The intricacies of cybercoverage are of growing interest to technicalprofessionals — so much so, in fact, that the June meeting ofthe International Information System Security CertificationConsortium (ISC²)’s New York Chapter was devoted toCyber insurance.

ISC² provideseducation and certifications in IT security. The CertifiedInformation Systems Security Professional (CISSP) is perhaps theirbest-known certification.

The audience for the two sessions presented were techprofessionals — and it was clear from their questions pepperedthroughout the presentations and in Q&A that Cyber insurancecoverages and the claims process were both of keen interest toattendees.

While much attention is focused on data-related cyber theft,Mike Cavanaugh, vice president and director of production atApogeeInsurance Group, noted that bodily injury, property damage andbusiness interruption are emerging as cyber-related risks tobusiness. The increasing connectedness of insecure devices (i.e.,the Internet of Things) is increasing the probability of thesethreats.

Most insureds, Cavanaugh said, don’t realize their GeneralLiability policies probably don’t cover physical damage caused bycyber attacks. Also noted: What we’ve all seen in the media— that audacious thefts of money and securities throughfunds-transfer fraud is also on the rise.

Perhaps the most interesting point underscored by Cavanaugh isthe evolving role of cyber insurance providers less as purveyors ofpolicies and more as cyber risk consultants. This was a point madelater by David T. Vanalek, director of U.S. Professional Liabilityfor Markel, in hispresentation.

Both speakers noted that underwriters are striving to get moreaccurate pictures of their clients’ risks, and to do this they arehiring staff with deeper domain expertise in information technologyand legal issues. They each encouraged insureds to seek outcarriers that have IT security experts on their cyber insuranceteams.

Here are some key takeaways from the ISC² Junemeeting.

Key takeawaysfor insureds:

• If you handle personal data, financial data, or healthcaredata, you need cyber insurance.
• Organizations handling personal healthcare information areincreasingly targeted by cyber criminals
• Ransomware/cyber extortion attacks are likely to increase dueto the widespread availability of the software tools – and theirlow cost.
• Evaluate your potential cyber insurance provider carefully (seebelow for some specific tips).
• Cyber criminals use information to create detailed profilesthey can use in personalized attacks.
• If you’re in healthcare or any other industry where hackeddevices can cause bodily injury, be sure your cyber policies coverbodily injury.
• Cyber insurance is a service not just a product. It’s not arisk transfer relationship — it’s a risk managementrelationship.
  
  

Key takeawaysfor insurance professionals:

• Cyber insurance is not widely adopted by small and mid-sizedbusinesses, which presents an opportunity for carriers, agents andbrokers equipped to serve these companies.
• There’s not much historical claims data available for carrierswriting cyber policies — so there’s always an element ofuncertainty in the underwriting process.
• The largest companies involved with underwriting anddistributing cyber insurance coverages have adopted a professionalservices model — consulting closely with clients on theircyber risk throughout the lifecycle of their relationships.
• Underwriters of cyber risk need a keen understanding of varioussecurity standards and protocols — and the risks associatedwith each.