Visualize: Insights that power innovation

How the ISO Cyber Insurance Program is evolving to meet the cyber exposures of today—and tomorrow

By Stephen Whelan  |  February 2, 2021

The world may be preoccupied with the pandemic, but the world’s cybercriminals have stayed laser-focused on sustaining a relentless barrage of attacks on businesses of all sizes. Just one form of cyberattack, ransomware, experienced a shocking 715 percent increase in 2020.[1]

When we launched the ISO Cyber Insurance Program, we knew this was a dynamically evolving environment, and we committed to evolving with it. To that end, we’ve just filed several significant enhancements to the program that can help insurers respond to today’s cyber risk exposures.

A solid cyber foundation: New cyber policy forms

One of the most significant changes we’re making is to the number of base policy forms in our cyber offering. We’re consolidating from the current five to two. One base policy form is designed for small-to-medium-sized enterprises with under $250 million in revenue, while the second is geared toward larger corporations and financial institutions with more than $250 million in revenue.

The policy language in both forms has been enhanced to better reflect evolving cyber risk exposures. For example, the form doesn’t refer to one cyber “loss” but to the more specific types of losses or expenses (such as “cyber extortion loss”) the form is now designed to address. For both forms, first-party coverages are now provided on a discovery basis.

Another major enhancement concerns cloud computing. With businesses moving decisively toward public cloud infrastructures, we’re updating the definition of “computer system” in the two base cyber policy forms to specifically include those operated by an authorized third party (e.g., a cloud provider) with respect to an insured’s own data.[2] We’re also updating the definition of a “cyber incident” to include a hacker attack and a directed denial of service attack (DDoS) with an option to address coverage for a DDoS targeting a cloud provider that affects the insured.

We’re also offering several new exclusions, modifying existing ones, and adding optional endorsements for both forms, including:

  • An exclusion for Payment Card Industry (PCI) fines and penalties, and an optional endorsement to address those losses.
  • A new, optional endorsement for media liability to address exposures related to defamation, libel, invasion of privacy, and copyright infringement, among others. This optional endorsement contains policy language that’s consistent with the (now withdrawn) Media Liability and Information Security Policy form—one of the five cyber forms consolidated in this update.
  • Because some cyber losses may not be detected or reported immediately after they occur, we are introducing a new, optional endorsement to allow insurers to apply a retroactive date instead of the inception date for the start of first-party coverage. This will enable insurers to extend coverage to policyholders for losses they incurred prior to acquiring their policy.

Enhancing cyber loss costs and rating factors with new data

With the costs of data breaches and other forms of cyberattacks rising, ISO cyber loss costs data and rating factors can be used to price limits up to $100 million.[3] Additionally, we’ve nearly doubled the size of our cyber dataset through the acquisition of additional cyber incident data. This data will help us further hone our advisory prospective cyber loss costs. Reflecting recent trends, particularly the increasing frequency of cyber losses, the newly filed loss costs will likely be increasing.

Meeting today’s cyber insurance challenge

These changes to the ISO Cyber Insurance Program will help insurers offer their customers a robust cyber risk transfer solution aligned with the risks they’re facing in the marketplace today. The updates to the ISO Cyber Program are expected to have an effective date of late 2021.

To learn more, please email me at Stephen.Whelan@verisk.com.

  1. “Threat Landscape Report 2020,” BitDefender, < https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf >, accessed on January 12, 2021.
  2. Eric Knorr, “The 2020 IDG Cloud Computing Survey,” InfoWorld, June 8, 2020, < https://www.infoworld.com/article/3561269/the-2020-idg-cloud-computing-survey.html >, accessed on January 12, 2021.
  3. “Cost of a Data Breach Report 2020,” IBM, < https://www.ibm.com/security/digital-assets/cost-data-breach-report/ >, accessed on January 12, 2021.

Stephen Whelan is director of product development, management and professional liability, Verisk. He can be reached at Stephen.Whelan@verisk.com.