Earlier this month, I had the pleasure of attending the HB Litigation NetDiligence® Cyber Risk & Privacy Liability Forum in Santa Monica. In addition to enjoying the wonderful California fall weather, I had the opportunity to listen to many experts talk about various timely cyber-related issues.
One of the most interesting sessions I attended was “Cyber Risk – The London Perspective” with panelists Graeme Newman (marketing director at CFC Underwriting Ltd.), Chris Cotterell (CEO at Safeonline LLP), and Robert Parisi (senior vice president at the FINPRO unit of Marsh).
Besides the candid back-and-forth banter, I was very interested in hearing Mr. Newman’s perspective regarding the difference between the cyber insurance market in the United States and the market in the U.K. and Europe. He indicated that the London market is fairly robust and growing, with a good number of Lloyd’s syndicates currently offering or starting to offer cyber insurance. He was also quick to point out that there’s a difference between the expectations of insureds in the United States and those in Europe, and between the insurance policies made available in each of those markets. He rather boldly stated that policies designed for the U.S. cyber market simply wouldn’t work in the U.K., Europe, and perhaps the rest of the world. This certainly grabbed my attention. And though initially surprising, his further explanation made perfect sense to me.
Newman noted that the U.S. domestic cyber insurance market’s primary coverage focus has been on data privacy, specifically first-party reimbursement costs (for example, expenses related to notifying affected customers, performing forensic analyses, and offering credit monitoring). That’s because U.S. cyber insurance policies were designed to respond to the patchwork of state data breach notification laws enacted across the country. Currently, 47 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam have such laws; only three states — Alabama, New Mexico, and South Dakota — don’t.
In other parts of the world, though, data breach notification laws are perhaps years away from gaining acceptance and enactment and, at the end of the day, may not be consistent. The cyber coverage focus there has been more on business interruption, property damage, supply chain, and cyber crime.
Whether you agree or disagree with him, I think Newman certainly puts forth an interesting perspective and raises some important issues for consideration.
While ISO has developed and introduced both a stand-alone cyber insurance program and optional cyber coverage for use with its businessowners program (both designed for the U.S.-admitted insurance market), Newman’s comments gave me a lot of food for thought about what changes might need to be considered, and are perhaps necessary, for cyber insurance products that can be used outside of the U.S. domestic market.
If you want to enter the cyber insurance market or learn about any of ISO’s various cyber insurance product offerings, visit the ISO Cyber Risk Solutions website, www.verisk.com/cyber, or e-mail me at firstname.lastname@example.org. You can also follow me on Twitter @doughertyshawn.