Additional exposures may cause coverage lines to blur
ISO Emerging Issues Perspective
By Shawn E. Dougherty
For all the benefits coming from a connected world, the digital age can often show a dark underside. Cyber exposures may represent the largest global issue emerging for insurers thus far in the 21st century. Cyber is also one of the fastest-growing insurance markets—but an area in which a lack of accurate pricing and underwriting information may pose key obstacles to continued growth. Though available in the market for about 15 years, cyber insurance is by most standards still in its infancy.
Cyber insurance today generally addresses privacy breach or data breach exposures. That typically means the actual or suspected compromise of security that has (or may have) resulted in the loss of, unauthorized access to, or release of confidential data—regardless of whether that information is stored electronically or in a paper format. Such confidential information can include personally identifiable information (PII)—such as an individual’s full name, home address, place of birth, and Social Security number—or protected health information (PHI), which can include an individual’s medical records, laboratory reports, and biometric identifiers, such as fingerprints and voice profiles.
Businesses of all types and sizes—from retail operations, educational institutions, healthcare organizations, even to local, state, and federal government offices—maintain and store customer and/or employee PII and/or PHI data. And hackers have targeted many of them.
Data breach–related notification laws have been enacted in 47 states plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. There is currently no U.S. federal law regarding a data breach notification standard. A number of cyber insurance products available today focus on providing coverage to address data breach exposures and were designed primarily in response to various state laws.
Measures of the market
Some have observed that, to date, the majority of cyber insurance has been written through the nonadmitted excess and surplus (E&S) markets. Even so, coverage is becoming more common within the admitted market, especially as it expands to small and mid-sized commercial risks. According to the June 2016 Lloyd’s Cyber-Attack Strategy report, more than 80% of the Lloyd’s market cyber premium is derived from the United States.
The exact size of the U.S. cyber insurance market remains unknown, since definitive figures from all insurers have been difficult to obtain. Some insurance experts estimate the current annual gross written premium for the U.S. market may be as high as $3.25 billion and project that figure may grow to $20 billion or more by 2025. In 2015, the National Association of Insurance Commissioners (NAIC) introduced its Cybersecurity and Identity Theft Insurance Coverage Supplement designed to obtain financial information from admitted market insurers in the United States writing cyber risk coverage. In June 2016, the NAIC released its preliminary analysis. Insurers reported direct written premium of almost $484 million from stand-alone cyber policies and about $1 billion of premium from cybersecurity package policies. The take-up rate for cyber insurance (the percentage of businesses actually purchasing cyber coverage) is estimated to be between 20% and 30%—and increasing each year. Suffice it to say, the cyber insurance market likely has plenty of room for growth and represents an opportunity for insurers interested in entering the market.
Like other new markets preceding it, cyber insurance faces growing pains and challenges that have to be addressed for it to become more established. Some commercial insureds might even come to expect that all things perceived to be cyber-related will be covered under their cyber insurance policy—even if that policy was neither designed nor intended to provide coverage for all types of exposures. In other words, as additional cyber exposures gain in notoriety, coverage lines may begin to blur. Here are two examples:
Property damage exposures: Some cyber attacks have reportedly resulted in physical property damage. The devastating impact of the Stuxnet virus on Iran’s nuclear facilities in 2010 and the hacking attack at a German steel mill in 2014, both of which resulted in significant physical property damage, are examples. The concept of property damage resulting from a cyber attack was even the subject of an episode of the television series CSI: Cyber (season 1, episode 4: “Fire Code”), a drama in which arsonists were able to spark fires by hacking into printers. While the episode is seemingly far-fetched, researchers at Columbia University did indeed establish that such a feat is possible. Given the focus of many cyber policies on data breach exposures, a cyber policy might not be the most appropriate type of policy to cover property damage. Historically, outside of the cyber context, coverage for property losses due to fire or explosion has been addressed under a traditional commercial property or equipment breakdown policy.
Cyber crime exposures: “Social engineering” refers to types of phishing attacks in which a telephone call or email message typically arrives from a familiar number or address but is actually sent by a criminal seeking information, property, or money. “Spear phishing” and “whaling” are types of these attacks directed specifically at a firm’s senior management team with the intention of getting them to unwittingly divulge confidential information or transfer property or funds. Many such attempted attacks have reportedly occurred in 2016. For example, there have been reports of human resources executives tricked into releasing employee payroll and W-2 information, and some finance executives have been swindled into transferring large sums of money into fraudulent accounts. Both illustrate actions taken by employees at the direction of someone they thought was a senior executive of their firm but who was actually a criminal. Coverage for such types of loss might be more appropriately addressed under a commercial crime policy.
Opportunities and challenges
Virtually every commercial operation faces cyber exposures and the potential to incur significant financial losses. Those losses can have an impact on a firm’s bottom line, even to the point of threatening its financial survival. The cyber insurance market will likely continue to grow as an increasing number of businesses recognize the cyber exposures and potential losses they face from a data breach.
The professional insurance agent plays a critical role in preparing for a breach and its aftermath. A savvy agent can take the lead in educating clients and helping them understand the differences in coverages offered in traditional insurance policies versus the newer cyber policies. In this brave new world of risks and coverages, the cyber insurance market offers both challenges and opportunities for the insurance industry.
Shawn E. Dougherty is director of cyber at ISO Solutions, a Verisk Analytics business.