IQ Autumn 2017

One common characteristic of the strongest leaders is that once they know something important, they are unable to ignore it.

They don’t procrastinate – they operate.

For instance, when someone I knew was told there was a reasonable chance that he might have testicular cancer he took the snap decision to have the offending item removed immediately.

He could have waited for barrage of tests to confirm the supposition, but he wasn’t interested.

For him, the simple thought that he was harbouring something that left alone might kill him was enough to spur direct and decisive action. He made a tough call and the problem was quickly solved.

Our industry is somewhat different.

Unlike my friend, we know we are infected with a cancer, yet we are unable to take remedial action. We are petrified and paralysed. The infection has found its way into every corner of our business. Paradoxically, despite the spread, our vital organs are not affected and it is still not too late to act.

But this is a disease with no known cure, so remedial action must always be surgical and therefore painful.

Like all great emerging insurance pathogens, the loss event or events it can cause are extraordinarily hard to define. But unlike most other life-threatening agents it aggregates in a way that is unrelated to geography or to line of business.

This is the disease we call silent cyber exposure. Wherever it is not explicitly excluded it is tacitly included. We know this exposure is everywhere we look.

Contrary to the popular refrain, there is absolutely nothing golden about our industry’s silence on this issue.

Remember how silence worked out with asbestos?

At least with that slow-motion catastrophe the underwriters of the day could rely on the defence that when they wrote the business they weren’t aware that the near-ubiquitous powdery construction material was a carcinogen.

To this defence they can add the fact that the judiciary and legislators made rulings and interpretations after the fact that created retroactive insurance cover that was never intended to be offered and for which a premium was never collected.

This time there can be no such excuse. We are on alert.

It is far more akin to the US market’s relationship with terrorism prior to 9/11.

Anyone could look at Europe going back into the 1960s and 1970s and see the exposure definitely existed. Indeed, far closer to home they could see the earlier 1993 WTC attack, which had already injured a thousand and collapsed the ceiling of the PATH station below.

Yet terror cover was still silent across classes eight years later in 2001.

So what’s stopping a mass imposition of cyber exclusions? Simple – to do so in a soft market is far too painful. It would involve losing a hard core of longstanding profitable business to competitors willing to look the other way and stay silent.

There’s also the experience of Y2K and electromagnetic fields.

Both were potential systemically aggregating risks – neither of which materialised.

Perhaps there is an element of wishful thinking? Perhaps a cyber clash event won’t happen. But given what we know about the nature of the threat and the near ubiquitous interconnected exposure, I believe that to be enormously unlikely.

We know enough.

For some that is enough to act. Others need more evidence. The trouble is that in this case the evidence will be acquired very expensively, or indeed fatally.

Have a quiet Q3.

To read the Autumn 2017 issue of IQ, please click here.

Related articles