For almost 30 years, cyber insurance has covered the losses and expenses associated with a growing range of cyber perils. Despite some uncertainty about its responsiveness, cyber insurance is an essential component of a comprehensive cyber risk management programme.
Data breaches. Notification costs. Third-party liability. Business interruption. Cyber extortion. Reputation damage. The potential cyber and technology exposures that businesses face continue to expand — as do the economic losses they can cause.
So it’s no surprise that cyber risk now ranks among the top five concerns for companies. And as recognition of the risks increases, more companies are purchasing cyber insurance to take advantage of the expanding protections it provides.
Despite the growth in uptake, the value of cyber insurance has recently been the subject of considerable debate within the insurance industry, some of which has played out in the media. The discussion has, in many cases, not reflected fairly on the role of cyber insurance in reducing the economic impact of risk.
The debate has often conflated cyber policies with property and casualty, and crime policies, particularly around how these policies do or do not respond to cyber claims.
In reality, cyber insurance is a reliable, cost-effective way to transfer the risks companies face from their increasing use of data and technology. And standalone cyber policies will generally respond to those risks.
Increasing Appetite, Claims, and Payouts
As the range of cyber risks and coverages has expanded, so have purchase rates of standalone cyber insurance. The number of Marsh clients buying dedicated cyber insurance has doubled over the past five years, with nearly 40% now purchasing cyber policies (see Figure 1).
And the development of broader coverage offerings is attracting a wider range of buyers; purchasing among Marsh clients has risen by an average of 15% annually since 2016, with highest growth among the hospitality, manufacturing, education, and power and utility sectors.
Cyber insurance claims, and claim payouts, are rising in tandem with purchases. According to CreditSights, US-domiciled insurers paid cyber claims of $394 million in 2018, up from $226 million the previous year. And NetDiligence reports that the number of claims submitted for inclusion in its Cyber Claims Study, which analyses claims to cyber insurers, rose by more than 40% in 2018 over the previous year.
Individual insurers have reported similar trends.
- AIG says it handled more than 2,000 cyber claims globally in 2018
- Beazley handled more than 3,300 data incidents in 2018 (more than 10,000 since 2009)
- In 2018, specialty cyber insurer CFC paid more than 1,000 cyber claims and expects that number to increase by 50% in 2019
- Hiscox dealt with more than 1,000 cyber-related insurance claims in 2017, a 1700% rise over 2013
This points to an increasing recognition of cyber risk as a top corporate concern and of cyber insurance as an effective and responsive way to cover cyber event losses.
Conflation of Cyber, Property, and Crime Policies
Despite increasing appreciation for cyber insurance, some organisations still expect – mistakenly – that cyber losses will be fully covered under non-cyber (property, casualty, or crime) policies.
The issue stems from the fact that cyber risk as a peril can result in multiple forms of loss that have not traditionally been explicitly excluded under property, casualty, and crime policies. This has created what is known as “silent cyber” — the unknown exposure in an insurer’s portfolio created by a cyber peril that has not been explicitly excluded.
As insurers have seen a rise in unexpected claims under non-cyber policies, “silent cyber” is now being more closely monitored and cyber risk increasingly excluded from traditional insurance lines.
Along those lines, several insurers have issued clarification of their intent to only cover cyber perils in cyber policies. In early July 2019, Lloyd’s issued a new mandate requiring its market underwriters to ensure that all policies either explicitly affirm or exclude cyber cover, in an effort to eliminate non-affirmative or “silent cyber” risks from property policies as of January 2020, and from liability coverages a year later.
We have recently seen some high-profile disputes where insureds have sought to recover cyber event-related losses from their property policies, and insurers have denied coverage.
Regardless of the merits of those cases, such disputes point to the importance of obtaining cover under an affirmative cyber policy that is tailored to a company’s specific cyber exposures and thus offers the best chance for insurance to respond.
In addition to this much-needed clarity of intent, standalone cyber policies offer other valuable benefits, such as reimbursement for costs to engage experts to assist with post-event forensics and response management, and even pre-loss prevention and risk management tools.
Adaptive, Responsive Market
As cyber threats evolve and become more economically damaging to businesses, the cyber insurance market remains adaptive in responding to buyers’ needs. As traditional insurance lines retreat from covering cyber events, cyber insurance is becoming an increasingly vital tool.
By working with a knowledgeable broker or advisor, organisations can design a standalone cyber insurance programme that is tailored to their unique risk profile and risk tolerance.
Critical Truths about Cyber Insurance
The pervasive use of technology to power business and connect supply chains creates ever-greater cyber exposures and vulnerabilities for companies of all sizes and in all industries. Inaccuracies and misunderstandings around cyber insurance include:
MYTH - “Cyber insurance does not cover human error”
TRUTH: While cyber insurance was primarily designed to address malicious cyber incidents, it has evolved to cover a wide range of operational and human risk. This includes social engineering, accidental disclosure, loss of a laptop or device, rogue employees, and failed updates or system migration. Generally, cyber policies do not exclude coverage for accidental errors or omissions, and many affirmatively cover such losses through system failure or administrative error coverage grants.
MYTH - “Data breach costs focus on legal liability”
TRUTH: Data breach insurance is the most established aspect of cyber insurance and coverage is broad, particularly for first-party breach response costs, which can include legal, crisis management, call centre, forensics, credit monitoring, and notification expenses. Cyber insurance will generally also cover the expenses associated with business interruption and data loss events.
MYTH - “Insurers dictate which incident response providers and advisors are used”
TRUTH: While most cyber insurers have a recommended panel of service providers (legal counsel and vendors), many are willing to accommodate an insured’s existing or preferred providers. Some insurers will even allow policyholders to have absolute discretion in their choice of vendors.
MYTH - “Business Interruption cover is limited”
TRUTH: Business interruption cover has evolved considerably to reflect the nature of how companies function today. Cover will typically extend to the overall financial impact to the business, beyond just the duration of the cyber event. Many policies will also cover losses resulting from a system failure or technology disruption at an insured’s IT vendors or within its supply chain.
MYTH - “Cyber insurance excludes recent technology or system upgrades”
TRUTH: A robust cyber insurance policy can contemplate system upgrades, where such best practice is the most cost-effective solution. Cyber insurers embrace insureds that view security as a journey, not a destination.