Digital transformation through effective cybersecurity

Role of Traditional Insurance

| | Infrequent | Frequent |
|---|---|---|
| Not Serious | Don’t Insure | “Cost of doing business”: fix problem; can buy insurance, but would cost more than risk |
| Serious | Best case for buying insurance | Out of your control; insurance probably impossible to get or too expensive |

  • Plays a crucial role in understanding, managing and mitigating risks arising from emerging domains and evolving technologies
  • Facilitates innovation
  • Uses the past as prediction for the future - two basic models:
    • Fire model - individual houses catch on fire at a fairly steady rate
    • Flood model - an infrequent large-scale event affects large numbers of people at a fairly steady rate

Cyber...

... does not follow either "fire" or "flood" model
... cannot use past information (actuarial) to predict the future
... incidents happen at irregular rates in varying scale (single breach to "class breaks")


Today's Cybersecurity Insurance

Designed to mitigate losses (transfer risk) from a variety of internet-based, cyber incidents and risks relating to IT infrastructure and activities

  • Typically excluded (or not specifically defined) from traditional general liability policies
  • Few US companies have adequate cybersecurity insurance
    • Historically, purchasers included: Technology, Media, Telecom (TMT) and professional services
    • Recently, companies that deal with PCI / PII / PHI data – retailers, financial institutions, healthcare are increasingly utilizing cybersecurity insurance
  • Historically, policies dealt with data breaches and third-party liability coverage:
    • Costs associated with breach class-action lawsuits or settlements (only)
  • Recently, more first-party liability coverage includes:
    • Online extortion payments
    • Facilities rentals during an attack
    • Lost business due to systems failures, cloud or web hosting provider outages due to IT configuration errors
  • Changing the “intent of coverage” from cyber exclusion to cyber coverage
    • Stand-alone cybersecurity policies cover gaps

Why We Need Cyber Insurance

  • Most technology vendor contracts don’t allow users to pursue litigation
    • Even if it was a software failure
  • Quantity of class action and derivative suits will increase
    • Need a market solution that aligns incentives for businesses to maintain a robust set of data protection measures
    • Need to reduce the burden on corporations as litigation proliferates
    • Need a compensation system for victims
  • Investing in prevention and mitigation of cybersecurity breaches has diminishing returns
    • No such thing as 100% cybersecurity protection
  • Need a means for transferring cybersecurity risk associated with potential future breach
  • Prove that an organization is resilient and secure enough to work with
    • Having insurance can act as a branding mechanism

Cyber insurance risk mitigation roles

  • Engineering risks
    • Understand risk factors, develop insights, common metrics and scalable solutions
  • Channeling corporate risk
    • Assuming corporate cyber risks
  • Managing systemic risks
    • Promote cyber resilience to prevent cascading, single points of failure and aggregation risk
  • Harnessing collective security insights
    • Analyze data across industries by being a central repository
    • Enhance information sharing and exchange
  • Shaping broader risk trends
    • Financial incentives to change behavior
  • Harmonizing risk-related standards and practices
    • Apply standardized tools, metrics and norms for assessing vulnerabilities
    • Research and share sources of aggregation risk

Cybersecurity Insurance Problems

Corporations...

  • Believe they won’t be the victim of an attack
  • Don’t know how policy premiums are estimated 
  • Lack of clear wording on what exactly is covered
  • Cannot compare coverage across carriers
  • Unclear “minimum required practices” conditions
  • Unclear compliance requirements for standards and procedures
  • Lack of claim filing experience
  • Brokers lack deep expertise
  • Misunderstanding of first vs. third-party limits
  • Inadequate coverage for compliance-based fines
  • Exclusions (i.e., social engineering attacks)
  • Lack of a policy that provides holistic / multifaceted coverage / response

Insurance companies...

  • No underwriting standards
    • Inconsistent, limited, uncertain and ad hoc product offering
    • Lack of standardization
    • Should not be a retrofit of an existing product (i.e., terrorism)
  • Vague/unclear policy language and endorsements
    • Often riders to general liability policies
  • No “actuarial” table but…
    • Some costs identified (i.e., credit monitoring, hiring forensics firm, incidental expenses)
    • Constantly evolving nature of cyber = historical data not useful?
  • Aggregation risk harder to measure
    • Interconnected platforms and shared service providers
  • Estimating loss on data theft harder to calculate
    • Reputational damage and/or loss of customer trust

Intecur, Inc. Copyright © 2020 All Rights Reserved.