The Management Series

To sign up for our newsletter, please click here.

Nov 2017

Making Sense of Cyber Insurance

Cyber insurance sales are growing at a decent clip, but given the growing threat of attacks and the potential for huge losses, analysts still see the possibility of doubling or even tripling sales in the United States in the next few years. However, “the industry has a long way to go to reach those lofty predictions,” warns the Deloitte Insights website in an article titled “Demystifying Cyber Insurance Coverage.”

“Many commercial enterprises have yet to purchase a cyber policy—or if they have, their coverage tends to leave them underinsured.”

Deloitte cited a Council survey that said just 29% of U.S. businesses had bought cyber insurance as of October 2016.

So what is holding the market back?

Deloitte pinpoints various factors from the point of view of both the insurance industry and prospective buyers.

Consumers, the report says, often don’t understand the threats they face or the insurance coverage available. Buyers are often hesitant because cyber insurance could be spread out over different types of coverage, is hard to understand, and is subject to an evolving legal landscape. Moreover, the policies generally aren’t standardized.

Insurers, on the other hand, don’t have enough data to weigh risk adequately, are nervous about the ever-changing and unpredictable nature of attacks, can have tunnel vision that leads them to offer a narrow range of products, and can be spooked by the possibility of catastrophic losses.

The prospect of multiple losses due to one attack—an “aggregate attack”—is especially high on the list of insurance company concerns.

“One of the insurers we spoke with wondered what would happen ‘if tomorrow a website host is hit with a denial of service attack or is hacked. What if they’re unable to service their clients? All those who have their websites on that platform might not be able to do online business while the third-party server is offline,’” Deloitte says.

“There’s a real aggregation risk there,” the report adds. “How do we know whether our cyber insureds aren’t all in one basket—cloud, website host, e-mail server, software-as-a-shared service?”

Deloitte offers numerous possibilities for improving the market. One particularly intriguing notion is “creating comprehensive, holistic programs that span a buyer’s cyber risk life cycle to complement traditional risk-transfer provisions.”

The idea is to include risk prevention services and real-time monitoring as part of a package, which would allow insurers to offer lower rates for people taking such preventive measures.

In the article “The Ever Expanding Scope of Cyber Risks: All Policy Lines Beware,” the cyber law blog at Sedgwick warns that insurers can be on the hook for cyber-related losses even if they don’t have a cyber product line.

“Other lines—less deliberately and often inadvertently—get caught up in claims that arise from cyber risks and are faced with requests to cover claims of economic losses, property damage or bodily injury,” Sedgwick warns. “Virtually every insurer has been faced with a claim they never anticipated, which arose from what can be described as a cyber event because it involved use of or affected a computer system even tangentially.”

Sedgwick pinpoints several examples of other vulnerable lines. Here are two examples:

  • Theft coverage faces claims caused by fraudulent fund transfers made via computer or computer scams.
  • Employer liability “may see claims from employees disciplined or terminated because of cyber events and perceived fault.”

Sedgwick urges insurers to assure underwriters and claims personnel are trained to take cyber risks into account for all lines.

“Often, identifying a potential cyber-related claim and consulting with internal talent experienced in addressing such risks can be key to controlling the risk and exposure both on an individual and aggregate basis for the insured, the insurer, and the reinsurer,” the cyber law blog says.

The Council’s Cyber Watch newsletter recently addressed the limited amount of available data on cyber attacks and the problem it poses in “Wanted: More Data in Cyber Insurance.” There are multiple reasons for the lack of data. “Not only are organizations hesitant to report cyber events in fear of reputational loss, insurance companies are skeptical to share incident data with each other for competitive reasons,” The Council wrote.

Cyber Watch notes that “while the insurance industry has historically stayed at arms-length from government regulation,” The Council supports some efforts to spur the collection of more and better data, chiefly a national law requiring the reporting of data breaches so they can be compiled and researched in one central data bank.

comments powered by Disqus