Cyber risk exposures have evolved dramatically over the past several years, and in 2016, risk management executives named cyber attacks as the top emerging risk to their business. It is vitally important for claims professionals to understand and be aware of the developing risk exposures and insurance products that are being marketed to address them.
But the term cyber itself invites the questions: What is “cyber,” what are some of the key risk areas that are evolving around cyber risk, and how is it important to claims professionals?
The International Risk Management Institute (IRMI) defines cyber as, “A type of insurance designed to cover consumers of technology services or products. More specifically, the policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities such as selling on the internet or collecting data within its internal electronic network.”
Key cyber risk claim implications
1. It's not just cyber liability — Cyber risk is often narrowly categorized as “cyber liability.” Third-party liability was the focal point of cyber risk in years past, but clearly first-party property insurance has emerged as a key area. First-party insurance offerings include loss of digital assets, business interruption and extra expense and cyber extortion. One example of property-driven cyber attacks involves the 2016 Iran oil field fires and resultant property losses that have tentatively been linked to malware attacks.
2. Wearables — The explosion of wearable devices such as Fitbits and Apple Watches has created new cyber risk concerns related to linked application access from the devices, as well as individual data from the devices themselves. Claims personnel should be aware of the potential exposure for employee-based group policies (group health; group life) that provide incentives to acquire, wear and upload personal health and fitness data. There is also a potential data risk when “connected employees” use corporate e-mail or groupware accounts from smart watches. Claims in either situation could be initiated on the loss of confidential information and typically provide coverage for the consumer.
3. Medical devices — Imbedded medical devices (IMD) such as insulin pumps, pacemakers, defibrillators, etc., are an increasing area of concern for cyber risk. Recent events, such as Johnson & Johnson's warning to users of cyber intrusion potential, illustrate the possibility for abuse. One key implication for claims organizations is to look for aberrant data that is reported from or to the devices, and to any potentially related cyber-driven claims that might be aligned with IMD data intrusion.
4. Intellectual Property (IP) theft — IP theft has occurred for years, but the ease of accessing data and information via digital means is resulting in an increased risk. Claims organizations require more awareness of this potential type of loss, and should coordinate closely with underwriting to understand the level of claim reserve to establish. The loss of intellectual property and the policies that provide potential coverage can be confusing. First-party IP theft policies (generally issued as Specialty Lines commercial products) are becoming more available, but reviewing the existing Commercial General Liability and Professional Liability policies for relevant coverage is also necessary.
5. Professional Liability/Tech E&O Insurance — Tech E&O is designed to cover providers of technology services, whereas cyber policies focus on consumers of technology products and services. The confusion happens because cyber insurance policies offer a number of the same insuring agreements as Tech E&O policies. Claims professionals should confirm what policies are held by the customer submitting a cyber claim, and indicate the coverage focus for the Tech E&O and cyber policies.
To address cyber insurance growth potential and the related challenges in managing cyber risk it is vital for underwriting, claims, risk control, product management and actuarial to communicate and help each other make solid business decisions. Coordination of claim response, representative claim reserve amounts and feedback regarding existing policy language represent opportunities for insurers.
Tom Rubenacker (Thomas.Rubenacker@tcs.com) is the property casualty domain lead for North America in the consulting practice of Tata Consultancy Services (TCS), with 30 years of experience in business and technology consulting.