The industry’s ultimate insured losses from the June 2017 NotPetya virus will now exceed $3bn with the majority emanating from silent - or non-affirmative - coverage, according to the independent loss adjudicator, Property Claims Services (PCS).
The update is an increase on a Q2 loss estimate which calculated the total insured loss at $2.7bn from the cyber virus.
The loss upgrade coincides with the launch of a new cat cyber loss index from PCS that may eventually lead to greater reinsurance and retro capacity being devoted to the fast expanding class.
The PCS Global Cyber service will cover events that have triggered insured losses of at least $250mn from both affirmative and non-affirmative - or silent - cyber coverage.
It is a significant development in the industry’s ability to have confidence in an independent quantification of cyber losses.
But it also once again highlights the industry’s significant exposure to so-called silent cyber cover, where cyber losses seep into traditional broader coverages such as business interruption cover provided in property programs for large corporates.
The increase in the NotPetya loss estimate may also prompt a fresh debate about (re)insurers’ silent cyber exposures which - calculated objectively - enable executives and capital providers to rethink the ultimate profitability of cyber exposures rather than simply focus on affirmative covers where the loss ratios are typically modest.
In June 2017, the NotPetya virus swiftly overtook WannaCry to become the world’s most damaging cyber attack.
Initially targeting the Ukraine, it spread into the IT systems of a number of multinational corporations and has led to estimates of economic losses as high as $10bn.
One of the worst-affected companies was the US pharmaceutical firm Merck and its insurance cover has the potential to become an unwanted poster child for the industry’s silent cyber exposures.
Earlier this year, the company estimated losses from the attack at $915mn spread across the 2017 and 2018 financial years and begun to make recoveries on its affirmative cyber tower led by Chubb and believed to provide around $275mn of coverage, according to sources.
In its second quarter results last month, Merck largely echoed its earlier guidance on this year’s impact although it added that it will incur marketing/administrative and R&D costs of $35mn for the first half of the year, net of $15mn insurance recoveries.
The extent of the liability facing insurers on the Merck property tower - which are understood to include leader Allianz, AIG, FM Global, Liberty and Zurich - will ultimately depend on their individual policy wordings, which are understood to vary and could therefore lead to coverage disputes.
Indeed, in its 2017 accounts, the pharmaceutical company said it had “insurance coverage against costs resulting from cyber-attacks” and has already received some proceeds.
“However,” it went on, “there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident.”
This message was repeated last month in its second quarter earnings.
When PCS provides an event loss estimate it has a policy of not individually itemising individual carriers’ gross or net exposures. However, most observers assume that its estimate includes significant losses falling into Merck’s property tower, which was placed by Aon and was thought to provide around $1.75bn of cover.
In addition to Merck, PCS’ updated loss calculation will likely include estimates from shipping giant Maersk and other corporates such as ad agency WPP and FedEx which were materially affected by the attack and may be able to claim under different policies.
A number of senior cyber figures have welcomed the new PCS initiative to provide further clarity on the industry’s cyber exposures.
PCS’ property cat loss estimates are widely relied upon as a trigger for capital markets and binary loss contracts, such as ILWs and cat bonds.
Rob Ashton, CEO of underwriter Radius Specialty, commented: “Few, if any, other perils are being approached in the same way as non-affirmative cyber; affording coverage for a known multidisciplinary peril, that is growing in potential severity almost daily, yet with limited information available to underwriters that would allow them to price the risk, manage accumulations and hedge their downside.”
While David Flandro, global head of analytics for JLT Re, remarked: “PCS have taken a pioneering step forward in their construction of a cyber catastrophe loss index.
“JLT Re are very excited to partner with PCS in its journey to bring greater clarity in respect of both affirmative and silent cyber claims. We are confident that this will represent an important milestone for the industry.”
According to Tom Johansmeyer, co-head of PCS, the loss index will add to the industry’s armoury of understanding its cyber cat exposures.
He explained: “There’s no one correct approach to managing risk and capital in the face of a growing cyber threat.
“The latest iteration of PCS Global Cyber helps risk bearers address any silent exposure they may have lurking in their portfolios while also taking an active approach to the cyber business they purposely write.”
He added: “We believe that the prevalence of affirmative or silent cyber risk will fluctuate in the years to come as the market evolves and losses occur. So, rather than take a view that one approach will emerge, the PCS team has worked closely with the market to develop a loss index suite that will serve the market as cyber continues to evolve.”