Perfect Cyber Storm: Finding Shelter in an Emerging Market
By John Elbl
Call it a “perfect cyber storm”—the whirlwind of variables that can come together in a connected world and lead to a wholly unexpected loss. For many insurers and reinsurers, the increasing frequency, types, and complexity of cyber attacks, the growing amount of information stored and sent digitally, and the expanding Internet of Things can coalesce to make cyber risk even more challenging to manage. Unlike the very mature property insurance market—where standard terms and policy form language have evolved over time—today’s immature and diverse cyber risk market can create problems for many insurers and catastrophe modelers alike.
Currently, policy offerings very often determine how various cyber-related scenarios might affect an insurer. It can be instructive to review a few loss scenarios from current claims; in each of these actual instances, disagreement over where coverage falls resulted in litigation:
- An employee wired money to an account, wrongly believing that the individual who told him to do so through social media was his boss.
- Business interruption occurred from a business’s lack of access to a credit card processing vendor. Although no breach may have occurred at the insured company, sensitive customer data was lost.
- A part-time hospital employee gained unauthorized access to confidential records and discussed sensitive HIPAA information with others.
- A laptop with sensitive information was lost.
Typically, each company offers its own form of policy with a particular selection of coverages included and excluded.
Choosing a Model
Rather than making guesses about liability, companies might want to seek out tools that allow users to determine how individual coverages could be best represented within unique policy coverage frameworks. Such solutions can help companies decide if a scenario is better addressed under a cyber endorsement, E&O, D&O, GL, or any other form of policy protection. Further, it can be beneficial when a chosen modeling tool supports the application of other policies, sublimits, and additional financial vehicles so that companies can receive a more complete view of how their offerings might address a given scenario.
Property policies are frequently occurrence policies. One can often point to the exact date when an earthquake occurred, a flood overtopped a riverbank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber breach can often be identified. Unlike natural catastrophes, however, with a cyber breach, months or years can pass before its victim is aware of the activity. If a cyber liability is listed on an occurrence policy, the terms and conditions in force when the breach occurred would likely be applied to resolve the claim. If the cyber liability is on a claims-made policy, then the terms and conditions in force when the event is reported would likely be used for loss resolution.
As such, having the flexibility to state the limits and deductibles accurately as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to one that merely assumes how policy coverages are structured. Insight from insurers, reinsurers, and industry experts can help a company determine how best to model cyber risk, whether using several years of exposure data for occurrence policies or current terms and conditions for claims-made policies.
Art of Asking
The field of cyber tends to be a very competitive and rapidly expanding marketplace in which potential insureds may be diverted by having to answer lengthy questionnaires. Yet asking too few questions may allow competitors to skim the cream of the potential clientele. It’s clear that, in the context of cyber risk, obtaining appropriate information is an art form.
The importance of exposure data likely can’t be stressed enough for achieving accurate risk assessments. Consider, for example, a risk analysis for U.S. hurricanes. While most models will return a result if just the county and replacement value of an exposure are known, results will likely be highly uncertain if this is the only data input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information can be recorded, then there should be a much more accurate representation of risk and expected loss.
Different degrees of data quality will probably return analyses of varying accuracy for cyber models. For some, the minimum information required for risk assessments might be as simple as the name of the company and its revenue, and information from additional data sources can estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of the insured. Still, insurers should undertake the collection of such data for even more detailed model results. If a model provider has an exposure data schema, companies are advised to use it for the collection of such data to help ensure the information is model-ready. Once the total cyber profile is understood, a more accurate estimation of risk should be possible.
Cyber risk is still very much an emerging market, and it will likely be some time before it achieves a degree of standardization similar to that typical of the property market. Until it does, flexibility in risk modeling solutions should remain vital for companies to truly and accurately “own” their cyber risk.