Even before a global wave of ransomware attacks in mid-Maydemonstrated the vulnerability of organizations large and small,many corporate buyers were already losing sleep over the lack ofclarity and certainty in their cyber insurance coverage forproliferating digital exposures, judging from the attention devotedto such concerns during the recent Risk andInsurance Management Society (RIMS) annual conference.

Indeed, caveat emptor — let the buyer beware — seemedto be the unofficial theme of the numerous cyber risk seminarstaking up a large portion of the event's extensive educationalprogram. During one heavily attended session after another, riskmanagers, attorneys, brokers, and consultants warned howchallenging it would likely be to secure sufficient and reliablecyber coverage in this promising but problematic market.

Related: Insurers must adapt to underwrite mutating cyberrisks

Lack of clarity and certainty

Insurers have a lot at stake here since cyber appears to be oneof the industry's biggest opportunities for organic growth. Withnew cyber exposures manifesting themselves all the time, increasingdemand for risk-transfer solutions could offer insurers a chance toexpand the overall property-casualty premium pie, rather than keepfighting one another for a bigger slice of what's already availableto cover more routine exposures. However, predictions ofexponential growth are unlikely to be realized unless insurers canoffer clients true peace of mind about rapidly evolving cyberthreats to their people, property, reputation and bottom line.

During the RIMS conference, the titles of a few of the sessionsprovided not-so-subtle hints of what's keeping risk managers up atnight. One focused on "Protecting your board directors andexecutives from a cyber nightmare." Another related "tales from thecyber trenches," offering tips on how to avoid having claimsrejected. Buyers were warned about potential "trapdoors" and"landmines" in policies that could leave a company exposed if theirrisk manager doesn't cross every "t" and dot every "i" whilenegotiating coverage for this rapidly evolving risk.

Based on all the nervous chatter at the conference, it appearsthat cyber insurance is perceived by many prospectivebuyers as a potentially hazardous trip into the unknown, inpart because policy terms and conditions are largely untested — andnot just for new stand-alone policies. Standard property andcasualty coverages — including directors and officers, professionalliability, and business interruption — are often "silent" oncyber risks, not explicitly stating whether or not policyholdersare insured. The result may be a mismatch of expectations thatcould prompt cyber claims disputes down the road, while stuntingthe growth of this nascent market until such fundamentaluncertainties are settled.

To avoid coverage misunderstandings, buyers were encouraged torun cascade scenarios and conduct gap analyses assessing how theirrisk management and insurance programs might respond in a cybercrisis. Another precaution might be to purchase wrap-aroundcoverage as a supplement to current policies that are silent oncyber risks, rather than assume such exposures are alreadyincluded.

Single attack can prompt claims under multiple policies

One other key takeaway echoed repeatedly during the RIMSconference is that cyber security is not "just" a tech problem.Instead, it's a classic enterprise risk management challenge.That's because cyber exposures can put an entire operation at risk,affecting people and property, undermining a company's reputationand stock price, as well as creating regulatory compliance issues.A single attack can prompt claims under multiple policies. Riskmanagers should therefore engage with leaders across theirorganization, including IT, legal, operations, and talent, to makesure they are covered if worst comes to worst.

Related: How risk modeling propels the cyber insurancemarket forward

Last but not least, brokers were often cited as key players inthe cyber risk process, and not just to help identify potentialgaps and compare coverage options. Some spoke about brokersproviding unofficial "sleep insurance" for buyers, under the theorythat errors and omissions coverage might offer somerelief if a client is left exposed.

By the end of the three-day conference, risk managers attendingthe RIMS cyber sessions had likely been scared straight, not onlyabout the potential consequences of suffering a breach, but also ofinadvertently ending up uninsured.

Cyber risk is anything but routine

Working with their surrogates — the beleaguered chiefinformation security officers — risk managers have the unenviabletask of securing a company's data and operating systems, remainingvigilant in the face of an ever-widening range of attacks and beingresilient to recover quickly in case of an incident. A big part ofresilience usually involves transferring risk to insurers. This ishow risk managers routinely handle other standard property andliability exposures.

Related: Charting the evolving role and authority of thechief risk officer (CRO)

But from what I observed at RIMS and learned in my own research,cyber risk is anything but routine at the moment. The lack ofclarity and certainty could make cyber insurance a harder sell thanit should be for such a highly publicized exposure, while perhapsdriving buyers into alternative risk-transfer vehicles, such asself-insured captives, risk retention groups, and capital marketsecuritization.

How might insurers go about overcoming these and other obstacleshindering the cyber market's development? For additional insights,see the research report I recently published on Deloitte University Press, co-authored by mycolleague, Adam Thomas, a principal in Deloitte's Cyber RiskServices team, on "Demystifying Cyber Insurance."

Sam J. Friedman ([email protected]) isinsurance research leader with Deloitte's Center for FinancialServices in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.