But the ongoing argument over the scope of cyber war exclusions threatens to wreak yet more reputational damage on the market – in a line of business which is crucial to the industry’s ongoing relevancy.
Late last week, we reported on two developments which represent this debate reaching a new peak of intensity – the introduction of a narrower wording on the Marsh Echo excess facility, and Munich Re’s missive to cedants outlining its aversion to recent extensions of cyber war cover, beyond what it thinks is tenable.
It would be wrong to think the debate around cyber war is a recent development. It has in fact been a topic of conversation and an issue which needs “fixing” since the dawn of the cyber market.
However, in the last 12 months, this conversation has escalated to (at times) conflict around what is the best course of action.
At the heart of it all is, I believe, a genuine desire on the part of all market stakeholders to do the right thing – to provide clarity to clients around the extent of their cyber war coverage and, in turn, create a more resilient cyber market poised for further growth.
The irony of the situation is that, in striving for that clarity, the result is horribly complicated.
Like in other lines of business, the cyber market has previously relied on traditional war exclusions to manage the remote risk scenario of cyber warfare.
But it has always known that, with the increasing use of cyber attacks as weapons of war, what constitutes “war” is getting broader and murkier – and the loose language around “war” within exclusions effectively meant clients were being granted less coverage. Do nothing and policyholders lose out.
As such, the blunt narrative that the recent cyber war exclusion updates are serving only to take away cover is wrong – and, in fact, providing clarity around wordings can only be to the benefit of policyholders (as CFC’s head of cyber strategy James Burns outlined in a blog on LinkedIn).
Unfortunately, the communication has also been poor – with some coverage from the national press, which failed to fully express the nuance, being described as frustrating and unhelpful by the market.
In this saga there are some stakeholders who have shouted the loudest, including Lloyd’s, the Lloyd’s Market Association (LMA), Marsh, Munich Re and, to an extent, Beazley and CFC.
But in reality, many in the cyber market are keeping their heads down and waiting for others to go first – and the silence more widely has served to throw the spotlight on those speaking up and proved unhelpful in attempts to reach a consensus.
It is a complex landscape in flux.
However, what is increasingly clear is that a continuation of the current misalignment of opinion could create significant reinsurance coverage gaps and continued uncertainty over ultimate aggregations.
More pressingly, an inability to find consensus in the market before a major cyber war event amplifies the risk of this dispute being ultimately settled in the courts post-event, Covid BI style.
Below we lay out the complexities of the cyber war debate.
The cyber market has known since its inception that it would have to address the cyber war question.
The market knows cyber war carries huge systemic risk and potential aggregations that could be fatal for the industry, and many market participants have been engaged in the debate on how to address this for many years now.
However, a war in Ukraine and the rise of geopolitical tensions globally have brought a reality to the situation which hasn’t been present in quite the same way before. This has come in tandem with a cyber market which is growing rapidly, but is now coming up against a capital availability challenge due to cautiousness around aggregation of ill-defined risk.
Drawing a line on what is truly systemic is key to the ongoing sustainability of the cyber market. Doing this in an immature class of business with ever-changing threat vectors is no easy feat – and perhaps was always going to end in dispute.
But, if anything, the (re)insurance industry’s experiences of trapped planes in Russia and poor definition of BI wordings in a pandemic serve as clear evidence that lack of contract certainty creates outsized reputational issues down the line.
In London the cyber war debate really started heating up with a summer 2022 announcement from Lloyd’s that it would require exclusions for cyber losses stemming from state-sponsored cyber attacks as of 31 March 2023.
This was in reality driven behind the scenes by the PRA – and it is a little-discussed fact that the London company market is also under pressure to define cyber war coverage and systemic risk aggregations.
Included is a timeline of significant events, based on Insurance Insider reporting, although it should be caveated that this list is not exhaustive.
The LMA sits at the centre of drawing up a framework and wording for use by managing agents, which aligns with the mandate set out by Lloyd’s. A number of market constituents had input into the LMA wording, including Marsh and Munich Re among others – and the result was LMA 5567 A/B (see graphic below).
Carriers can submit their own wordings, which are then given approval for use if they fit within said framework – which is where the intensity of the debate really started in earnest.
As reported, the wording later secured by Marsh for its $100mn Echo excess cyber facility affords greater carve-back of cover in specific cyber war scenarios than that of the LMA’s wording.
But other wordings are understood to be in circulation in the wider market outside of Lloyd’s which also effectively extend coverage for insureds outside of what is outlined by the LMA framework.
