By Scott Kannry and Robert Liscouski
Despite increasing adoption of cyber insurance products and frequent cyber-related initiatives across the insurance and risk world, the majority of cyber risk transfer developments relate to privacy or data breach risk. Oftentimes, they deal with breaches of personally identifiable information (PII). Such developments have been incredibly positive and numerous firms have been aided tremendously by their insurance policies when breaches have occurred.
Privacy, however, is only a fraction of cyber risk, and many companies that are not consumer-facing or do not play in the PII chain are struggling with the insurability of their exposure. In its complete form, cyber risk has the potential to affect the entire spectrum of risk, from physical infrastructure and tangible assets that are vulnerable to viruses and hacking attacks to intangible assets such as confidential information and securities that are increasingly being stolen via electronic means. This makes cyber risk a game-changing phenomenon that can impact numerous lines of insurance coverage.
As a result, cyber risk transfer in its entirety is still very much undefined and has largely been approached in a shortsighted manner. Consider, for example, that while commercial cyber premiums are currently around $1 billion on an annual basis, commercial property and casualty premiums are in excess of $151 billion. It is almost unbelievable that defined cyber premiums account for a mere 1/151st of risk transfer in a modern economy where cyber risk is a top concern.
Simply put, the insurance industry needs to embrace this evolving reality, approach cyber risk in a comprehensive and consistent manner and provide end-to-end solutions that provide confidence to policyholders that the majority of cyber risk is covered. In doing so, the insurance industry can also serve as a major catalyst and facilitator for public and private enterprise to significantly improve cyber security footing.
Establishing the Baseline
Cyber Exposure Spectrum
Despite the complex nature of technology and the infinite number of things that could go wrong, there are only four types of losses in the cyber risk spectrum.
1. First-party financial loss: The party that experienced the cyber event suffers financial losses or costs associated with the event. The most commonly cited examples include costs associated with data breach response, but other examples include lost income attributable to network/IT interruption as well as future lost income and reputational harm that results from a loss of customer confidence.
2. Third-party financial loss: A party other than the one that experienced the cyber event suffers financial losses or costs associated with the event. This could be a customer, business partner or unrelated third party. Examples of these losses include the business interruption losses of users of cloud services should such services suffer an outage, or the recall costs of clients of electronic component manufacturers, should such components malfunction due to the failure of embedded code. It is also worth noting that creative lawyers are constantly looking for ways to create a viable theory for data breach victims to claim financial damages.
3. First-party bodily injury or property damage: The party that experienced the cyber event suffers bodily injury or property damage. This category was easily dismissed prior to the last few years, but the Stuxnet virus and various other tests by researchers on industrial assets have shown that cyber events can result in tangible damage.
4. Third-party bodily injury or property damage: A party other than the one that experienced the cyber event suffers bodily injury or property damage. Similar to the previous category, this area of exposure is quickly emerging as a significant concern. A great example is the automotive industry, where cars have become computers and where component manufacturers and system developers are starting to consider whether cyber events could cause vehicular failure and passenger injury or death.
Cyber Risk Transfer World
With the exposure component simplified, it is necessary to understand where the cyber risk transfer world currently stands. The universe of available coverage is as follows:
1. Privacy/data breach coverage: This area of coverage is the most available and proven to work. Policies cover breach notification and crisis management, regulatory defense and civil penalties, and liability resulting from a breach. Options range from those that allow the insured to retain their own breach experts to those that act as a turnkey mechanism and require the use of pre-determined response firms. Market capacity for this type of coverage is currently in excess of $300 million, so meaningful options exist for firms of all sizes.
2. Other first-party financial loss: Various other forms of financial coverage are available but in limited quantities (perhaps $150 million total). The most commonly discussed types include first-party network business interruption, to cover loss of revenue during network interruption; information asset, to cover restoration costs or loss of value associated with electronic data; cyber extortion, to pay an extortion threat; and contingent business interruption, to cover loss of revenue during the downtime of a critical outsourced IT provider.
3. Post-event loss of revenue: Currently available in limited quantities (up to $150 million), this product has been the biggest recent development. It picks up where the aforementioned coverage leaves off, which is when the event ends and the firm returns to normal operations, but the negative reputational effect of the cyber event produces customer churn and a diminished ability to increase sales. This coverage is similar to property-based extended business interruption coverage and helps bridge the gap between projected and actual revenue in the aftermath of a cyber event.
Beyond these areas of defined risk transfer, coverage is either uncertain, unavailable entirely, or unavailable in a quantity that matches the magnitude of the risk. An area of increasing concern involves coverage under property and casualty policies given exclusions such as the following: "Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data." Many insureds are starting to question how this exclusion would be interpreted if corrupted electronic data (i.e., a virus) causes an event that should otherwise be covered under that type of policy.
