Now into its third major phase of development, cyber insurance is no replacement for robust IT security. However, it has an important role to play as part of a holistic risk management strategy, creating a second line of defense to mitigate cyber incidents.
Standalone cyber insurance can trace its roots to “Y2K” and the infamous “Millennium bug”. Concerns that programming issues associated with the Year 2000 date change would cause widespread computer system failure prompted many companies to first assess the potential for cyber risk to their businesses.
As companies became more aware of their cyber exposures they began to look to their property and casualty insurers to provide cover, explains Jens Krickhahn, Practice Leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe, who has underwritten IT and cyber risks for over 16 years.
Initially, insurers such as AGCS offered separate property and liability covers for these emerging cyber risks. However, this early cover was relatively limited compared with today’s standalone product offering.
The second phase of development of the cyber insurance market came with rising privacy and data protection legislation, particularly in the US.
This saw the development of standalone cyber insurance products focused on the costs associated with data breaches. These policies evolved to include instant access to expert response services and crisis management.
The third phase of development – currently ongoing – sees an increasing awareness amongst organizations that cyber risks are not only about protecting consumer data and that breaches are not limited to the US.
Over time, the cover offered under a cyber insurance policy has become broader and more standardized. “A cohesive cyber insurance market is developing,” says Nigel Pearson, Global Head of Fidelity, AGCS.
Data breach cover
Over the past decade, an important element of cyber insurance has been the development of privacy and data breach cover.
The cornerstone of most standalone cyber insurance has been the cover for third party liabilities – such as legal or regulatory actions – as well as first party costs associated with responding to the breach. These can include the cost of notifying individuals, credit monitoring, IT forensics, public relations and crisis management and communication.
“Cyber insurance gives access to experts, such as legal, IT forensics, crisis communications and more, to help policyholders navigate their way through a breach in a professional way. This can limit reputational damage and ensure there is life after the crisis,” says Krickhahn.
In addition to this core cover, cyber insurance can also provide other useful liability coverages for the digital age. For example, media liability cover protects against litigation arising from defamatory content published on a website or through social media.
It is also possible to insure against a data breach that occurs at an outsourcing partner, such as data stored with a cloud service provider.
Cyber-crime cover, including theft of funds and cyber extortion, is also available.
Business interruption protection
One of the biggest developments in cyber insurance in recent years has been the addition of more meaningful business interruption insurance for cyber-related events.
It is now possible to purchase standalone cyber cover that either combines first party business interruption insurance cover with data breach liability or includes only first party business interruption cover. It covers partial or complete business interruption following a cyber-attack or operational or technical failure.
“In the context of cyber, business interruption cover can be very broad. Not only can it cover 'business IT' computer systems, it can extend to industrial control systems used by energy companies or robots used in manufacturing, for example,” explains Georgi Pachov, Global Practice Group Leader Cyber, CUO Property, AGCS.
“With technological advances businesses are driven by data flows in real-time: logistics are tracked from supplier to customer, products are assembled using online parameters, calls are delivered over internet protocol, power is transmitted by means of demand. Any interruption of the process chain – even for a minute – could cause a severe business interruption, impacting the balance sheet of a company. Big data, data analytics, artificial intelligence, the 'Internet of Things' – it’s all about managing, understanding and making smart decisions based on the data in order to gain competitive advantage.”
It is also possible, in certain circumstances, to insure against contingent business interruption (CBI), such as the failure of IT or operational technology infrastructure belonging to a third party.
However, CBI cover for cyber exposures poses a significant risk of accumulation, so insurers can only offer limited cover, and only after detailed risk analysis requiring additional data from the insured.
Cyber risks have emerged and evolved rapidly in just a few decades, while many traditional insurance products have yet to fully adapt.
In some cases, traditional insurance products may unintentionally extend cover to cyber-related losses, although such cover is largely untested and would be limited to only certain cyber exposures.
“Traditional property and casualty insurers are now looking to examine the cover extended to cyber risks. Exclusions in traditional policies are likely to become more commonplace. Standalone cyber insurance will increasingly be seen as the main source of comprehensive cyber liability cover,” says Pearson.
One gap that currently exists between traditional and standalone cyber insurance is for physical damage resulting from a cyber-incident. For example, a fire or explosion could result from a compromised industrial control system controlling an industrial process or oil pipeline.
Physical damage resulting from a cyber-event is typically excluded under standalone cyber insurance. However, physical damage resulting from a cyber-attack is not explicitly covered under property insurances, and in many cases will also be excluded.
“One of the cyber challenges is to identify what exactly caused a physical damage,” says Pachov. “An explosion or large fire can be caused by an incompatible software, operational error or cyber attack but very often it is impossible to locate the origin of the damaged equipment.”
Litigation on the way
Standalone cyber insurance will continue to evolve as it responds to changes in both cyber risk and regulation. However, such development will bring challenges. There are a number of different policies in the market, and many have concepts and wordings that have yet to be tested.
“As time passes we may well see more litigation in this area. There will be uncertainty about how courts will interpret some of the concepts. This is not unusual with new products and will result in a body of knowledge for underwriters,” Pearson adds.
And the cyber insurance market is not without other challenges. For example, as demand picks up, insurers will need a larger pool of expertise to draw on.
“There is currently a lack of knowledge in the insurance industry,” says Pearson. “We are learning quickly but there is a shortage of talent and skills. The industry needs to up its game in terms of risk assessment and expertise.”
Perhaps the biggest challenge for insurers is to manage the risks they take on as the cyber insurance market grows. An increased pool of premium and diversity of risk will be welcomed, but insurers will need to control their exposure to systemic cyber risks, like malware or a breach/outage at a large cloud service provider.
Of particular concern is aggregation risk. However, the data and modeling tools that are commonplace for understanding catastrophic property exposures do not yet exist for cyber risk.
Insurers are looking to use realistic disaster scenario testing and modeling to get a better understanding of cyber risk and what it means for their balance sheets, but this will take a few more years to develop and improve, particularly as cyber risk keeps evolving.
Greater segmentation and specialization
One result of a lack of claims data, and the challenge of understanding and assessing cyber risk, is likely to be greater segmentation, with some insurers seeking to specialize in certain sectors, Pearson predicts. Individual insurers are likely to better define where they have appetite and tailor their products accordingly.
“There is lots of capacity in the market, but there is still not enough data to fully understand the risk. So pricing volatility will continue and market segmentation will increase,” he says.
Role of insurance
Insurance is not a replacement for good cyber security. However, it can provide protection should the worst happen.
“Insurance brings additional risk mitigation and compensation in the event of a claim. With a property risk, you would install sprinklers to mitigate fire losses, but you would also buy insurance in the event of the building burning down. The same concept applies with cyber risk,” explains Krickhahn.
“However, once you have purchased insurance, it does not mean that you can ignore IT security. The technological, operational and insurance aspects go hand-in-hand.”