Navigating the rising tide of latent cyber insurance claims

Munich Re cyber underwriter for global clients Timothy Marshall believes vigilance and strategic action is needed to address latent cyber claims

In 2015, a pivotal class action lawsuit was filed against Facebook, igniting a legal dispute over the alleged violations of the Illinois Biometric Information Privacy Act (BIPA).

By 2021, this had concluded with a staggering settlement of $650mn.

Alongside this landmark case there have been a number of similar litigations against industry giants such as ADP, Six Flags and TikTok, the stark findings of which have been exacerbated by the Illinois Supreme Court’s interpretation of BIPA, deeming each instance of illegal processing as a separate violation. These developments serve as a sobering reminder of the evolving landscape of cyber insurance.

The trajectory of these cases highlights a concerning trend in the industry — the rise of latent claim developments that increase in potential after several years due to modifications in legal precedent and regulatory strengthening.

This also serves as a harsh reminder that cyber insurance has a casualty element and might not be as short-tail as it may be convenient to believe.

As such, we as an industry need to be vigilant as we cannot quickly manoeuvre on these long-tail issues as we did so successfully with ransomware. The question is “how do you know whether a potentially positive-looking underwriting year has large latent claims waiting in the tail, years after notification?”

Additionally, an example of the most recent trend of litigation is pixel tracking. This code, embedded in websites to track user behaviour, has raised significant privacy concerns.

Pixel tracking is heavily used online — including on hospital system websites, which allegedly resulted in several cases of patient appointment information and other protected health information being disclosed to third parties. Because of the highly personal and private nature of the information these claims have an uncomfortable character, meaning claims arising from pixel tracking usage on healthcare websites could become very costly and drag on for years.

For different reasons, business interruption claims seem to also be contributing to the elongation of the cyber insurance tail due to some of the complexities cyber brings to business interruptions.

Here, delays typically centre around the collection and assessment of the right information to quantify income loss. The market generally is seeing both settlement inflation and an increase in time from incident to settlement for business interruption claims.

The combined challenges of evolving privacy litigation and business interruption are thus undermining the narrative of a shortening cyber tail. This belief has been widely held in recent years, creating a perilous future for insurers as large claim costs can emerge years after the policy inceptions, or indeed the claims events.

Considering these emerging challenges, any claims with latency, such as privacy-related actions, require heightened vigilance. As these can spike so long after the policy inception, it is exceedingly difficult for insurers to react swiftly to emerging trends, unlike those in ransomware where events are (more) immediately visible.

With the limited history around the development pattern of cyber, any significant jumps in incurred claims on older underwriting years have an outsized leverage on any future projection.

Therefore, insurers that have suffered large late losses might face questions to justify the performance of younger years being different. We advocate for a holistic understanding of these claims, emphasising the importance of client dialogue in deciphering the underlying causes of latent development in claims.

Insurers are encouraged to engage in dialogue with reinsurers, shedding light on the circumstances surrounding these claims.

By understanding the intricacies of each case, insurers can accurately assess risk and refine underwriting strategies accordingly. It is also important for the industry to embrace structured data collection. By capturing detailed causes-of-loss, insurers can proactively analyse emerging trends and anticipate future challenges.

This proactive approach mitigates the risk of being caught off guard by evolving loss patterns, ensuring the sustainability of the cyber insurance market.

In conclusion, the era of latent cyber insurance claims demands change in thinking in the industry's approach. We must remain vigilant, adapt to emerging trends, and foster collaboration with clients to navigate this evolving landscape.

By embracing data-driven insights and strategic partnerships, insurers can effectively mitigate risk and safeguard the future growth of cyber insurance.