Aon's Reinsurance Solutions reposted this
What does the Crowdstrike event mean to cyber insurers? Here are six key implications: 1. This is reported to be a non-malicious event, meaning that “system failure” coverage, where offered, within cyber re/insurance policies is the relevant loss trigger 2. Business interruption (loss of income and extra expenses incurred), where offered due to system failure, is expected to be the most directly affected head of damage, subject to applicable waiting periods 3. Dependent business interruption, data restoration, incident response and voluntary shutdown costs may also be applicable and contribute to re/insured losses 4. At the individual risk level, we expect this event to increase insurers' attention to system failure coverage grants and business interruption waiting periods 5. At the portfolio level, Aon sees this event as an opportunity for the market to react by improving granularity on codifying policy information important for understanding portfolio accumulation risks stemming from certain coverage grants, to allow more nuanced event loss estimation and accumulation scenario analysis. 6. The industry has developed specific insurance coverages, reinsurance and bond products which this event will test, both from an event definition and loss quantum perspective. Click below to read our briefing. #crowdstrike #cybercatastropherisk
Kitty Ho
2mo
Thanks for the neat summary, Rory. My favourite is point 5, given the complexity of cyber triggers and coverages, such a functionality would be so handy!
Barry Rabkin
2mo
"2. Business interruption (loss of income and extra expenses incurred), where offered due to system failure, is expected to be the most directly affected head of damage, subject to applicable waiting periods" I'm hoping this CrowdStrike event is an opportunity for (re)insurers to remove system failure coverage from their cyber insurance policies. Cyber insurance policies should only cover cyber attacks - period. Why? System failure and cyber attacks may seem similar but they have different event dynamics: low frequency / high severity for system failure and high frequency / high severity for cyber attacks. The loss modeling should be different to generate accurate maximum probable loss estimates. Adding system failure to cyber insurance policies seems like an add-on that was requested by insurance brokers rather than a logical initiative requested by actuaries.
Peter Armstrong
2mo
Nice summary Rory. I’m also reflecting a bit about Crowdstrike’s own Tech E&O exposure and coverage. Somebody’s Financial lines portfolio across Tech E&O and Cyber Liability has a worrying time ahead
Stephen Woodward
2mo
As we saw during the pandemic (not to mention post 9/11), the only thing that counts is to RTFP (read the *ç%&ing policy). As history has shown time after time, simply saying „we never intended to cover this“ counts for nothing if an autonomous car can drive itself through the wording.
Alan Tai
2mo
Thanks Rory! As a current Aon Reinsurance intern and someone brand new to the industry, this is extremely interesting! I’ve mainly worked on PD+ BI accounts so it’s intriguing learn about a new insurance type and Aon’s perspective on recent events.
Marcel Velica
2mo
Rory, this is an insightful update! AON's approach continues to make waves. Thanks for sharing these key developments! Rory Egan
Cyber balance sheet risk solutions: Insurance, Finance, ESG, Enterprise Clients & Captives | Chartered Insurer I Passing it forward as CII Mentor
2moAnd let’s also see how many claims are brought against Property policies for CBI/unspecified suppliers, particularly as this was non-malicious Rory If the policy language is not tight enough, some will be successful even if underwriters never envisaged providing such cover. 🧐🤔