Public Policy Analysis & Opinion
A U.S. House committee examines the cybersecurity insurance option
The Small Business Committee of the U.S. House of Representatives donned a sales representative’s hat when it published a report titled “Protecting Small Businesses from Cyber Attacks: The Cybersecurity Insurance Option.”
The hearing focused on the gravitas of financial risk associated with cybersecurity and cyber attacks. The consensus opinion expressed at the hearing was that the risk is significant and only imperfectly measured for transfer. Furthermore, according to one senior insurance executive, the weight of risk is more than private insurance mechanisms can carry.
Cybersecurity-related insurance is a growth sub-sector that seems poised to expand for a long time to come.
Erica Davis, senior vice president and head of specialty products errors and omissions for Zurich North American, opined: “The full range of the exposure is too broad to be covered by the private sector; not all causes of loss can be transferred to an insurance policy. Cybersecurity breaches can cause losses including property damage, bodily injury and reputational risk, and we are investigating the best way to consider these impacts.”
“In our committee’s efforts to spotlight these serious and growing threats, it has become clear that we need to think outside the box as we work to thwart cyber attacks,” said the committee’s chair, U.S. Rep. Steve Chabot (R-Ohio).
The hearing included discussions of steps that small businesses can take to mitigate the risk of cyber attack, but most of the testimony addressed the importance of insurance products to successfully recover from these Internet-based crimes.
Unquestionably, the insurance sector believes that cybersecurity insurance products are a nascent growth area. References to cybersecurity and related insurance products are so common that they sound like clichés. Cybersecurity-related insurance is a growth sub-sector that seems poised to expand for a long time to come.
Many industry advocates believe that this growth seems to belong to American insurers, although some of these American carriers have international partners. With the conduct of hearings and publication of the committee’s report, House leaders have taken affirmative steps to empower that American insurance sector.
Robert Gordon, senior vice president for policy development and research at the Property Casualty Insurers Association of America (PCI), welcomed the committee’s support. “PCI commends the committee for raising the awareness of the vital need for small businesses to protect their companies with cyber insurance. PCI encourages Congress and the Administration to coordinate cybersecurity policy among federal agencies and designate lead agencies to coordinate discussions where appropriate. It is essential that state insurance regulators are also included and all work together to avoid a conflicting patchwork of state, federal and international standards,” said Gordon.
The impetus for the hearing and report had the support of committee Republicans, but the minority party Democrats appear to have played an energetic role in promoting this effort.
U.S. Rep. Nydia M. Velazquez (D-N.Y.) is the ranking minority party member of the committee. Rep. Velazquez stated that the hearing explained the public policy aspect of a growing cyber insurance sector, beginning with the declarative statement: “The Internet has undoubtedly transformed the way small businesses operate.” Later she opined: “For the federal government, cybersecurity should be a priority. But the private sector must also stand up to the challenge and complement the existing federal resources.”
Rep. Velazquez expressed her understanding of the scale of cybersecurity risk: “In 2016 alone, more than 1.1 billion identities were stolen. This is worrisome—perhaps lethal—for companies that have a reputation of safeguarding their customers’ information and need to maintain their credibility.”
Perhaps the highest-profile hack discovered in 2016 concerned the Democratic National Committee and senior staff members of Hillary Clinton’s presidential campaign. Poor security, and surprisingly naive behavior by senior staff, allowed Russian hackers to infiltrate the Democrats’ computer systems.
Rep. Velazquez reiterated the threat to American businesses. “Small businesses that lose customer information when their security is breached suffer significant costs—financially and in the loss of customers’ trust,” she said.
The representative also expressed her understanding of the difficulty that large and small businesses face in identifying incidents of hacking. “[O]nce businesses get compromised, fully recovering from a cyber attack is extremely difficult—if it’s noticed at all. On average, small businesses that get hacked make the discovery more than 200 days after the attack has occurred.”
Nuts and bolts
Eric Cernak, U.S. cyber and privacy risk practice leader at Munich Re, U.S., provided a “nuts and bolts” perspective to the committee. Cernak echoed the belief that the cyber market will generate growing revenue for insurers.
