More than just insurance, cyber
provides critical support for vital operations
By Joseph S. Harrington, CPCU
Cyber insurance has been around in some form for a little more than 25 years. Over that period, one could say that it has evolved to work like a cross between property/casualty insurance and health insurance.
To be sure, cyber insurance is officially a P-C line whose premiums and losses are reported as such on annual statement forms promulgated by the National Association of Insurance Commissioners (NAIC). As a P-C line, cyber insurance covers losses to property (intangible data and information, for the most part) and liability for injury and damage to others (mostly compromises of confidential information).
That said, cyber risk and cyber insurance have several core features that distinguish them from other types of property and liability risk and coverage:
- Cyber values at risk (data and information) grow and fluctuate much more rapidly than those for tangible property.
- Cyber property settings (hardware, software, and networks) evolve much more rapidly than those for tangible property.
- The perils causing loss to cyber property change quickly; some subside or disappear while new ones arise.
- Cyber liability can apply even without evidence of a loss to a third party.
- Cyber insurance is a specialized, non-standardized coverage sold to non-specialists.
Regarding the last point, attorneys, physicians, engineers, human resource professionals, and other specialists presumably understand the nature of their professional and managerial risks, and are generally capable of assessing the merits of that coverage in differing policy forms.
Cyber insurance, on the other hand, is acquired by owner/operators of all types of enterprises, most of whom are not specialists in IT or insurance. They must make the most of a purchase they are strongly advised to make—and often required to make as a condition for entering certain contracts.
Given that cyber insurance is a specialized coverage purchased by non-specialists, it’s not surprising that it shares some characteristics with health insurance, which is also coverage for conditions most people don’t have the training to understand.
Most P-C professionals will be quick to note that health insurance, as commonly understood in the United States, is not really insurance; rather, it is healthcare financing. Whereas first-party property insurance generally seeks to avoid costs of maintenance while covering costs of loss by external factors, health insurance funds basic care to reduce the probability of serious injury or illness.
“Cyber is the most important coverage out there for agents and brokers.
Your clients are not only purchasing insurance, they’re purchasing
access to highly experienced vendors to assist during a cyber event.”
Senior Vice President
Risk Placement Services
Something similar has happened with cyber insurance.
Simply put, there is no cyber policy worth considering that does not include access to specialists who monitor insured systems for vulnerabilities and who help respond to incidents. Just as no health insurer would cover you without knowing your health conditions, no cyber insurer will underwrite an account unless it can be assured that its client’s systems are well-maintained, regularly updated, and reinforced in the event of a cyber-attack.
Keeping with the health insurance analogy, when you enroll in a health plan, you typically do so with a physician connected to a network of specialists. You are told early on to consult your primary care physician to seek a referral to an “in-network” specialist. Otherwise, if you simply go to a specialist on your own, you may find that you have reduced coverage or no coverage at all.
Along the same line, Nick Carozza, a senior vice president for Risk Placement Services, reminds insurance agents and brokers that a cyber policyholder isn’t just buying insurance, but is also buying access to a range of cyber services.
“Cyber is the most important coverage out there for agents and brokers,” he says. “Your clients are not only purchasing insurance, they’re purchasing access to highly experienced vendors to assist during a cyber event.”
Even in the absence of a loss or claim, Carozza says these vendors provide valuable support to insureds, including periodic scans for “open ports” and other system vulnerabilities, plus monitoring of the “dark web” for stolen proprietary or client information.
Beyond this remote monitoring of online security, vendor partners of cyber insurers also provide valuable training to client staff in implementing and maintaining security measures that are often required as conditions of coverage.
To test employee responses to threats, cyber services undertake simulations of “phishing” and “social engineering” attacks, in which cyber criminals impersonate authorized persons to gain access to protected information. These vendors also monitor adherence to “call back” protocols, which are requirements that any online directive for releasing money or information be confirmed by a live phone call before being executed.
Report without fear
In Carozza’s estimation, many cyber insurance buyers could give more consideration to the services provided when purchasing a policy. He estimates that fewer than 10% of cyber insurance buyers make full use of the security services available to them. A major reason for this, he says, is that most insureds rely on internal IT teams or existing service providers to maintain their cyber operations, often overlooking additional vendors they can access.
Carozza notes that participation by a company’s IT team, internal or external, is helpful when completing lengthy, complex, and detailed applications for cyber coverage. Given that, he finds that the most effective approach to cyber risk management is to extend that information sharing through the entire lifecycle of a policy and its renewals.
Carozza emphasizes that, unlike with other types of insurance, cyber insureds need not fear that reporting a loss or potential loss will necessarily impact their premium. “When a cyberattack happens, put your carrier on notice immediately,” he urges.
“If a loss is reported but nothing is paid out, that’s not a bad thing,” he adds. “On the contrary, most cyber insurers will think, ‘This is a good client that wants us to know what’s happening.’”
Indeed, a common mistake Carozza sees among cyber insureds is to take action in response to an event or perceived threat, only to learn later that the action taken does not qualify for coverage because the insurer was not informed beforehand.
According to Carozza, most cyber policies require the insured to contact the carrier or a carrier-affiliated service as soon as the insured is aware of a breach or some other online threat. Acting first and contacting later can cost coverage, but all too often, Carozza finds “there’s a disconnect in that insureds are not aware of their obligations before making a claim.
“Understand, this is typically among the most stressful events in a business owner’s professional career,” he says. “While it’s understandable that they would want to turn to familiar partners to help them through the crisis, that doesn’t absolve them of their responsibility to seek the guidance of their insurer before they do.”
Limits on limits
Agents and brokers have an important role to play in helping their cyber clients identify the additional IT resources available through their cyber policies, Carozza says. They also have an important role in helping cyber insureds get the most of their insurance proceeds.
Although cyber insurance policies are not standardized to the extent of commercial auto, liability, and property policies, cyber policies commonly provide a series of insuring agreements for different types of first- and third-party losses, with each of them subject to an individual or categorical sub-limit.
Given these sub-limits, a cyber insured may be unpleasantly surprised to learn that its recovery for a cyber loss was considerably less than the total amount of insurance provided by the policy. “The insured might think it has $1 million in coverage,” says Carozza, “but sub-limits on first-party coverages can drastically restrict the amount of recovery.”
In all, the real value of a cyber policy lies in how its limits and support services align with the operations and risk profile of a client. That amounts to great opportunity for diligent agents and brokers seeking to capitalize on the ample opportunities presented by the fastest growing line of insurance. n
For more information:
Risk Placement Services
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.