This has caused alarm at Munich Re, which in late April issued a strongly worded missive to cedants, saying recent developments in the marketplace threatened to “undermine all recent progress and dramatically increase the war exposure within cyber policies”.
It is oversimplistic to characterise this as a Marsh vs Munich debate.
One of the biggest difficulties with this story is that there aren’t necessarily two schools of thought – there are multiple.
It is true that Munich Re disagrees with the extent of coverage afforded under the Marsh Echo wording – sources said it believes that the scenario outlined under clause 1.2 is indeed war, and the knock-on impacts of that in other non-warring states should be excluded as such.
However, as I mentioned above, there are other wordings in circulation in the wider market which Munich Re takes issue with.
It is worth noting that Marsh (the biggest cyber broker in London) was able to gain support for its narrower wording from the London market as Echo was fully subscribed at its 1 April renewal – and after Munich Re Syndicate exited, that capacity was replaced.
Marsh, meanwhile, would argue that it doesn’t take a “position” in this debate as such – its only stance is that it has responsibility towards clients to secure as much coverage in wordings as possible.
Outside of 1.2, it has been suggested that many carriers in the market are more concerned around the lack of definition in the scenario under the LMA clause 1.3. How do you know when the attack causes material damage that the attack itself can be a new act of war? We haven’t seen it (fortunately), but the supporters of clause 1.3 say it would be obvious if we saw it.
To date, even non-war aggregation events have not been able to provide a clear guideline as to what a catastrophic, systemic loss really looks like for the market.
Meanwhile, among US markets (who are watching this from afar with interest) the consensus is again mixed – but the proportion of those who believe the traditional war wordings will suffice appears to outweigh those who are looking to define coverage.
Anecdotally there are suggestions that the US market is gaining market share as a result of the introduction of new cyber war wordings in London. And this publication understands that some global carriers are using different wordings in the US and the UK for that very reason – adding to the complexity.
The reinsurance renewals
Key to how this story will play out are the upcoming treaty renewals, and in particular whether the other reinsurers will follow the market share leader, Munich Re.
Munich Re is a significant player in both direct and reinsurance cyber business – with premium understood to be running into the billions. As such, it believes controlling aggregations is paramount on a balance sheet, as well as an industry, level.
The (re)insurer warned it will take the “necessary steps” to ensure that any risk it takes on from cedants will be in line with its own appetite – while stopping short of explicitly saying it would refuse to provide reinsurance coverage.
Nevertheless, this now raises the very real prospect of some carriers being unable to secure back-to-back reinsurance coverage for their cyber book. And this is a market which cedes around 40%-50% of its risk to reinsurers.
Finding alignment between cedants and reinsurers is therefore a crucial part of the cyber market being able to move forward.
It is understood that the extent of coverage granted for cyber war will be a key focus area for Munich Re at the upcoming 1 July renewals – and both cedants and reinsurance peers will be watching closely to ascertain whether the strength of Munich Re’s rhetoric will match the reality.
Sources noted that other reinsurers are being less hardline in their communications with cedants so far – and are rather asking questions around their position on cyber war, and the aggregations they are running. It’s not unreasonable to question whether Munich Re’s peers will see this as an opportunity to gain market share, if they believe they can manage the aggregation risk.
Brokers told this publication they were doubtful that there would be a consensus among reinsurers in time for 1 July. It is worth noting though that the July renewals typically feature London market and European cedants – many of which will have aligned in some way to the Lloyd’s mandate or LMA wording.
In contrast, 1 January is predominantly a US renewal. As such, 1 January 2024 could prove to be the true test of global cedant-reinsurer alignment on this important issue (and there is plenty of time for more debate before then).
In other classes of business, it has tended to be the reinsurers which have forced through change. The restructuring of the specialty treaty market at 1 January is a clear example. However, it’s worth noting that this was post-Ukraine, and there was clear consensus among reinsurers that things needed to change.
The circumstances around this cyber war situation are far different – it is a rare example of the industry attempting to be proactive in defining coverage, rather than reactive.
Is there a scenario where there can indeed be a number of schools of thought? Or perhaps a scenario where a different view on cyber war coverage can be taken depending on what type of insured is transacting? (Financial institutions, for example, are more concerned about cyber war coverage than your average SME business.)
It feels unlikely – and runs the risk of making things even more complicated and fraught than they are.
Ask anyone in the market how they think this will play out and few dare to venture an answer. If there is any consensus, they think the market will gradually align to one view – but some believe this timeframe will stretch out further than 1 January 2024.
But can we guarantee the industry won’t find itself facing a systemic loss event, and a resulting high-profile war coverage dispute in the courts before then?