (usually along with exclusions and deductibles) broadly span two types: policies covering loss or liability through tangible property damage and business disruption and policies covering liability or third-party cyber-risk.

Also read: The cyber-insurance vision is failing for ransomware attacks in India

In the past decade, property and business disruption policies have been underwritten to consider cyber as an additional source of damage but do not explicitly account for correlated cyber-risk sources. This ambiguity has led to courts dismissing lawsuits that demanded cyber-loss coverage due to correlated cyber-risk—let alone catastrophic cyber-risk that is correlated. Examples of such lawsuits related to the IoT space include (but are not limited to):

1. (self-driven) automobiles with IoT-driven machine parts amenable to property damage via external hacking and
2. smart devices in home, office and critical infrastructure settings.

Moreover, to make things complicated for the insured, the underwritten policy legal language is often framed to restrict coverage only for non-intentional/accidental cyber-attacks and/or on non-portable IoT devices with the requirement of additional proof that damage and business interruption of claimed amounts were caused by cyber-elements not excluded from policy language. Hence, current versions of traditional insurance appending cyber-coverage would be of less value in covering IoT-driven catastrophic cyber-risk losses.

The landscape for traditional insurance covering catastrophic IoT-driven cyber-risk on liability or third-party grounds is not that bright either. There are numerous classes of policyholders in the IoT space with potential liability coverage claims—device manufacturers subject to a cyber-attack, hardware and firmware manufacturers, and cyber-vulnerable software providers. The CGL insurance policies bought by these policyholders should ideally cover the liability losses in question. However, as the status quo stands, courts have transferred liability to device and software manufacturers to protect their clients from the adverse effects of cyber-attacked products – thereby putting less burden on cyber-insurers to cover liability losses, let alone catastrophic cyber-losses. In addition, many policy contracts contain provisions limiting the liability for catastrophic damages related to IoT products far below a victim organisation's actual multi-party cyber-risk exposure.

Stand-alone cyber-insurance markets cover:

1. First-party cyber-losses, including business disruption, data restoration, ransomware payments and
2. Third-party losses, including civil liabilities and statutory fines.

However, these markets face significant barriers to underwriting specific policies to cover IoT-driven catastrophic cyber-risk. First, cyber insurers find it challenging to use policy coverage restrictions to reduce catastrophic cyber-risk exposure. Unlike traditional risk, it is tough to identify and exclude physical, causal, and motivational factors contributing to correlated IoT-driven catastrophic cyber-risk from those of traditionally correlated cyber-risk. Second, catastrophic IoT-driven cyber-risk does not have an industry or a geographical boundary such that specific policy underwriting can limit the span of non-excluded correlated cyber-risk. In other words, an underwriter cannot segregate industry/geography/system-specific scenarios where the cyber-risk exposure of any policyholder is catastrophically correlated with peers with those where the exposure is non-catastrophically correlated. The result sourcing from these barriers is a cyber-insurance market with very low policy limits (far below economic exposures to cyber-risk) for various client and cyber-risk types to maintain cyber-insurer solvency.

Irrespective of whether cyber-insurance markets are stand-alone or otherwise, cyber-insurers find it challenging to underwrite policies covering correlated IoT-driven catastrophic cyber risk because:
 

1. Estimating very low probability events (and hence setting policy premiums) is extremely difficult as factors affecting such events in cyber-space are very dynamic over quantity, time, and space, and
2. There is hardly a demand for such policies as potential policyholders grossly underestimate the cyber risk of a catastrophe.

There are two market alternatives on the lines of insurance to cover catastrophic cyber-risks: cyber reinsurance solutions and insurance-linked security solutions such as catastrophe bonds.

The benefit of cyber reinsurance markets is that they insure aggregate cyber risk that might wipe out cyber insurers' capital after a cyber catastrophe event. Their drawback is that they operate mostly out of quota-share treaties, wherein cyber insurers cede only a specific fraction of cyber risk to a reinsurer. This leads to cyber insurers adopting coverage limit management techniques, the drawback of which is reduced capital inflow.

Catastrophe bonds are purchased by investors such as hedge funds who push capital into the cyber reinsurance market in return for periodic interests, with the condition that if a catastrophic event were to occur, the invested capital would go all into reimbursing victims of the cyber-catastrophe who demand coverage from their cyber-insurers. The interest proceeds are then traded in the multi-trillion-dollar financial market. While the catastrophe bond market for cyber has arrived but is in its infancy, there is no doubt that such markets will scale if reinsurers adopt the excess-of-loss reinsurance model compared to the quota-sharing model. This is because cyber insurers can diversify excess loss through reinsurance, which would further diversify this risk in the financial market. However, unlike traditional catastrophic bond markets, where the (natural) catastrophe does not affect financial stability, a cyber-catastrophe can affect financial stability. Hence, more information is needed by bond writing parties to screen cyber-risk exposure to guarantee no threat to financial stability.

By Ranjan Pal (MIT Sloan School of Management) and Bodhibrata Nag (Indian Institute of Management Calcutta)

[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]