Insuring Cyber Risk – Concerns about Coverage

It is fair to say that cyber insurance is in its infancy in Australia. Businesses, brokers and insurers are still working out the best way for insurance to protect against cyber risk while ensuring the insurance model is sustainable. Protecting against emerging risks is an integral part of the insurance proposition – so how does the insurance industry continue to help businesses and the wider economy manage cyber risk?

Insurers’ concerns fall into two categories – concerns about scope of coverage, and concerns about managing the risks. In this article, we explore these concerns and offer some thoughts about how the insurance industry can respond in this rapidly evolving world.

Is it insurable?

Cyber risk has similar features to existing insured risks. So why should cyber insurance be an issue for insurers? The key concerns about insurability are:

• The non-random nature of cyber losses. More and more we are told that experiencing a cyber breach is “inevitable”.
• The difficulties with proving and measuring loss
• Predictability of losses is low, due to a lack of data and the evolving nature of the risk.

While these attributes make it more difficult to insure, as an industry we have successfully managed them for other classes (workers’ compensation, business interruption, crime, D&O).

Most of the insurability problems can be reduced, if not eliminated, by establishing coverage deductibles and limits, as well as clear-cut definitions of cyber risk. Over time, the insurance pools will become larger and more data will be available.

How do we define coverage?

While cyber insurance is a new product, we have already seen 16 product offerings in Australia. It has been a long time since a new general insurance product was last launched, and most market players have not experienced the journey to maturity for a new product. At this stage, there is no standard product or wording for cyber insurance – even in the US and Lloyd’s, where the business has been written for a number of years.

Most current cyber policies offer some combination of first-party coverage – protecting against losses suffered by the insured – and liability coverage, protecting against claims by third parties. The trigger of a cyber policy varies across product offerings. Some policies are triggered by an event that results in a ‘loss of data’ or a ‘claim’ against the insured. Some policies provide a broader level of cover and are triggered when a cyber or data incident occurs.

The coverage offered by some policies is fairly limited at this stage. We see insurers excluding coverage where losses arise due to human error, unencrypted data, intellectual property, unsecure websites access, bodily injury and property damage. At the same time, we observe relatively low cover limits of (say) $10 million being offered.

There is no right answer to defining cyber insurance coverage. However, insurers should look to strike a balance between the needs of the business (seeking broader coverage) and the needs of the insurer (wanting to limit loss potential).

What are the overlaps with other insurances?

Traditional insurance products typically exclude cyber-related losses, and therefore current products offer little cover for cyber-related losses. Cyber insurance is intended to cover the gaps in traditional insurance coverage, as well as covering new risks which are emerging in the digital age.

The table below summarises the cyber-related covers offered by different insurance types.

Property and Liability insurance do not usually cover cyber-related losses, due to cyber exclusions, but some policies which do not have the exclusions will be exposed to cyber-related claims. In some cases, there is uncertainty around coverage for cyber risks, and outcomes will depend on the framing of a claim and potentially on a court decision.

Cyber security insurance covers most of the gaps in traditional products. At this stage, it is typically being offered as a stand- alone product, but as the market matures we may see cyber coverages incorporated into traditional products (essentially, removal of cyber exclusions).

There are some overlaps between cyber insurance cover and more traditional products – for example, crime and management liability policies. We expect these overlaps will be managed in the same way as overlaps between general liability, professional indemnity and D&O – i.e. through negotiations or court decisions

Do we need to provide help as well as money?

While most businesses are aware of cyber-crime risk, most do not yet have the expertise to deal with an incident. Some insurers provide expert assistance as part of their product offering – among other things, this helps minimise claims costs. Assistance may be provided by law firms, IT Forensic, Public Relations, IT Security, Privacy Compliance and Business Income Adjusting.

The approach of providing help as well as money is not unique in the current insurance market, but has been done in the (distant) past: when property insurance was first introduced in the 1800s, fire trucks were provided by the insurers.

Perhaps we will see insurers providing less in the way of assistance, as businesses develop experience and skills in dealing with cyber incidents. At this stage assistance appears to be valued by policyholders and is beneficial in reducing cyber losses.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.