Today's top stories

Want good cyber insurance? Read the fine print

Experts describe the cyber insurance industry as “healthy and growing.” But they also say that, given a relatively short history of risk and claims data, pricing and exclusions can be all over the map

magnifying glass contract
Credit: Thinkstock

One of the main reasons to buy insurance is to prevent the cost of an accident or other disaster from breaking the bank. But what if simply buying insurance threatens to break the bank?

That scenario is starting to worry some organizations, for several reasons.

First is the simple but powerful market force of supply and demand. More and more organizations, spooked by regular stories of catastrophic breaches – such as the compromise of more than 1.5 billion Yahoo! accounts, which took down its acquisition value by a reported $350 million – are seeking insurance. And when demand rises, the price tends to do so as well.

Another factor is that cyber insurance is still a relatively new field – it was very much a niche business until less than a decade ago. So it lacks a lengthy and comprehensive history of risk and loss, in comparison to things like vehicles and housing, which have yielded generations of data to provide what insurers call “actuarial credibility.”

Cyber insurers are still figuring out their risk exposure. And as a number of experts point out, with threats expanding and changing rapidly, so are the risks.

“Cyber is a peril that is changing faster than insurers can collect experience data,” said Andrew Coburn, senior vice president of RMS. “Take the new loss process around ‘cyber-physical’ attacks, which can cause property damage, such as building fires.”

He and others also note that the explosive growth of the Internet of Things (IoT) – with estimates of 20 billion or more connected devices in use within three years – is a part of that changing peril, making for a rapidly expanding risk landscape that has yet to be measured.

There is also the reality that cyber attacks many times involve multiple targets.

“The major threat to the insurability of cyber is that a systemic attack, such as a cyber attack on the power grid, could cause a catastrophic loss, with many insureds hit by the same event,” Coburn said.

With that kind of uncertainty, erring on the side of caution tends to lead to higher prices, more exclusions that limit coverage – or both.

“Cyber insurance is a nascent industry,” said Robin Gottschalk, insurance producer on Insureon's technology desk. “So, while complex models are forecasting costs, realized costs can be much different. They can vary widely because there are more incidents than insurance companies are forecasting or because the incidents are more expensive than anticipated.”

Steve Durbin, managing director at the Information Security Forum, called risk measurement, “hugely complex,” and said many insurers are still struggling with cyber risks because of a lack of “significant data and trend analysis.”

Cyber, he said, “is one of the fastest moving and changing industries we have ever seen. New threats emerge that are difficult to defend against, and it is even more difficult for insurers to predict accurately a premium that provides appropriate cover at a price that is both affordable and delivers value. As a result, we continue to see premium volatility and exclusions.”

Indeed, given a lack of granular data, several experts say it is crucial for organizations seeking coverage to comb through the fine print, so they don’t end up paying for what Lynda Bennett, chair of Lowenstein Sandler’s Insurance Recovery Group calls “illusory” coverage.

“Exclusions in cyber policies are a significant challenge, especially because exclusionary language is often embedded in the definitions section of the policy and elsewhere,” she said. “There are some policies that have so many enumerated exclusions and hidden exclusions in the definitions section that companies must carefully evaluate whether the insurer intends to provide any coverage at all.”

Gottschalk said she has not seen any “meaningful increase” in premiums in the small-business segment. But, she said, “costs could vary drastically between those and larger businesses. Because cyber insurance covers a wide range of costs incurred from a data breach, including credit monitoring services and investigation fees, insurers could be increasing premiums on larger businesses.”

In short, experts say given the complexity and uncertainty of the market, their best advice to those looking to buy cyber insurance is: Don’t try it alone. Seek professional help – both to figure out what kind of coverage you need, and to help comb through the fine print.

This requires, “knowledgeable risk managers, brokers and coverage counsel,” said Elliott Kroll, a partner at Arent Fox and chair of the firm’s Insurance Practice Group.

He said a number of recent court decisions have demonstrated that, “even large, sophisticated companies have failed to adequately assess the coverages provided by the cyber policy that they purchased in connection with their risk profile.”

Bennett agreed. “The market remains very much in flux and there are many traps for the uninformed,” she said. “Policyholders must conduct careful diligence before soliciting quotes from insurers.”

Stephen T. Raptis, a partner in the insurance recovery practice at Manatt, Phelps & Phillips, has a list of recommendations for his clients, which could be summarized as: Do your homework and don’t be shy about negotiating. They include:

  • Review specimen policy forms – very carefully – from multiple insurers to get the broadest coverage possible, paying special attention to language that could signal coverage gaps.
  • Use the most favorable language from each form as leverage when negotiating with competing insurers.
  • Be as complete and accurate as possible when completing the policy application. Don’t be afraid to ask broker or insurer for additional explanation or help in simplifying the application process.
  • Seek out insurance brokers that are experienced in placing cyber policies.
  • Pay close attention to any “retroactive date,” which may eliminate coverage for losses arising from events that precede it. Seek to have the retroactive date backdated as far as possible.
  • Be wary of war and terrorism exclusions that eliminate coverage for cyber attacks from foreign countries with political, religious or social motivation, or for personal gain.
  • Be wary of open-ended exclusions applicable to a policyholder’s failure to follow minimum required security practices or its own security protocols.

None of the experts surveyed said they expect cyber insurance to become unaffordable. Most of them described the industry as “healthy and growing,” although Greg Reber, CEO of AsTech, called it, “the ‘Wild West’ right now in this market. Awareness and fear is going up quickly and companies are turning to insurance to assuage their fear.

“But supply is there, and pricing is finding its feet,” he said.

Indeed, Durbin cited a prediction last fall from Allied Market Research that the cyber insurance industry would see a CAGR (compound annual growth rate) of 28% from 2016-2022, to $14 billion.

There is also general agreement, however, that the health of the industry for both insurers and their customers will depend in significant measure on transparency from both sides.

Policies, they said, need to have less ambiguity about what is covered and what isn’t. And buyers need to be transparent about their own risks and security posture. “Companies have to take their self-assessments seriously when they complete them,” Reber said “There are already case studies of insurance companies refusing to pay claims due to inaccuracies in the self-assessment.”

One way to help, with both consistency and transparency, would be to standardize the policy forms, Kroll said.

“Cyber insurance in the U.S., at this point, is generally only available from surplus lines or non-admitted carriers,” he said. “As such, it is not subject to state rate-and-form regulations.”

That, plus a lack of “credible actuarial data” means each insurer uses a different policy form.

“Since cyber insurance is becoming more mainstream, it may be time for state insurance regulators to provide a process, through rate-and-form review, so admitted insurers can easily offer cyber insurance coverage. This should lead to more uniform policy forms and wordings,” he said.

All of this will take time, of course, but,“cyber insurance is not going away,” Reber said. “I think it’s as healthy as can be expected in these early phases of the industry, and will become more stable with time – after more data and case studies can be applied.”

Add your fine print to our comments section on Facebook.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Healthcare records for sale on Dark Web