The awareness of the risk of cyber attacks is steadily rising, thanks to a seemingly endless stream of high profile attacks in recent years.
Experts believe that incidents like the Target breach in 2013, the Sony hack in 2014, the Dyn attack in 2016, and the recent WannaCry ransomware attack will only become more frequent, and that a truly catastrophic cyber event is on the horizon. Cyber criminals are becoming more sophisticated, and attacks are happening on a larger scale, affecting a wider range of targets. These digital bandits are also harder to detect and stop than ever before.
Still, the penetration of cyber insurance is estimated at less than 30% among businesses in the United States, where about 90% of premiums are currently being underwritten. Many buyers are skeptical of the value of cyber insurance, especially in the absence of a "standard" policy that would enable them to compare coverage and pricing. Others who have a better grasp of the possible losses they face may be unable to obtain sufficient coverage, at least not without adopting costly and unrealistically stringent security measures.
The lack of standardization presents many difficulties for insurers as well. There is a sizable gray area surrounding whether a loss event would be covered and under what policy. Given the limited take-up of affirmative cyber coverage, the potential for an event to trigger losses from "silent cyber" in a traditional line of business is a growing concern for insurers and regulators alike.
Cyber's gray area
As an emerging line of business, there is significant uncertainty in how cyber losses will be paid out. Cyber liability policies are typically written by exclusion first and inclusion second. In the aftermath of a loss-causing event, insureds may seek coverage for anything not specifically excluded from their policy — a form of "hidden coverage" that may not be taken into consideration when policies are priced.
Another type of hidden coverage is the possibility of having to pay out cyber-related losses under non-cyber policies, often referred to as "silent cyber." With the limited take-up of affirmative cyber policies, insureds who experience a cyber incident may seek payment for losses under one of their traditional policies, including property, errors and omissions, directors and officers, commercial crime, and commercial general liability.
For example, if an employee is instructed to wire money to an account by someone he wrongly believes to be his boss, would it be covered under commercial crime, commercial general liability, cyber, or would it not be covered at all? Or if a business’ credit card processing vendor is taken down by malicious activity, but no breach happened at the insured company itself, would lost revenue be covered under contingent business interruption, property business interruption, commercial general liability, or cyber? What if sensitive customer data is stolen — directors and officers, commercial general liability, or cyber? These are actual scenarios that have resulted in litigation to determine whether the insured should be covered, and under what policy.
The urgent need for risk management
The cyber gray area means that it's not a matter of if a company will encounter a cyber claim, but when it will happen and how it will be covered. It will likely take years and hundreds of actual claims and litigations before cyber policies become standardized. However, the need for effective risk management is evident now.
In the meantime, how should insurers proceed?
One key first step is to adopt a shared language when talking about the exposure. Unlike for property risk, there is no standard set of exposure data that is collected at the point of underwriting. The Verisk Cyber Exposure Data Standard helps to address this issue by providing a uniform method for data transfer across the insurance value chain, containing the critical parameters that must be captured to assess a company’s risk from cyber attacks. Some insurers might only require the industry and revenue of a potential insured, while others may spend weeks interviewing IT staff and require comprehensive questionnaires to be filled out before deciding whether the risk fits with the portfolio’s underwriting guidelines. Using an industry-wide cyber data standard would not only help underwriters differentiate risk based on commonly understood data elements, but would also facilitate the transfer of risk through the insurance value chain.
To effectively manage the risk from silent cyber, insurers should consider all organizations to be at risk of cyber-related losses (including non-profit organizations, hospitals, utilities, and governments), regardless of whether they have affirmative cyber coverage. Data on attributes that can affect an organization’s cyber vulnerability, including revenue, industry, number and types of vulnerable data assets, data storage and transfer methods, and cybersecurity measures, should be captured.
In the absence of standardized cyber coverages and policy wording, insurers should test various payout scenarios, mapping losses not just to cyber policies, but to potentially applicable business interruption, errors and omissions, directors and officers, commercial general liability, and other policies, depending on the makeup of the portfolio and scenario being analyzed.
Resilience is the goal
There is much room for growth in the cyber insurance market, and improving take-up will help businesses and communities become more resilient to the potentially catastrophic impact of cyber-related losses. Cyber risk management is still a nascent discipline, but with the increasing availability of promising tools that can help measure the risk, insurers can be more confident in offering more of the essential protection that society needs.
Scott Stransky is an assistant vice president and principal scientist at catastrophe modeling firm AIR Worldwide. Stransky led the research and development of AIR’s recently released cyber application, ARC (Analytics of Risk from Cyber), which helps insurers measure aggregations of cyber risk within a portfolio, and estimate potential insured cyber losses.