(Image credit: Adobe Stock.)
This past year, we’ve seen the prevalence and impact of cyber risk with incidents such as the Dyn DDoS attack and the proliferation of the WannaCry, Petya, and NotPetya ransomware viruses. Surprisingly, the insurance industry has not been affected by these events despite cyber’s status as one of the top growth segments.
Unlike the very mature property insurance market—where “standardized” terms and policy language have evolved over time—today’s incipient and diverse cyber risk market poses challenges that must be overcome before insurers, in general, can play a larger role in helping to manage this risk.
Currently, policy language very often determines how various cyber-related scenarios might affect an insurer. It can be instructive to review a few loss scenarios from current claims, where disagreement over where coverage falls for each of these actual instances resulted in litigation:
- An employee wiring money to an account wrongly believed that the individual who told him to do so through social media was his boss.
- Business interruption occurred from a business’s lack of access to a credit card processing vendor. Although no breach may have resulted at the insured company, sensitive customer data was lost.
- A part-time hospital employee gained unauthorized access to confidential records and discussed sensitive HIPAA information with others.
- A laptop with sensitive information was lost.
Typically, each company has its own policy form language with unique coverages included and excluded.
Choosing a Model
Rather than relying on judgment about liability, companies might want to seek out tools that help users determine how individual coverages could be best represented within unique policy coverage frameworks. Such solutions can help companies decide if a scenario is better addressed under a cyber endorsement, errors and omissions (E&O), directors and officers (D&O), general ledger (GL), or any other form of policy protection. Further, it can be beneficial when a chosen modeling tool supports the application of other policies, sublimits, and additional financial vehicles so that companies can receive a more complete view of how their offerings might address a given scenario.
Property policies are frequently occurrence policies. Often the exact date can be pinpointed when an earthquake occurred, a flood overtopped a riverbank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber breach can often be identified. Unlike natural catastrophes, however, with a cyber breach, months or years can pass before its victim is aware of the activity. If a cyber liability is addressed on an occurrence basis, the terms and conditions of the loss when the breach occurred would likely be applied to resolve the claim. If the cyber liability is addressed on a claims-made basis, then the terms and conditions at the time a claim is made would likely be used for loss resolution.
As such, having the flexibility to account for the limits and deductibles as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to one that merely assumes how policy coverages are structured. Insight from insurers, reinsurers, and industry experts can help a company determine how best to model cyber risk, whether using several years of exposure data for occurrence policies or current terms and conditions for claims-made policies.
Art of Asking
Cyber tends to be a highly competitive and rapidly expanding marketplace in which potential insureds may be diverted by having to answer lengthy questionnaires. Yet, asking too few questions may allow competitors to skim the cream of the potential clientele. It’s clear that, in the context of cyber risk, obtaining appropriate information is an art form.
The importance of exposure data likely can’t be stressed enough for achieving accurate risk assessments. Consider, for example, a risk analysis for U.S. hurricanes. While most models will return a result if just the county and replacement value of an exposure are known, results will likely be highly uncertain if this is the only data input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information can be recorded, then a much more accurate representation of risk and expected loss can likely be achieved.
Different degrees of data quality will probably return analyses of varying accuracy for cyber models. For some, the minimum information required for risk assessments might be as simple as the name of the company and its revenue; and information from additional data sources can estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of the insured. Still, the collection of such data by insurers should be undertaken for even more detailed model results. If a model provider has an exposure data schema, companies are recommended to use it for the collection of such data to help ensure the information is model-ready. Once the total cyber profile is understood, a more accurate estimation of risk should be possible.
Cyber risk is still very much an emerging market, and it will likely be some time before it achieves a similar degree of standardization typical in the property market. Until then, flexibility in risk modeling solutions should remain vital for companies to truly and accurately “own” their cyber risk.