Cyber security has become a popular headline topic. Its increasing prominence has spawned a new awareness of risks to business from a variety of threats, including the theft of intellectual property and customer data; operational impairment and the destruction of physical property; and the exploitation of system vulnerabilities.
Despite that increased awareness, the insurance industry’s response to date largely relates to data-breach risk – specifically, breaches of personally identifiable information. Such developments have been very positive, and many firms have been aided by their insurance policies when breaches have occurred.
But privacy is only a fraction of cyber risk, and many companies that are not consumer-facing (or that do not touch large quantities of personally identifiable information) are struggling with the insurability of their cyber exposure. The broadening of the risk spectrum to include tangible perils makes cyber risk a game-changing phenomenon that can affect numerous lines of insurance coverage as well as escalate costs and losses far beyond those of a typical privacy breach.
The good news is that comprehensive coverage is not far off, since the insurance industry has signaled that it is willing to deploy its risk-financing capacity behind the right framework. This will give CFOs and financially-oriented risk managers the appropriate tool to use in tandem with the controls that are being deployed by their operational risk management peers.
The Risk-Transfer World
The current cyber insurance marketplace can be summarized as follows:
1. Privacy coverage – This product is the most available and is effective. Policies cover breach notification, crisis management, regulatory penalties, and liability. Options range from those that allow the insured to retain their own experts to those that act as turnkey mechanisms and require the use of pre-arranged response firms. Market capacity for this coverage is substantial.
2. Ancillary financial loss – Other forms of financial coverage are available but in more limited quantities. Policies can cover network business interruption losses, the value of destroyed information assets, cyber extortion losses and lost revenue due to the downtime of an outsourced IT provider.
3. Consequential lost revenue – Also available in limited quantities, this product is a recent development that complements the previous policies. It extends beyond the point at which the cyber event ends and the firm returns to normal operations, to the period in which the negative reputational effect of the event produces customer churn and a diminished ability to meet anticipated revenues.
Beyond these areas of defined risk transfer, coverage is either uncertain, unavailable entirely or not available in a quantity that matches the magnitude of the risk. An area of increasing concern involves coverage under property and casualty policies given certain electronic data exclusions. Such exclusions could be interpreted to preclude coverage for events precipitated by “damage to data” or “corruption of data.”
Those market dynamics have resulted in vastly disparate purchasing trends. Consumer-facing industries have led the charge, and various estimates put take-up rates around 50 percent for such key segments as the financial, health-care, retail and hospitality industries. Further, certain non-business-to-consumer firms can blend elements of cyber coverage into professional liability policies. Beyond those industries and for such categories as industrial, manufacturing or critical infrastructure, firms struggle with insurability and uptake is much more limited or nonexistent.
Another significant problem is sufficiency of upper limits of insurance. While meaningful amounts of coverage exist for personally identifiable information (PII) risks, the limited amount of other forms is often not enough to provide the catastrophic coverage that very large firms desire.
One of the biggest barriers to better coverage is the manner in which carriers are approaching cyber risk. While underwriting for privacy and related financial loss products is good, cyber expertise with respect to more traditional products drops off significantly and is often non-existent. This dynamic is generally caused by insurers’ silo approach, whereby underwriters for existing cyber products often do not collaborate with counterparts on other lines of coverage, which produces everything from an inconsistent methodology to shaky coverage extensions or definitive exclusions.
Achieving Comprehensive Coverage
The path to comprehensive coverage is twofold. Most importantly, firms must commit to bolstering and continually evolving their cyber security strategy. It should be executed with an eye toward asset prioritization and the strategic deployment of protective mechanisms, the firm’s unique threat environment and the best practices of its peer group. This approach creates a resilient organization and one that underwriters are willing to back.
From the insurance industry’s perspective, carriers must move toward an approach that contemplates a few critical elements:
1. Technical underwriting: An engineering-based approach that is similar to what top property insurers utilize and one that assists clients with risk maturity. Here, the approach would involve top cyber professionals with expertise tied to the various domains of the underwriting framework. This dynamic is critically important in order for the insurers to gain enterprise insight into firms and confidence that risks are being expertly evaluated.
2. Underwriting framework: The methodology needs to be enterprise-wide and inclusive of both physical and IT security, with a focus on critical domains such as enterprise assets, governance, threat environment, regulatory compliance and event preparedness. Additionally, the framework needs to constantly evolve based on the changing threat climate; it will not be a standard that is instantly outdated or one with which firms can only minimally comply.
3. Reputational link: The framework must tie heavily to and evaluate the reputational profile of the insured. Aligning readiness with reputational resilience both manages risk and maximizes corporate value. Studies have shown a positive correlation between shareholder value and reputational resilience to bad events, and firms with outstanding resiliency can recover more quickly and effectively.
4. Big data benefits: The insurance industry sits on a tremendous amount of information that could be utilized to the benefit of all parties. Numerous insurers that underwrite the cyber risk of firms across all industries and see real-time claim activity have more insight into the risk climate than technology providers that generally focus on narrow verticals. This data should be used to evolve the framework and help policyholders bolster defenses thoughtfully.
This approach creates the framework to allow the insurance industry to comprehensively understand cyber risk, help firms keep pace with the constantly evolving climate and provide the truly comprehensive solutions that firms in all industries desire.
Scott Kannry is a vice president with Aon Risk Solutions’ Financial Services Group. Robert Liscouski is CEO of Axio Global.