Insurers grappling with scale of cyber-risk

  • Hot topic: cyber and emerging technology risk panel moderator Noel Pearman, left, with panellists Andrew Halls, John Masters, Mark Owen and Kerr Kennedy (Photograph by Scott Neil)

Insurance industry minds are grappling with ever-evolving cyber-risks and resulting liabilities, including mounting levels of regulations and increasingly costly disruption caused by cyberattacks.

An international cyberattack at the end of June hit a number of global companies and caused major insured losses. The loss at one of the affected companies is still being calculated, but could be close to $1 billion.

Meanwhile, various global regulations, including some with fines as high as 4 per cent of a company’s global annual turnover, are causing uncertainty for companies and insurers.

These were two key talking points for a panel of insurance industry executives at the Bermuda Captive Conference, held at the Fairmont Southampton this week.

One of the panellists was Kerr Kennedy, executive director, advisory, at EY Bermuda. He ran through a list of regulators, from the US to Europe and Asia-Pacific, including China, Australia and Japan, that have introduced cybersecurity regulations or are in the process of doing so.

Significantly, two will come into force next year in Europe, one being the EU’s General Data Protection Regulation.

Mr Kennedy warned: “It has teeth. From a fines perspective it is 4 per cent of annual turnover or €20 million, whichever is the higher, if you are found to fall foul of the requirements.”

The data protection regulation aims to give more ownership of personal data back to the individuals themselves, as opposed to companies. It is centred on the EU, but its implications are global. Any company or organisation which processes, collects or transmits personal data of any EU resident will fall into the scope of the regulation, which comes into effect on May 25, 2018.

Mr Kennedy said: “It has been recognised that companies have not been doing enough to get ready for this.”

He mentioned a survey that had 31 per cent of respondent companies stating they were already compliant, but further investigation showed that only 2 per cent actually were.

Another panellist, John Masters, assistant vice-president, financial lines, AIG Bermuda, referred to a meeting with a top information security officer at Aon, who stated that on day one of the GDPR no one would be 100 per cent compliant.

Mr Masters said for a global company such as a bank or energy producer with annual turnover of $100 billion, a 4 per cent fine would be “huge money”.

He added: “Clients are concerned about how GDPR is going to be enforced. It leads to uncertainty on the insurance side; are fines resulting from GDPR going to be insurable or not?”

Mark Owen, vice-president, insurance services, Aon Captive and Insurance Management, wondered about global standardisation of regulations. With individual states, countries and economic blocs implementing their own regulations, global companies face the challenge of being aware of and meeting the different compliance thresholds.

Mr Owen said the barrage of legislation creates uncertainty. However, he noted that companies could benefit from placing some of their cyber-risk liability into their own captive.

“Innovation is the biggest thing. As the market develops you can work with that and put it in the captive,” he said.

“One of the biggest things is when something happens you need money pretty much straight away in order to deal with a significant loss and putting teams on the ground. You have to have the ability to manage the losses. A captive gives you the scope to do that; it can pay for a lot of that very quickly.”

He said a further benefit from a captive featuring some cyber liability component is having “skin in the game”, giving a company an added incentive to reduce its risk. And a company can share the overall risk liability with an insurer.

“You can put the first element of that risk through the captive and the markets sit behind with a full understanding of how that is being developed. That’s how you can harness the market as well as using the captive to take some of that risk,” Mr Owen said.

Andrew Halls, senior underwriter with JLT Insurance Management (Bermuda), said when there is a captive involved in a cyber programme the company’s related insurance rates often start to decrease.

He said “every little thing helps” and added that net retained risks in a captive tend to be first-party coverage, giving the captive owner the ability to pay quickly and have better control of their claim.

The expanding breadth and depth of cyberattacks and resulting insured losses were also discussed. Mr Masters mentioned the impact of the NotPetya computer virus on pharmaceutical company Merck.

The company experienced a network cyberattack on June 27 this year that led to disruption of its worldwide operations, including manufacturing, research and sales operations. In its most recent earnings statement, the company said it still does not understand the full magnitude of the impact as it is in the process of restoring manufacturing operations.

Merck was among a number of companies whose global operations were disrupted by the cyberattack. Others affected included FedEx, AP Moller-Maersk and Mondelez.

Speaking about Merck, Mr Masters said: “They have a huge property programme in place that does not exclude business interruption coverage relating from a cyber event. They have cyber liability in place, so likely that will respond first, but then the property programme will be on the hook. Who knows, it could be a $700, $800, $900 million, or a billion-dollar loss to the market which, when it was putting that property programme in place, was not contemplating the cyber exposure, or if so the market was not pricing for it.”

Referring to risk aggregation, where cyber and property coverage is combined, he said: “There was not enough contemplation of those events that could happen that could lead to an unforeseen billion-dollar loss in the market.

“This is the first of many. It will be interesting to see how the market evolves within the next 12 to 18 months.”

The panel moderator was Noel Pearman, senior vice-president and cyber product leader at XL Catlin.

Published Sep 15, 2017 at 8:00 am (Updated Sep 14, 2017 at 7:30 pm)
