All material subject to strictly enforced copyright laws. © 2021 Inside P&C is part of Euromoney Institutional Investor PLC.

Cyber insurers tighten underwriting as SolarWinds uncertainty reigns


Select insurers writing cyber policies have introduced new SolarWinds exclusions in recent weeks, compounding fears that the hack may cause significant claims aggregation and further pressure loss ratios across the class, this publication understands. 

Cyber insurers, as well as breach-response vendors and government agencies, have rushed to respond after software company SolarWinds last month revealed that up to 18,000 commercial users of its Orion platform may have been affected following a cyber attack on the company.

The widespread nature of the loss event has raised concerns in the cyber market about the potential for the fallout from the SolarWinds breach to result in a “cyber cat” scenario, at a time when profitability is already severely challenged in the cyber market.  

At least two carriers, Chubb and Crum & Forster, are mandating known circumstance exclusions, which limit the degree of cover insureds will receive for future claims relating to the loss event. 

One new policy endorsement from Chubb, seen by this publication, precludes cover for incidents where the affected iteration of SolarWinds’ Orion platform is present on an insured’s computer system or shared computer system. 

Both carriers are understood to be introducing the new, specific exclusions in tandem with enhanced questionnaires, and implementing them if insureds confirm the presence of the affected software on their systems. 


A canvass of London cyber market sources suggested that carriers in EC3 are yet to go so far as to bring in SolarWinds exclusions when quoting. Instead they are demanding enhanced disclosure from clients, which may entail forensic analysis from a breach response vendor. 

Some London market cyber specialists also questioned the effectiveness of such an exclusion, saying that, in such cases, it may be difficult to prove proximate cause. 

US cyber market sources told this publication that they had received notifications of circumstance in relation to the attack, but emphasized that it was too early to know the final claims quantum. London market sources also said they had so far received no formal claim notifications with loss estimates relating to the event, although some more prudent insureds had been signaling to their insurers early that they had a potential vulnerability. 

Some sources suggested to this publication that the extent of the losses from SolarWinds would become clearer over the next six months, amid ongoing efforts from breach-response providers to establish the full extent of the attack. 

The presence in the cyber market of “non-IT” BI wordings, which provide contingent BI cover as a result of service provider failure, creates the potential for huge claims aggregation from the SolarWinds event.

These wordings have increasingly come under the spotlight in recent years following claims including a systems outage at Southwest Airlines in 2017 that resulted in a $100mn loss.

It is expected that non-IT BI wordings will now come under major scrutiny at renewals as carriers assess the systemic implications of the event. 

The potential for substantial losses to arise from SolarWinds comes at a time when profits in the market are already under extreme pressure as a result of rising ransomware claims.

The additional fear factor will add further upward pressure to pricing in the increasingly distressed cyber insurance market, where rates have started to surge in the double digits and are set to gather pace through 2021.

SolarWinds has the potential to be one of the largest third-party losses the cyber market has had to deal with. After a year of market focus on first-party claims, the event has underlined the challenge of underwriting a product which has both first- and third-party exposures and rapidly changing threat vectors. 

Although the market still has little visibility around the ultimate loss quantum, it has led some sources to question whether the cyber market would be able to successfully weather a cyber catastrophe event at this stage, given current levels of profitability. 

The incidents most closely resembling a cyber cat event have been the NotPetya and WannaCry attacks in 2016 and 2017, where claims were manageable but cyber insurance penetration was far lower. Sources drew parallels between SolarWinds and these two systemic events but said SolarWinds had the potential to be far more damaging.

Sources pointed out that the SolarWinds event presented an opportunity to collect data from insureds that may help the market respond more effectively to a future large catastrophe event. 

The latest underwriting action by carriers follows measures taken by AIG, Chubb and Beazley to trim exposure and increase premiums charged. 

Earlier this month, Inside P&C reported that AIG, Chubb and Beazley had turned to measures including co-insurance and ransomware sub-limits and premium hikes in the run-up to January 1 renewals. 

Crum & Forster and Chubb did not respond to a request for comment.
