Cyber insurance coverage, its value, limitations and exclusions

Peter Foster, executive vice president of Willis, and 2015 conference chairman welcomed attendees by quoting Bob Dylan and observing that, "The times — in insurance — they are a-changin'." Continuing to quote Dylan, Foster added, "For the loser now will be later to win," explaining that there will be some losses on Cyber coverage, but the insurance industry will emerge stronger.

On the positive side, Foster said, any discussion of Directors and Officers (D&O) Liability coverage now includes a discussion of Cyber issues as well. Of additional concern to businesses he added, are business interruption, privacy and data analytics — all topics that agents and brokers can use as opportunities to review coverage with their clients.

Related: Cyber: Ready for takeoff

(Editor's Note: All photos are courtesy of Advisen.)

Cyber is greatest risk

Michael Chertoff, co-founder and executive chairman of the Chertoff Group and former secretary of the U.S. Department of Homeland Security from 2005 to 2009, delivered the keynote address, telling the audience that, "Global terrorism is here to stay, and the greatest risk is not to manage risk."

Chertoff noted that of all the risks businesses face, in his view cyber is the greatest one, and the one that should get the most attention. "The fear is that a cyber attack could cause a loss of life and property as well as disruption of the global economy," he said.

Although the discussion of technology appears to be an engineering problem, he said, it's much deeper than that. Many organizations leave cyber issues to the chief information officer or chief technology officer, when they should be involving stakeholders from across the organizations and looking beyond the obvious.

Chertoff advised companies to start by understanding how their data flows in and out of the organization's systems. "For a utility company, it might be more important to focus on energy flow than customer data," he explained.

Related: 7 Cyber risk stakeholders and why they matter

Beware the botnet

As with most risks, managers are looking for ways to quantify the importance of various issues to determine the resources to allocate to specific items. They're looking for leading indicators of a data breach and ways to take effective action.

David Bradford, president, Research & Editorial Division, Advisen, and Ira Scharf, general manager, Worldwide Cyber Insurance, BitSight Technologies, presented the findings of a joint study by Advisen and BitSight, demonstrating that various sectors are strongly correlated with the occurrence of a data breach and that companies can take effective action to improve their cyber risk profile. Over a two-year period the study obtained data from 27,458 companies in 22 industries about 2,671 digital data breaches.

The study found that there were 1,389,429,313 active botnets over the two years and that 50% of the companies in the study have had one or more botnets on their network. The research showed that the presence of botnets on a network confirmed that there had been at least one breach.

A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge.

Harnessing the numbers

A panel moderated by Bob Parisi Jr., Cyber product leader at Marsh, consisting of Neil Arklie, senior product manager for cyber and technology at Swiss Re; Paul Miskovich, senior vice president and global practice leader at AXIS Insurance; Scott Stransky, manager and principal scientist at AIR; and Julian Waits Sr., president and CEO at PivotPoint Risk Analytics, discussed the question of whether it's possible to quantify the threat of cyber risks to a business.

Arklie pointed out that, unlike most catastrophic events, cyber is a manmade event with unique characteristics to each one. All panelists agreed that to adequate assess the risk and provide solid underwriting, carriers need numbers and clear models.

Waits observed that not all systems need the same protection. For example, HVAC systems and point-of-sale systems carry different risks, so they should have different coverage. He added that "the response has to match the importance of what you're trying to protect."

Protecting crypto-currencies

The panel on crypto-currencies started with Dana Syracuse, managing director for K2 Intelligence, providing an overview of what the term means and who the players are. Amy Davine Kim, counsel with Buckley Sandler LLP, explained that although Bitcoin has become synonymous with "crypto-currency," its technology can be used by:

• Wallets.
• Transmitters and processors.
• Exchangers.
• Software providers.
• Miners.
• Distributed ledgers.

In addition to providing a virtual currency, companies are developing additional use cases for the technology. Kim explained that some organizations are using the technology to record data that fluctuates — the value of securities, for example — in a general ledger. It's a "nascent space," with a high potential for fraud.

Christopher Liu, head of cyber for the Financial Institutions Group at AIG, observed that there are currently fewer than 50 Bitcoin-type companies. It's difficult to determine what the best practices are right now. "This is a start-up industry," he said.

Panel members confirmed that crypto-currencies are the currency of choice for hackers who use ransomware to hold a company's data captive. Panel members also agreed that regulation of crypto-currencies is on the horizon. "Every state as well as the federal government is looking at regulating crypto-currencies," said Roberta Anderson, partner with K&L Gates. "New York State is first with BitLicense."

Cyber coverage for property damage

One of the most vigorous debates of the day featured Shannon Groeber, senior vice president at JLT Specialty USA as the moderator of a discussion between Graeme Newman, director at CFC, and Bill Reed, operations vice president for FM Global, on the question of whether the Property market should be covering physical damage from cyber attacks.

Reed pointed out that, depending on the terms of a company's policy, property damage might already be covered. "If you have an all-risk policy that treats data as physical property, then you do have coverage, for example, if your servers have a malfunction or their storage facility is flooded — as long as you don't have an applicable exclusion."

Newman drew a laugh from the crowd when he admitted that "The UK didn't invent much, but we did invent insurance." He believes that a separate Cyber policy including property coverage is important for efficient claims processing.

Cyber war game

Ahead of the conference, Advisen hosted a cyber-incident simulation exercise in which selected teams of experts — representing the various stakeholders in a real event — worked through a mock cyber incident in real time. The observation team critiqued the handling of the incident and reported back some best practices and key takeaways for the audience.

The video clips of the exercise that were shown to the attendees are available on the conference website.

View from the top

The conference closed with a panel of top insurance executives, moderated by Bill Keogh, CEO of Advisen, discussing their perspectives on the Cyber insurance market, the issues that most concerned them, and the way cyber business fits into their overall strategic vision.

The members of the panel — Peter Beshar, executive vice president and general counsel for Marsh & McLennan Cos.; Eric Joost, chief operating officer for Willis North America; Jack Kuhn, CEO of Endurance; and Mike Smith, chief operating officer, Global Commercial Insurance, AIG — shared the following observations:

• The interconnected world increases risks but no one doing business without the Internet.
• There is a significant human component to data breaches. It's not going away.
• As an industry, we need to focus on systemic risk and engage leadership, especially CEOs.

How can you transform your risk management preparedness and response strategy into a competitive advantage?

Introducing ALM's cyberSecure — A two-day event designed to provide the insights and connections necessary to implement a preparedness and response strategy that changes the conversation from financial risk to competitive advantage. Learn more about how this inaugural event can help you reduce risk and add business value.