TLDR:
Key points:
- Cyber insurers urged to evaluate policyholder dependencies after recent cyber outage
- Guy Carpenter warns insurers to assess common tech aggregations and adjust risk tolerances
Cyber insurers are advised to use a recent cyber outage, caused by a cybersecurity firm’s update, as an opportunity to evaluate their policyholder dependencies. This evaluation should include assessing potential aggregations across commonly used technologies and adjusting risk tolerances accordingly, warned Guy Carpenter. The recent incident caused widespread crashes on computers running Microsoft Windows across industries including airlines, banks, retailers, and hospitality. Cyber insurance typically covers business interruption due to network outages, including those caused by system failures from non-malicious acts like human error, and extends to Contingent Business Interruption (CBI) if a vendor’s outage impacts the insured’s network operations. Key to assessing network interruption claims will be the policy’s waiting period, which varies depending on the industry and organization size.
Though specific scenarios for widespread outages from software updates aren’t usually modelled, analogous scenarios involving IT service disruptions can help estimate losses. Guy Carpenter is working with cyber catastrophe vendors and conducting its own analysis to provide insights to clients. System failure losses will be covered under traditional reinsurance structures, with recent trends showing a shift towards targeted catastrophe covers that address specific scenarios. Recoveries from event-based products will depend on how coverage is defined between malicious and non-malicious incidents, and Guy Carpenter will assess how this event affects tail risk assumptions and the broader $15.5 billion global cyber industry. Insurers need to consider the physical consequences of tech failures as technology integration continues, with exposure for P&C policies depending on how cyber risks are addressed.