A Left Turn at Albuquerque… the history and impact of supply chain risk in the cyber liability market

By Jenny Soubra, U.S. Head of Cyber & Technology at Canopius USA

How did we get here? In an insurance market where supply chain risk was traditionally addressed by the property market, somehow CBI (contingent business interruption) coverage crept its way into a cyber policy, which originally gained popularity in the US as a liability product to address breaches of PII (personally identifiable information) and their regulatory consequences.

I’m old enough to remember when CBI was first added to “cyber” products – not that we called them that. Coverage was on a named-vendor basis only – because how else do you underwrite that exposure? The supply chain is complex and massive. It’s an exposure that even property insurers (who have decades more experience with these concepts than the cyber market, and dedicated actuarial models to support them) sometimes struggle to get their arms around.

But here we are. And for years, the federal government has warned both the private sector and insurers to work together to solve the problem of digital supply chain risk. Recent conversations between the federal government and industry experts have finally brought the topic out of random congressional subcommittee hearings and into the forefront of potential policy. It is now clear that this sort of supply chain vulnerability is problematic, and recent supply shortages of everything from gas to beef to public transit underscore the urgency of the problem.

No one planned for this. No reasonable risk manager at a manufacturing plant or property owner would have identified cyber risk as a major concern 10 or even 5 years ago. This was only a risk for companies with significant PII exposure. But the money follows the market opportunity, and the cyber-crime market is growing and evolving.

Yesterday’s market dealt in stolen personal data and its value; today’s trades in shutting companies down – disruption for the sake of it – and the ransoms that can be collected as a result. The effects of this year’s ransomware attacks on multinational meat producer JBS S.A. and on Colonial Pipeline, the largest refined-oil pipeline in the US, were far-reaching, moving beyond the threat of PII loss and wreaking havoc along the entire supply chain.

This brings us back to the unusual tale of digital supply chain risk being insured separately from the physical supply chain. Cyber underwriters are nothing if not versatile – but in the US, most emerged out of financial, specialty or liability lines that have very different processes than property and other short-tail lines. Property underwriters see devastation from fire, hurricanes, and other catastrophes that shut down businesses and hinder the flow of the supply chain. This is not quite the same as disruption of the digital supply chain, which is far more vast and global, but the nature of the cat exposures is similar.

The expert/specialist nature of many insurance professionals, coupled with years of profitable returns, allowed the cyber insurance market to hum along unfettered, creating a soft-market atmosphere that perhaps didn’t align with the actual exposures insured. The insurance market is fantastic at transferring well-understood risk, but new risks do not come without their growing pains.

All of this background has led to an unusual confluence of market factors that creates both huge risk and huge opportunity for the industry: underinvestment in cyber security and resilience across the private sector; lack of visibility into aggregation across the insurance market, and the resulting constraint on available capacity; the disparate nature of systems and security solutions, which challenges technologists to solve the problem at scale; and decades of insufficient government education, assistance and response relative to cyber risk. All these factors are finally coming home to roost. Those demanding ransoms are testing exactly how much they can eke out of victims before the economic calculation tips, and the economics, while finally changing on the basis of government and insurance market action, aren’t changing quickly.

Is it simply cheaper to pay ransoms than to recover data or restart operations manually? Is that the environment we want to foster as an industry?

In turbulent times, one of the most important attributes of an insurance partner is consistency and foresight. I’m fortunate enough to have worked through a few hard markets. The real winners I’ve seen have typically been the ones who are consistent. Insurance as an industry sells promises, and those promises are exactly as reliable as the paper and reputation they’re built on. But now we must do much more than promise. The market needs to address the changing nature of cyber risk and anticipate the risks of the future.