Will Cyber Risk Be 9/11 All Over Again?
Hundreds of New York City firefighters were climbing the stairs in the World Trade Center when it collapsed, taking the lives of 2,700 people in September 2001. Many parts of the story are well known.
One part haunts us today with respect to cyber risk.
In an April Risk & Insurance® story, editor Dan Reynolds reminded us of the difficulty of helping people understand cyber risk, particularly when mass media simplifies issues and social media spreads unfounded opinions and assumptions.
Reynolds points out that the motivation of underwriters is to pay legitimate claims. Many of the electronic communication platforms create the opposite impression.
Forgotten in the complaining by policyholders, which often occurs at dinner parties and while watching Little League games, is the need for insurers to deny claims for losses they did not accept in a policy.
Insurers assess risks and accept those that cause serious financial harm. Money to cover the losses of the unfortunate few comes from small insurance payments by unharmed many.
In this respect, risk managers live every day in a conundrum: The company wants to be insured in the event of a mishap. If one doesn’t occur, many people complain about the high cost of coverage. Numerous risk managers have been accosted with statements like, “We don’t have many losses. Why are our insurance premiums so high?” Or, “I’m paying you to manage risk. Why do I have to also pay a broker?”
These internal discussions combined with mass communications distortions have spawned into the world of cyber insurance. This has two components.
The first deals with foreseeable exposures. Cyber policies on computers, terminals and tangible system components can be written using standard assessments of risk. Coverage is available.
It’s a different story with electronic liability. Everybody’s connected. A minor error in a line of computer code can facilitate hacking that compromises millions of personal records, sets off catastrophic transfers of cyber currency, cause airplanes to fall out of the skies, and maybe even launches nuclear missiles.
This reality sets up the negotiation between risk manager and underwriter. The insured must retain sufficient exposure to encourage safe handling of electronic networks and equipment. The underwriter must, with the assistance of a highly-trained specialty broker, assess uncertainty — on top of identifiable risks. After detailed discussion, a policy can be issued that does not fully satisfy all parties.
Then a loss occurs as it did at the World Trade Center. Larry Silverstein, the WTC owner, did not foresee the exposure. He insured the twin towers for $3.6 billion — half of the replacement cost of both towers. Partly because of the underinsurance, it took 13 years to rebuild the complex.
An outgrowth of the tragedy was a recognition of how insurance is tied to a complex web of risk. The $7.2 billion property damage was dwarfed by another $25 billion in life insurance, health costs, airline shutdowns and business disruption claims, not to mention lawsuits seeking insurance payments for a wide variety of other losses.
The mass media did not help. Playing on the sensitivities of the general public, some platforms created fear and expensive problems as the country sought normalcy after 9/11.
The mass media was not joined by social media in 2001. Myspace had not yet begun its rise and fall; Mark Zuckerberg was in high school; and YouTube, Snapchat, GroupMe, Tumblr or the ever-popular Twitter were not yet launched
The danger of unseen cyber uncertainty, along with highly-active media, keeps risk managers and underwriters awake at night.
What’s the biggest hidden danger? We don’t know yet. Nor did we know in 2001.
The loss of life during 9/11 was multiplied by an otherwise sound engineering decision. The building was designed to collapse down floor-by-floor to avoid falling to one side. Normally a good idea, the design did not allow warnings as different parts of the buildings failed. It probably increased the loss of life as everyone still in the building was doomed seconds after the weakest point failed.
In 2001, mass media was not so aggressive to discover factors that could inflame the public about construction design. Times have changed. Today, we await the massive hidden cyber event magnified by the mass and social medias.
Until we know more, risk managers, brokers and underwriters can only heed the recommendation of Dan Reynolds to strive for a “better understanding of how insurance can respond to cyber events.”
But that’s not all folks. Reynolds alerts us we must also be prepared to “manage a public relations challenge.” &