“According to a report published by Aon titled ‘Global Cyber Market Overview: Uncovering the Hidden Opportunities,’ the global stand-alone cyber insurance market in 2016 was around $2.3 billion in premium, up from $1.7 billion in 2015, and the U.S. accounted for 90% of the 2015 market,” explained Cernak. “In the U.S., around 19% of small businesses secured some cyber insurance,” he continued.
Because the category of cybersecurity losses dates only to the late 1990s, insurers face extraordinary complexity when underwriting and pricing the product. Cernak told the legislators that insurers were using creative means to assess the risk and establish pricing:
“Due to the lack of loss data, insurers have adapted pricing, terms, and conditions from other lines of business, such as technology errors and omissions, crime, media liability, etc. Some insurers also have looked to conduct primary research and have interviewed experts in various fields, including IT forensics, attorneys, breach response service providers, public relations firms, and others. Through this process, insurers can better understand the frequency of events, how long events may take to address, and the associated costs for the various services. These figures are then converted into insurance premiums. As experience develops, these initial figures can be blended with the actual insurance claims results to refine the premiums being charged.”
Even in cases where loss data begins to build a credible statistical foundation for fair and accurate pricing, technology can change so quickly that the foundation fails. Cernak observed, “As new technologies are introduced, exposures that previously did not exist become commonplace. For example, cyber extortion was typically limited in scope to targeted attacks where the attacker threatened to release data that had been stolen or to continue with a denial of service attack unless a ransom was paid.”
The committee heard additional commentary from the carrier/underwriter perspective in testimony from Davis of Zurich North America.
Davis stated, “Most loss dollars arise from first-party privacy breach costs, such as forensics, breach coaches, consumer notification and credit monitoring.” Davis added that her company also sees financial loss arising from:
- Business interruption
- Liability lawsuits
- Regulatory fines
- Reputational damage
- Shareholder suits
Cernak testified: “Another tool insurers have deployed to improve cyber insurance products and pricing is the survey of potential customers (i.e., business owners) to understand specific kinds of concerns, the frequency of issues they face, and the costs to address them. This helps insurers prioritize which coverages to develop and include in a cyber insurance product and determine associated terms and pricing.”
Robert Luft, owner of SureFire Innovations, a network design, security, and installation company, testified on behalf of the National Small Business Association (NSBA). Luft explained how he assessed the scope of his risk of financial loss from cyber threats: “This was a simple formula: daily payroll, daily sales, and the cost to notify any individuals whose sensitive information is stored on my network. The formula I used was annual sales divided by the number of lost business days, which gave me $3,200 in effective lost daily earnings due to a potential cyber attack.”
Cernak provided a brief interpretation of the cybersecurity public policy framework. He addressed the patchwork of state and federal laws that attempt to mitigate risk and shape the scope of insurance coverage. “Many of the first cyber insurance policies focused solely on liability exposures of third parties (as opposed to those faced by the entity purchasing the coverage) and only provided a small sub-limit for costs the insured might incur in complying with various breach notification laws,” he observed.
Although it was not discussed at the hearing, there is a strong reason to question whether state jurisdiction over cybersecurity insurance products could fall to a successful challenge in federal court. As a commercial lines product, cybersecurity insurance remains outside active rate and form regulation in most states. A National Association of Insurance Commissioners model law not only “assumes” competitive markets but places impediments before regulators who wish to regulate product design or pricing. As such, commercial products may be subject to federal antitrust law and Federal Trade Commission oversight under the McCarran-Ferguson Act. The act exempts the business of insurance from federal oversight only to the extent that the activity is regulated by state law.
Kevin P. Hennosy is an insurance writer who specializes in the history and politics of insurance regulation. He began his insurance career in the regulatory compliance office of Nationwide Insurance Cos. and then served as public affairs manager for the National Association of Insurance Commissioners (NAIC). Since leaving the NAIC staff, he has written extensively on insurance regulation and testified before the NAIC as a consumer advocate.