Cyber Insurance: An Opportunity to Improve Business Resilience
Cyber insurance may be the one segment of the insurance industry that doesn’t fit our preconceived notions of the business. Ordinarily, when describing insurance, you might use words such as steady, sedate, or even dull. Policies undergo little change from year to year, predictable claims are submitted, payouts are promptly issued, and insurers earn a good rate of return.
There is little change in the makeup of the companies offering insurance, agents generally have limited interaction with their customers and seldom affect business-critical matters, and headline news stories rarely come out of the industry.
It’s a different ball game with cyber insurance. The constantly evolving cyber threat environment, the rapidly increasing number of claims filed, the emergence of new competitors, and the fact that insurers have only been operating in this segment for a couple of decades have created a dynamic environment.
The difficulty of projecting where future cyber threats will come from, along with the limited historical data available for building analytical models of future risk exposure, has caused constant reworking of policy commitments. On top of this, insurance industry leaders are having difficulty projecting the long-term trajectory of the market.
Even the White House has stepped into the fray, generating news coverage of the recent wave of cyber attacks and highlighting the contribution insurance can make to building cyber security. At its recent summit of tech, financial services, insurance, energy, and education leaders, the administration called on the insurance industry to develop ways of incentivizing businesses to deploy and maintain good cybersecurity practices.
Actually, there is one aspect of the cyber insurance business that mirrors more traditional lines of insurance and that’s reliable payments on cyber incident claims. Cyber insurers have demonstrated a consistent track record on this score and that’s important for those considering adding this coverage for the first time.
The Business Environment
A prime cause of the increased exposure is the ongoing digital transformation of business. As companies deploy digital technologies to gain competitive advantage through faster product development and rollouts, operating efficiencies, and better customer experience, their exposure and vulnerability to cyber threats grow as well.
The Covid-19 pandemic has increased cyber vulnerability in two ways. First, many companies sped up their digital transformation plans in an effort to create greater efficiencies in their product and service delivery models.
According to a Munich Re survey, 33% of C-level respondents report that they accelerated digitalization due to Covid-19, and companies have struggled to bring their security practices along as rapidly. Second, on the user side, more remote working has brought an increase in phishing attacks, many of which exploit workers’ interest in updated information on the pandemic.
State of Cyber Insurance Coverage
Despite the worsening threat environment, most small and medium-sized businesses (SMBs) do not carry cyber coverage. According to a study by CyberScout, even though 76% of SMBs experienced a cyber attack, only 31% had cyber insurance. The report highlights the fact that businesses already under financial pressure from the pandemic are struggling to prioritize investments in cyber security practices and insurance.
The Evolving Threat Environment
According to an analysis of threat reporting by Dark Reading, ransomware and phishing will continue to be the main types of cyber incidents through 2021. The most prevalent attacks fall into five classes of incident: human factor, malware, denial of service (DoS), web application, and password. Each of these can disrupt business operations in several ways at once.
Cybereason examined ransomware attacks and found that 66% of companies attacked experienced a significant loss of revenue, 35% of businesses paid a ransom between $350,000 and $1.4 million, and 53% reported damage to their brand and reputation. As described below, cyber insurance can help recover costs in each of these categories.
Dealing with Uncertainty
In this uncertain environment, insurance companies, including majors such as Zurich, are adding structure to their cyber risk engineering processes by using frameworks such as the Cybersecurity Framework (CSF) developed by the U.S. National Institute of Standards and Technology (NIST).
This framework is a voluntary initiative created through the collaborative efforts of industry and government. It consists of standards, guidelines, and practices that help organizations better manage risk. Companies such as Axio have developed standalone risk management platforms based on the NIST framework. These platforms include an insurance stress-testing function to help companies work out which coverages are most relevant to their particular risk profile.
The NIST Cybersecurity Framework provides a common vocabulary for risks and controls, allowing for more productive discussions among underwriters, brokers, and companies looking to obtain insurance. The framework facilitates conversations between insurance risk specialists and C-suite and board members by minimizing IT jargon.
Of note is the fact that nearly three-quarters of the security controls are non-technical in nature. A great emphasis is placed on roles and responsibilities, training, security procedures, incident response and communication.
The NIST Cybersecurity Framework organizes cybersecurity activities into five functions that together give a comprehensive view of the lifecycle for managing cybersecurity risk. (This is the structure of CSF version 1.1; the 2024 revision, CSF 2.0, adds a sixth function, Govern.) The five functions are:
- Identify – Develop an organizational understanding to manage cybersecurity risks: systems, data, assets and capabilities.
- Protect – Develop and implement appropriate safeguards to ensure delivery of services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Cyber Insurance and Business Resilience
Cyber insurance companies and their agents are also responding to the demands of this market environment by playing a proactive role in preparing their clients to defend against and respond to cyber attacks.
For example, Coalition, a cyber insurer and one of the participants in the White House summit, announced that it will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization. Others are deploying more technology than is ordinary for the insurance industry. Corvus, for example, is applying a combination of AI, IoT, business intelligence and data analytics to better gauge cyber risk.
These developments give companies an opportunity to strengthen the cyber security component of their business continuity planning and to refine ongoing investment in areas such as network infrastructure, multi-factor authentication, and data backups, both to prevent data breaches and losses and to prepare for their aftermath.
Cyber insurance gives a company the financial resilience to complement its investments in operational resilience. Cyber coverage enables a company to recover lost revenue and to pay the expenses of recovering from a data breach, so that these costs do not materially affect ongoing operations or weaken its competitive position.
Defining Cyber Insurance
Cyber insurance pays a range of costs associated with a cyber incident such as ransomware, social engineering and denial of service. As you’d expect in a market that is changing so rapidly, there is no standard cyber insurance policy. This variety puts the onus on the buyer of insurance to compare policy provisions carefully.
Most cyber insurers offer two types of coverage: first-party and third-party. First-party policies cover the claims you make for breaches of your company’s network and will pay for the costs to:
- Restore and recreate the compromised data
- Hire experts to help you fix a problem and gain control of the issue
- Repair your hardware systems and software
- Recover income lost due to the breach
- Pay extortion costs
- Notify vendors, customers or regulatory entities about the loss
- Restore the personal identities of affected customers
- Supply credit monitoring services and identity theft protection for customers affected
- Hire a specialist to conduct a forensic investigation to find the source of the attack
- Pay public relations expenses
Under your first-party provisions, your cyber insurer will also step in and take on some of the administrative burdens of recovering from a breach. These services include:
- Informing your customers of the breach and about how you are responding
- Notifying the proper authorities of the attack to start an investigation and ensure compliance with data breach laws, which vary by state and global region
- Supplying a negotiator to communicate with those making the ransom demands
Third-party coverage is for companies that handle other people’s sensitive data, such as tech companies, health care companies, financial services firms, and retailers. If your company handles sensitive data for a client and that data is compromised in a cyber incident, your company could be held legally liable. Third-party coverage pays the legal costs of defending and resolving such proceedings, including:
- Privacy lawsuits brought by customers or employees who allege that you were responsible for the data loss
- Allegations of libel, slander or copyright infringement that arise because of the data breach
- Allegations of breach of contract on your part
- Settlement costs
- Court-ordered damages
In addition to these legal costs, third-party insurance will cover the expenses of responding to regulatory inquiries and any resulting regulatory fines and penalties, to the extent that such fines are insurable under the law of the relevant jurisdiction (many jurisdictions do not allow certain fines to be insured, so check the policy wording and the applicable law).
Technology Errors and Omissions Insurance (Tech E&O)
Tech E&O insurance differs from cyber insurance in that it is designed specifically for providers of technology products and services and covers situations when there is some form of negligence on the part of the technology provider which causes financial harm to their users.
For example, a company might sue a technology provider for harm caused by missed project implementation deadlines or if it recommends the wrong solutions. In these cases, a tech E&O policy will cover the legal costs to defend against the accusations including court costs, attorney’s fees, settlement expenses, and any judgements ordered.
In the case of a cyber event where there is negligence on the part of the technology provider, the provider would claim to recover its legal expenses under its tech E&O policy. If there is no negligence, the claim would be made under its cyber insurance policy. These fine points create a gray area for tech companies, highlighting the vital role an insurance agent can play in working out adequate coverage without duplication.
Business Owners Policy (BOP)
Small business owners can add a limited degree of cyber liability coverage with an endorsement to their BOP for an additional premium. Such endorsements generally cover the third-party legal and notification expenses described above but none of the first-party costs you incur. The payout on third-party costs tends to be limited to $100,000, which could be exhausted quickly by notification costs alone.
Commercial Property Policy
Commercial Property Policies protect physical property owned by a business. These policies typically include some coverage for computers, often as part of broader coverage for electronics. While damage to hardware on the premises is covered, there is rarely protection for software and data, and generally none for data stored in the cloud, which sits outside the insured premises.
What Insurers Will Expect
Before engaging with an insurer or broker, it pays to ensure that you are already following certain basic practices, since the application questionnaire will ask about them. These practices should include:
- Maintaining a written cybersecurity policy
- Providing security training for employees
- Deploying firewalls and antivirus or endpoint protection software
- Installing software patches regularly
- Using strong, unique passwords and multi-factor authentication, especially for remote access, email and privileged accounts
- Keeping tested backups that are stored offline or otherwise isolated from the production network
- Encrypting mobile devices that interact with sensitive data
- Reviewing and responding to security monitoring alerts continuously
Don’t Get Rejected
While most cyber claims are paid, insurers can deny a claim if the loss could easily have been prevented or if a company cannot show that it complied with the requirements of the policy. Keeping detailed documentation of company policies and practices is therefore essential. The answers given on the application questionnaire form part of the contract, so an inaccurate answer about a control such as multi-factor authentication can give the insurer grounds to rescind the policy.
Claims may also be paid only in part because cyber policies carry separate limits (sublimits) for specific insuring clauses and subclauses, so a careful review of these terms when the policy is negotiated is important. Pay particular attention to the ransomware provisions. Estimating your company’s potential exposure to extortion demands, lost income, and asset restoration in advance lets you check that the limits will actually meet your needs.
Social engineering claims have been rejected where employee negligence could be shown, so as social engineering attacks continue to grow and evolve, it is important to negotiate a separate social engineering clause rather than relying on a computer fraud/forgery clause alone.
Some insurers have rejected Payment Card Industry (PCI) fines and assessments. These are levied by the card brands, typically through a merchant’s acquiring bank, when a merchant or service provider that handles card data fails to comply with the PCI Data Security Standard (PCI DSS), the standard maintained by the PCI Security Standards Council to protect consumers and businesses against data theft and fraud.
Another cause of denied claims is a company claiming against its own policy when another company, such as a vendor or service provider, is at fault for the breach. Unless the policy specifically covers losses caused by third parties (for example through contingent business interruption cover), recovery has to be pursued against the party at fault rather than under the policy.
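The way sublimits, coinsurance, the retention and the aggregate limit combine is easier to see with numbers, and it also makes concrete why the $100,000 BOP endorsement described earlier is exhausted so quickly. The following is an added illustration, not part of the original article and not any insurer’s model: both policy structures and the incident figures are constructed, and the order in which the terms are applied (sublimit, then coinsurance, then retention, then the aggregate cap) is an assumption; the policy wording governs in practice.

```python
"""Toy settlement model showing how per-clause sublimits, coinsurance, the
retention and the aggregate limit combine when a cyber claim is paid.

Added illustration: the policy structures and incident figures are constructed
and do not describe any real insurer's policy. The order in which the terms are
applied (sublimit -> coinsurance -> retention -> aggregate) is an assumption;
the policy wording governs in practice.
"""
from dataclasses import dataclass, field


@dataclass
class CyberPolicy:
    name: str
    aggregate_limit: float   # most the insurer pays in the policy period
    retention: float         # deductible the insured absorbs first, per claim
    # insuring clause -> sublimit; a clause absent here is not covered at all
    sublimits: dict = field(default_factory=dict)
    # insuring clause -> insured's coinsurance share (0.0 .. 1.0)
    coinsurance: dict = field(default_factory=dict)


@dataclass
class Settlement:
    paid_by_insurer: float
    borne_by_insured: float
    # clause -> amount left with the insured by the sublimit/coinsurance alone
    # (the retention and the aggregate cap apply on top, to the total)
    clause_gaps: dict


def settle_claim(policy: CyberPolicy, losses: dict) -> Settlement:
    """Settle one claim; `losses` maps insuring clause -> loss amount."""
    covered_total = 0.0
    clause_gaps = {}
    for clause, loss in losses.items():
        cap = policy.sublimits.get(clause, 0.0)      # uncovered clause -> 0
        covered = min(loss, cap)
        covered *= 1.0 - policy.coinsurance.get(clause, 0.0)
        clause_gaps[clause] = round(loss - covered, 2)
        covered_total += covered
    after_retention = max(covered_total - policy.retention, 0.0)
    paid = min(after_retention, policy.aggregate_limit)
    total_loss = sum(losses.values())
    return Settlement(round(paid, 2), round(total_loss - paid, 2), clause_gaps)


# Constructed ransomware incident, in USD.
INCIDENT = {
    "extortion": 400_000,
    "business_interruption": 600_000,
    "incident_response": 150_000,
    "notification": 120_000,
    "public_relations": 30_000,
}

# Constructed standalone cyber policy with per-clause sublimits and a 20%
# coinsurance share on extortion payments.
STANDALONE_CYBER = CyberPolicy(
    name="standalone cyber",
    aggregate_limit=750_000,
    retention=25_000,
    sublimits={
        "extortion": 250_000,
        "business_interruption": 500_000,
        "incident_response": 250_000,
        "notification": 250_000,
        "public_relations": 50_000,
    },
    coinsurance={"extortion": 0.20},
)

# Constructed BOP cyber endorsement: third-party liability and notification
# only, capped at $100,000, with no first-party coverage at all.
BOP_ENDORSEMENT = CyberPolicy(
    name="BOP cyber endorsement",
    aggregate_limit=100_000,
    retention=5_000,
    sublimits={"third_party_liability": 100_000, "notification": 100_000},
)


if __name__ == "__main__":
    for policy in (STANDALONE_CYBER, BOP_ENDORSEMENT):
        s = settle_claim(policy, INCIDENT)
        print(f"{policy.name}: insurer pays {s.paid_by_insurer:,.0f}, "
              f"insured bears {s.borne_by_insured:,.0f}")
        for clause, gap in s.clause_gaps.items():
            if gap:
                print(f"  gap in {clause}: {gap:,.0f}")
```

Run against the constructed $1.3 million incident, the standalone policy pays $750,000 and leaves $550,000 with the insured: the extortion sublimit and coinsurance together leave $200,000 uncovered, the business-interruption sublimit another $100,000, the retention $25,000, and the aggregate cap absorbs the rest. The BOP endorsement pays $95,000 because only the notification clause responds. Substituting your own loss estimates for each insuring clause is the kind of check the sublimit review above calls for.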
Finding Cyber Insurers
There are a variety of companies competing for the fast-growing premiums generated in this market, which have doubled since 2015 to over $3 billion. All of the large traditional players, such as AIG, Travelers, Chubb, CNA, and Liberty Mutual, are taking part in the cyber insurance market in a substantial way.
A new breed of company focused on the cyber insurance segment has also emerged in the last few years. These new entrants, such as Coalition, Resilience, At-Bay, Cyberdot, CyberScout and Corvus, are leveraging technology to deliver their services and take a proactive stance in helping customers understand and anticipate the changing threat environment, and they are a good match for SMB customers seeking cyber insurance.
Facing Up to the Threat
As the volume of cyber attacks grows and the nature of incidents continuously evolves, engagement with a cyber insurer offers resources to meet this challenge. By delivering updated threat data, platforms to test cyber incident readiness, and frameworks for building protection, cyber insurers can be another component of your business continuity planning. And by rationalizing your insurance coverages, your insurer can make sure you carry the right coverage, giving you the peace of mind that your company will have the financial resources to bounce back from a cyber incident as completely as possible and to limit damage to its competitive position.