Written by Peter Davy
The last five years have seen enormous change in the cyber insurance market. Peter Davy takes a look at the development of cover and policy wordings in this fast-growing market.
Cyber security threats continue to grow apace. A growth industry in its own right, cyber crime costs the global economy more than US$400 billion a year, according to a recent McAfee report for the Centre for Strategic and International Studies. One need not look far for proof of this reality. Home Depot’s breach in September, affecting 56 million payment cards, was bigger than even last year’s unprecedented attack on retailer Target; Shellshock, the flaw in software on Unix-based operating systems discovered the same month, could be bigger than the Heartbleed bug that panicked security professionals in April.
The risks also continue to evolve. Earlier this year, a Lloyd’s report, Autonomous vehicles – handing over control, looked at the risks of hacking to driverless cars. And meanwhile, Europol warned this month it expects a rise in “injury and possible deaths” from attacks to critical safety equipment, citing a report predicting the first “cyber murder” by the end of the year.
“The threats are changing very, very rapidly, with new risks literally popping up every day,” says Bob Morrell, chief executive of risk management technology provider Riskonnect. “Vulnerability is everywhere.”
Reports of incidents will decline, he expects, but only because they become so commonplace. “Does the news cover car accidents all the time?” he asks.
From reimbursement for notification costs and third party liabilities in the case of security breaches, to protection for cyber extortion and non-physical business interruption caused by network outages or data losses, the range of cover continues to expand. According to industry analyst Advisen, there were 38 new cyber insurance products in 2013 alone.
In September, Lloyd’s carrier Brit launched cover for cyber attacks causing property damage and business interruption to companies operating critical infrastructure and industrial machinery; broker Marsh launched its Cyber Gap policy offering property cover for the oil and gas industry; and AIG’s CyberEdge PC policy, meanwhile, is broader still, offering a variety of businesses cyber protection on an excess and difference-in-conditions basis, filling gaps in property, casualty, energy, aerospace, marine, environmental, healthcare and financial lines policies.
“We are providing traditional coverage for cyber events where they might be excluded under traditional policies,” explains Jamie Bouloux, head of cyber products for EMEA, at AIG.
Businesses are also increasingly willing to look at taking cyber cover, says Bouloux. Across its cyber lines the company had 1,500 submissions in all of 2013. In the first half of this year, the figure was 1,200. Policies actually bound in the first half were also 75 per cent of the total policy count last year.
Cover has also been getting more affordable and simpler as capacity in the market increases. Broker Sutcliffe & Co launched a cyber policy for SMEs with AIG last year, for example.
“Five years ago buying cyber insurance was almost more trouble than it was worth for an SME because of price and complexity of the application, with 20-page proposal forms and a minimum premium of £5,000 or £10,000,” says the broker’s director Duncan Sutcliffe. “It has now become far more user-friendly and commoditised to a degree.”
There are a number of other drivers for greater interest, too. One is growing awareness of the inadequacy of traditional cover. In the US, the Insurance Services Office earlier this year released its standard contract exclusion for notification costs, credit monitoring expenses and public relations costs associated with data breaches for general liability covers. Other markets and lines are taking a similar approach.
“There are exclusions in the London market that flat-out exclude any type of property damage arising due to or through the use of computer systems,” says Bouloux.
Government and regulatory pressure also plays a role. The UK’s National Cyber Security Programme (NCSP) has raised awareness of the cyber threat, the National Audit Office said last month, while the forthcoming EU Data Protection Regulation will introduce a requirement across the EU to notify individuals where the security of their personal data has been compromised – a requirement that has helped drive uptake of insurance in the US. It also proposes fines of up to five per cent of global turnover or €100 million for failure to comply with the requirements of the regulation.
“Under the current regime in the UK the maximum fine the Information Commissioner’s Office can impose is £500k, so it’s quite a jump,” says Adrien Grady at lawyers Cameron McKenna.
Nevertheless, overall uptake of cyber insurance among businesses remains limited. A survey of Marsh’s clients this year shows only 14 per cent having taken out cyber policies.
“By this time next year we might see quite a change in the take-up rate, but right now we could not say it is a mass market product in Europe,” explains Stephen Wares, the broker’s cyber risk practice leader.
Getting to grips with cyber risk
At least part of the reason is the difficulty businesses have in evaluating their risks. It is not just a question of detecting intrusions, but also of evaluating the risks and potential impacts across the business. While IT teams may understand the risks, the understanding is more limited in treasury, audit or independent risk management functions.
“Boards are aware they need to take it seriously, but they’re just not sure what the next step is,” says Tom Draper, technology and cyber practice leader at broker Arthur J Gallagher. The issue is with quantification. If one cannot quantify the risk, it is difficult to work out what limits to buy.
This is, however, beginning to be addressed. At cyber intelligence and response company Sedena Networks, co-founder Martin Jordan says his firm is increasingly being hired by internal audit teams determined to evaluate weaknesses in their network, which shows the need to understand the risks is moving beyond the IT function.
The change is at least partly due to brokers. Draper says much of the broker’s work involves promoting communication between IT and risk management functions and the board. Likewise, other brokers are using Monte Carlo simulations to identify the likely frequency and severity of potential cyber events and so quantify their impact.
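The frequency-and-severity Monte Carlo approach the brokers describe can be shown in a few dozen lines. The model below is an added illustration, not any broker’s actual model or code from the article: it assumes incident counts follow a Poisson distribution, that the cost of each incident is lognormal, and the parameter values (two incidents a year, £100,000 median loss) are constructed for the example. The output it produces is the kind of figure a board asks for before choosing a limit: expected annual loss and the loss level exceeded only one year in twenty or one in a hundred.

```python
"""Frequency-severity Monte Carlo for cyber loss quantification (illustrative)."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class LossModel:
    events_per_year: float  # Poisson frequency (assumed distribution)
    median_loss: float      # lognormal severity median, in currency units
    sigma: float            # lognormal dispersion; larger = heavier tail


def poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson count with Knuth's multiplication method (fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(model: LossModel, years: int = 20000, seed: int = 1) -> list:
    """Return one total loss figure per simulated year."""
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    mu = math.log(model.median_loss)   # lognormal parameter from the median
    losses = []
    for _ in range(years):
        incidents = poisson(rng, model.events_per_year)
        # each incident draws its own severity; a year with no incidents costs 0
        total = sum(rng.lognormvariate(mu, model.sigma) for _ in range(incidents))
        losses.append(total)
    return losses


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile (q in [0, 1]) of a list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def analytic_expected_loss(model: LossModel) -> float:
    """Closed form used as a sanity check: E[N] * E[X] for Poisson N and lognormal X."""
    return model.events_per_year * model.median_loss * math.exp(model.sigma ** 2 / 2)


def summarise(model: LossModel, years: int = 20000, seed: int = 1) -> dict:
    """Headline figures a risk manager would take to the board or broker."""
    losses = simulate_annual_losses(model, years, seed)
    return {
        "expected_annual_loss": mean(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),   # 1-in-20-year loss, a common limit anchor
        "p99": percentile(losses, 0.99),   # 1-in-100-year loss
        "prob_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    # Constructed parameters for the example, not figures from the article.
    model = LossModel(events_per_year=2.0, median_loss=100_000.0, sigma=1.0)
    for key, value in summarise(model, seed=7).items():
        print(f"{key:>22}: {value:,.2f}")
```

The gap between expected annual loss and the 95th or 99th percentile is the point of the exercise: premium is driven by the former, while the limit a business buys should be sized against the latter. Changing `sigma` shows how sensitive the tail is to the severity assumption, which is exactly the assumption IT and finance tend to disagree about.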
The benefits go well beyond simply enabling risk transfer, says Aon’s global cyber practice leader Kevin Kalinich; the analysis helps businesses identify uninsurable risks, such as reputation damage, as well as enabling them to identify the outside expertise they may need – a key aspect of limiting damage.
“We’ve found if you only begin to respond to a privacy and security breach after the event the costs are dramatically higher,” explains Kalinich. “If you already have in place legal experts, IT forensics experts, investigation teams, call centre providers and a business interruption response plan the losses are much lower for the same breach.”
Technology can also help in driving understanding and responses across businesses. The challenge, particularly for large businesses, is not just detecting possible intrusion across a variety of disparate systems; it is collecting this information, combining it with outside sources on the evolving risks and getting this information to the right people, according to Brenda Boultwood, senior vice-president of industry solutions at governance, risk and compliance solutions provider MetricStream.
Only by doing so can organisations have a holistic view of their exposures, says Boultwood, and systems can help with this – as well as automating and tracking responses to incidents and weaknesses identified to ensure they are followed through.
“Just like you might track an audit issue across the firm, it is about treating these incidents with that same level of internal rigour,” Boultwood explains.
Such an enterprise-wide approach is vital because total protection is impossible, so cyber security must be a balancing act.
“IT will just say no and want to turn off systems since that’s totally secure, but the business needs to make decisions on what is acceptable and what is not. All players have to work together and have a meaningful discussion about what the risks are, whether they need to invest, and where they need protection and to make things less convenient,” she says. “Enterprise risk management is a key mechanism in making all the players work together and having that discussion.”
This article was published in the September 2014 issue of CIR Magazine.