Cyber research by the working party has to date focussed on General Insurance risks where firms have been increasingly writing cyber insurance policies. The Working Party are now looking to begin a new workstream, exploring how potential Cyber scenarios may impact a Life insurer, where historical loss event data will not be available for some of the more extreme scenarios.
The main source of exposure for Life insurers is through operational risk. These risks are well known, examples in recent years such as TalkTalk and SolarWinds highlight the risks faced through data loss and security breaches through third party suppliers. Such events can result in significant reputational damage, and for Life insurers could result in large numbers of customers moving their policies to other providers as soon as terms and conditions will allow. These secondary impacts would not generally be included within the operational risk capital assessment but would be considered through scenario analysis of lapse and expense risk. Typically cyber scenarios are unlikely to be selected for the calibration of a tail event, but the scenario being considered should be representative of the kinds of losses that could be triggered by a cyber event where these are seen being within the 1-in-200. Although not directly used to determine tail risk, cyber scenarios could still be used as part of validation.
Longer-term impacts might be seen as a result of external events. A cyber event triggering some form of lasting contamination to the environment or the water supply could generate longer-term changes in mortality and longevity risks. A cyber attack on a nuclear processing plant for example could result in a radiation leak with longer-lasting health impacts on populations for multiple generations. These types of risk events, although being realised through experience over a period of many years, might still result in a risk event within a 12 month period if the impact needed to be recognised in the long term best estimate assumptions.
Changes in the industry could also be seen in the popularity of long term savings if a cyber event has resulted in a policy not serving the purpose for which it was purchased. For example loss of policyholder, data has resulted either in untimely benefit payments, harm to customers, or incorrect benefits to be paid.
Another area of potential risk could be regulatory change in response to a cyber incident. Changes in regulation could have an impact on a firm's cost base if additional development and controls have to be implemented. For example, if an outsourcer common to a number of insurers is impacted by a data loss event, there could be a widespread loss of confidence in the industry; with public demands for tighter regulation following within a short time frame. If this results in the outsourcer being de authorised, the firm may have to find an alternative provider or bring the business back in-house at short notice.
The firm could also be impacted by events external to the company. For example, if there were to be a remote shutdown of national infrastructure as a result of a cyber event. A recent example would be the US oil pipeline shutdown; if an event occurred which resulted in a loss of power or internet availability for a period of days or weeks, this could disrupt vital healthcare systems, which some of the more vulnerable policyholders might be reliant on, with a mass mortality event occurring. Worse still, given Cyber is man-made, if a malicious event were to be enacted at a time of extreme weather, itself an increasingly frequent event, the impact of a loss of power could be even greater as the population loses the ability to regulate temperature.
It is also possible that a cyber event at another firm has an indirect impact on a life company. For example, if a third party fund manager restricts the ability of firms to encash unit-linked policies. Disrupted operations in a retail bank may mean that the firm can't process claims to customers.
Aggregation and Diversified Capital
It's likely that firms will have considered scenarios that would be representative of a cyber trigger for each of their risk factors, however, it's feasible that some of the cyber events discussed above could trigger an observation on multiple risk factors at the same time. For example, a cyber event impacting the payments system in a cashless society could result in customers being unable to receive policy benefits and an equity/credit market event alongside a potential increase in mortality.
The working party are looking to investigate how various scenarios might cause a risk event across multiple risks within a company -
We will be holding a discussion forum in the summer to investigate these areas, if you would be interested in joining please contact Professional Communities.
Want to hear more about how you can mitigate and manage the growing risk of suffering financial losses from a cyber event, listen to Kovrr, a Cyber risk model vendor, on Monday 28 March, we will also be highlighting this related work on Cyber tail risk for Life insurers currently being carried out by the IFoA Cyber Risk Working party. Sign up here.