All of this has resulted in vastly disparate cyber insurance purchasing trends. Consumer-facing industries have led the charge, and various estimates put adoption rates around 50 percent for key segments: financial, healthcare, retail and hospitality. Additionally, certain business-to-business firms (those that play in the PII chain) can blend cyber coverage into commercial E&O policies. Beyond those industries and for categories such as industrial, manufacturing or critical infrastructure, firms struggle with insurability and uptake is much more limited or nonexistent.
Another significant problem is limits sufficiency. While meaningful amounts of coverage exist for certain risks (mainly PII related), the limited amount of other forms is often not enough to provide the catastrophic coverage levels that very large firms desire.
Lastly, the current manner in which carriers are approaching cyber risk from an underwriting perspective is problematic. While underwriting for privacy and related financial loss products is good, expertise on more traditional products drops off significantly and is often non-existent. This dynamic is generally caused by insurers' silo approach, whereby cyber underwriters often do not interact with their counterparts on other lines of coverage, producing everything from an inconsistent methodology to shaky coverage extensions or definitive exclusions.
The Way Forward
The ideal solution would be $1 billion or more of "Cyber Complete" coverage that would span the entire spectrum of exposure as identified above, except for those areas that are incredibly difficult to insure or entirely uninsurable. Coverage would be structured as catastrophic protection with substantial retentions (similar to those taken on property programs), and insureds would maintain the ability to infill such retentions with smaller exposure specific policies where achievable.
Given the size of the program, an industry syndicate structure could work best, with other critical components as follows:
1. Centralized expertise: An approach similar to what top insurers in the property world deploy -- engineers that evaluate and assist clients with risk and that just happen to offer insurance. In this case, the approach would involve a central group of top cyber professionals with expertise tied to the various domains of the underwriting framework and subscribed to by all participating carriers. This dynamic is critically important in order for the insurance carriers to gain confidence that all risks are being evenly and expertly distributed.
2. Underwriting framework: We believe that the underwriting and policy compliance framework needs to be enterprise-wide and inclusive of both physical and IT security, with a focus on critical domains such as enterprise assets, cyber governance, external and internal threats, regulatory compliance and event preparedness. This will allow for a more comprehensive analysis rather than a focus on granular elements such as firewalls and antivirus software, which is too often the case currently. Additionally, the framework needs to constantly evolve based on the changing threat climate; this will not be a standard that is instantly outdated and one that gives firms the ability to achieve minimum compliance and check the box.
3. Reputational component: It is important that the framework ties heavily to and evaluates the reputational profile of the insured. Aligning cyber readiness with reputational resilience both manages risk and maximizes corporate value. Studies have shown a positive correlation between shareholder value and reputation resilience to bad events, and firms with outstanding reputation rankings can recover more quickly and effectively from significant cyber events. Our research also shows that the market puts a premium on firms that consistently exhibit strong organizational controls, so utilizing a dynamic framework linked to reputation and backing it with a comprehensive insurance product will signal resiliency to the market and therefore increase the shareholder value of the firm.
4. "Big Data" benefits: The insurance industry sits on a treasure trove of information that, if used appropriately and with the right precautions, could be utilized to the benefit of all parties. Numerous insurers that underwrite the cyber risk of firms across all industries and see real-time claim activity have far more insight into the macro cyber climate than most security providers, which generally focus on narrow verticals. This data should be used to evolve the framework, and by establishing certain compliance thresholds, policyholders would be incented to continually improve their security posture in order to maintain coverage. Currently, however, there is no industry-wide information sharing mechanism, nor do most insurers even interact with their insureds until subsequent policy renewals.
This approach not only creates the framework to allow the insurance industry to better understand cyber risk and provide comprehensive cyber solutions, it also allows the industry to play a critical role in current efforts aimed at strengthening cyber infrastructure.
First, President Obama recently signed an executive order that directed the National Institute of Standards and Technology (NIST) to establish a cyber framework for critical infrastructure. While this is a step in the right direction, skeptics would consider the proposed framework as just one that will quickly become outdated. The information sharing component could allow the insurance industry to partner with NIST and collaborate with trend data to develop a framework that facilitates government-backed liability waivers.
Second, Congress has already started the process of re-authorizing the Terrorism Risk Insurance Act (TRIA), which expires in December 2014. An unanswered question is whether a renewed version of TRIA will include protection for cyber insurance, which is currently lacking. It seems reasonable to argue that a better understanding of the risk from an underwriting standpoint and dynamic thresholds for policyholders to maintain coverage could provide Congress the confidence to give the insurance industry this critical ultimate backstop.
It's time for the industry to evolve.
SCOTT KANNRY is vice president of Aon Risk Solutions.
ROBERT LISCOUSKI is principal of Convergent Risk Group.
May 7, 2013
Copyright © 2013 LRP Publications