As reports about cyber risk in the press and board agendas abound, companies are looking to manage that risk. Even with mitigation, risk always remains.
A cyber insurance program covering those losses is increasingly seen as part of the solution.
Insurance solutions have been brought to market by innovative insurers. Still, risk managers are frustrated at the lack of available coverage at reasonable terms, while insurers marketing the coverage are frustrated that the market has not taken off. Brokers are stuck in between.
In time, cyber risk will support a vibrant new insurance market. For insurers, barriers to offering more economical coverage include the lack of claim history to use in pricing, and a hard-to-quantify clash potential. How cyber is covered depends on the needs of the insured.
Here coverage is often included as part of the package. Standard limits are often low, but increases can be purchased. It's important to understand what the actual risks are based on the insured's technology platform, how exposed the systems are, and system access points. For most small business riders, the options aren’t as extensive as for large business, but the needs are usually less unique. If needs are unique, flexible products described below can be used.
A good analogy for how cyber insurance works is boiler insurance. In both lines, a significant part of the premium is devoted to engineering the risk. For boiler, physical inspections are part of underwriting. For cyber, detailed questionnaires are often used to understand insureds’ risk management policies.
Coverage is available from many insurers for various aspects of cyber risk covering both first party and third party losses. For mid-sized to larger businesses, these are structured in modular coverage parts, so a buyer can elect just the coverages they feel they need, and not pay for coverages they don’t need. Typically third party coverages include:
- Regulatory Investigation Expense: Often regulatory fines can’t be covered, but insurance for the expense to defend against regulatory actions is available.
- Breach or Loss of Data: If data is lost, suits for damages can result, which could be class actions. Note there is also first party cover for remediation and notification expenses.
- Media Liability: As on-line information increasingly replaces traditional sources such as newspapers, television, and radio, losses due to infringement are possible.
First party coverages include:
- Crisis Management Expenses: Often the insurer provides the vendor to manage a loss event, and other expenses associated with an event such as data loss. This high quality management of the loss event protects both the insured and the insurer from further losses.
- Breach of the Network: This includes both remediation expenses and notification to third parties whose data may be compromised.
- Extortion: If a cyber-criminal accesses and encrypts data to charge a ransom for the release, this covers the ransom, and other restoration expenses.
- Business Income and Extra Expense: Similar to property policies, this can be covered subject to agreed waiting periods.
Other first party coverages that can be available include data restoration expenses, computer fraud, or fund transfer fraud.
Of course, all of the coverages may be subject to an aggregate limit of liability, in addition to the specific limits of liability for each coverage part. Be sure to check whether the defense costs on third party coverage are limited or are in addition to the limit.
Coverage for cyber events from insurance that isn’t cyber-specific is rare, but there is some. Inland marine forms on an all risk basis could cover property losses from cyber events. However, the standard property forms specify causes of loss. The property form may provide coverage only if a cyber event triggers a property peril that is covered, such as an explosion or fire. The standard General Liability form is usually issued with endorsements that exclude cyber coverage. Directors and Officers insurance (D&O) may cover suits against directors and officers resulting from a cyber loss. Overall, insurance that isn’t specific to cyber can’t be counted on to cover cyber exposure.
A market for cyber risk is developing. The pace of development is frustrating for both buyers and sellers. Insureds need to stay informed on the risks and coverages, and insurers need to stay creative with the coverage and pricing. As cyber coverage is complex and insurers’ approaches vary, insureds should seek the advice of a qualified broker.
Chris Nyce, FCAS, MAAA, is a principal in KPMG’s Actuarial Services practice. He specializes in helping insurance companies quantify and manage the many risks they face. He can be reached at firstname.lastname@example.org.