Ariel Re’s Carr: CrowdStrike highlights cyber coverage discrepancy concerns

Significant discrepancies between the products being offered by primary carriers remain a key concern for the cyber reinsurance market as it nears the 1 January renewals, Ariel Re’s Dan Carr has told The Insurer.

The reality, Carr said, is that none of the products currently being offered by the market are perfect.

“At Ariel Re we have made a concerted effort to try and bridge some of those challenges as a reinsurer. However, when you’re providing defined reinsurance products at the back end into a front-end insurance market with variable wordings and the potential for different policy responses, as well as inconsistent approaches to portfolio data capture and reporting, there’s an inevitability that you have to make an awful lot of assumptions when assuming that risk,” said Carr, head of cyber underwriting at Ariel Re.

One of the major issues with the cyber (re)insurance market is a lack of standardisation across primary underwriters’ wordings, Carr said.

“We want to get some level of consistency and certainty of control with regards to the nature of the events we're taking on as a market, whereas you've often got the inverse pressures in the insurance market as we collectively seek to grow product penetration.

“As a result, there remains significant variability in the risk sitting on balance sheets because of a wide range of policy wordings.”

That discrepancy was made apparent by the CrowdStrike incident.

“Very few could quickly say with a high degree of confidence, ‘This is the total aggregate exposure we’ve got to this event’. It was very much: ‘We’ve written this amount of total limit; however this policy gives coverage for system failure, this one doesn’t, this does in some circumstances, and this one has a contingent business interruption sublimit.’

“There remained a huge range of outcomes, and the data to thoroughly evaluate them is not necessarily immediately and clearly accessible.”

Understandably, the original insureds want the broadest coverage they can secure, and primary carriers are working to provide them with the protection they need, but the concern from reinsurers’ perspective is precisely how those products then stack up.

“There's an awful lot of intellectual powerhouses trying to enumerate and consider the size and quantum of the CrowdStrike event itself, whilst on the other side, you’ve got the additional question as to what risk the market is covering. What's the variance between such coverages?”

The natural reaction to prevent such issues and confusion is to insert exclusions into cyber coverages to achieve some level of uniformity, either in the reinsurance or the primary protections.

But Carr said that is not the right response.

“The reality is that such coverage came into the market because there’s a clear and demonstrable need for it from customers. And sequentially, there’s going to be demand for reinsurers to provide that coverage as well.

“What we need to ensure throughout the chain is that we’re collecting the right information to make this a feasible and sustainable proposition. It’s highly unlikely we’ll get the modelling view of these events correct at first, but at least we’ve got the right building blocks in place to give the market the best chance, and to more easily address it should that prove not to be the case.”

Carr said it would “question the credibility of the cyber offering” if the cyber (re)insurance industry suffered major losses for unintended exposures.

“That would erode the confidence in the products, and as a result limit our collective ability to provide and secure the scale of capital required in order to grow cyber into a $35bn to $40bn market and meet society’s need,” he said.

“We need to do the right things to garner and develop confidence in the market, whilst ensuring we are embedding the building blocks to provide credible, valuable and sustainable products.”