Roll-out of cyber insurance products
Why cyber insurance?
Until recently the USA has been the biggest market for cyber insurance. The main reason is the legal development that started with the California Database Protection Act of 2003, which required disclosure of any data security breach to each affected California customer whose Personal Information had been compromised. Following this act, many US States now have similar legislation.
With the EU General Data Protection Regulation (GDPR), which applies from May 2018, Europe will also have uniform legislation on Personal Data and breach response. The US legal environment with respect to Personally Identifiable Information (PII) has been the primary market driver for cyber insurance in the US, and as the GDPR now introduces similar requirements in the European Union, we are seeing similar demand in Europe.
The risk of business interruption
The risk of business interruption is another important market driver. We have noted that some executives fail to recognise a paradigm shift: where it used to be possible to revert to manual labour when business automation failed, this option is no longer commonly available. Today process automation is built on robots and technology that cannot be replaced after a loss by hiring workers at short notice, because they will lack the knowledge, skills, tooling and space to do the same job at the same cost.
The protection of Information Technology (IT) and Industrial Control Systems (ICS) should therefore be given top priority, because the unauthorised operation of IT and ICS can cause serious business interruption, as recent cyber-attacks (e.g. WannaCry and NotPetya) have shown.
During the last couple of years it has become obvious that "cyber" is part of our everyday life, with more and more things being connected to the internet and more and more business processes depending on access to it. With this connectivity and accessibility also comes exposure to malicious tampering with your systems. With these exposures in mind, the insurance industry has responded by developing cyber insurance products.
The market for these products cannot yet be called mature, so the available limits and capacity are somewhat restricted. However, products such as If's new cyber products are fairly wide in coverage.
The risk is continuously growing and changing
The risk is continuously growing and changing. All companies should be working hard to evaluate the IT security of their systems and operations. The results can be seen in improved security and preparedness for attacks and other incidents, although variations in attitudes and goals make generalisations difficult.
For us as an insurance company, it is of paramount importance to have a realistic view of the probability of loss and of the exposure of our clients' assets at risk. Only then can we contribute to your risk management with adequate products and fair premiums. Cyber risks challenge our skills and our ability to provide the assistance customers need; If P&C has invested in the underwriting and risk management skills needed to support its clients.
If P&C’s Cyber Insurance Products
If has created three products to cover our clients’ cyber risks. The first one was computer crime insurance sold to small and medium-sized companies by If’s Business Area Commercial. It has been a success and is being developed further.
For larger enterprises and their specific needs, If provides two insurance products. The comprehensive stand-alone If P&C’s Cyber Insurance can be seen as a combination of traditional liability coverage (claims for compensation presented to the insured by third parties) and property coverage (first-party losses sustained by the policyholder itself) though with the difference that a cyber incident is the cause of loss.
The policy wording is built up of ten different coverage sections, of which some are part of the basic coverage while others are optional for the client to buy depending on the needs and exposure of the client. Each coverage section has to be tailored to the client’s needs.
The liability components are:
- confidentiality and privacy liability
- network security liability and
- media liability.
The property component, or more correctly the first-party loss component, is divided into:
- Restoration of data costs
- Incident and breach response
- Business interruption
- Cyber extortion
- Reputation
- Cyber crime and
- PCI-DSS Coverage (PCI-DSS – Payment Card Industry – Data Security Standard)
With regard to insurance jargon: what actually is a cyber incident? In our insurance product it means a malicious act (e.g. a hacker attack), computer malware (e.g. a computer virus), human error (e.g. the insured's employee causing a failure of IT systems), a denial of service attack (unplanned system outage), or theft of data occurring on or aimed at the insured's computer system.
If P&C Property & Business Interruption Programme’s Cyber Endorsement
If's studies have made it clear that for our industrial clients the main cyber risks are considered to be attacks or incidents that enter through the facility's industrial control systems, the consequential property losses, and the further losses from business interruption.
If has developed a cyber product as a new endorsement that fits into a property master policy which also covers the client's Business Interruption. It covers non-physical loss to electronic data and media and the consequential Business Interruption.
This product covers only the insured's own losses to data and media as well as business interruption, and is thus a first-party insurance only. The insured causes of loss are:
- Unauthorised access
- Unauthorised use
- Malicious code
- Malicious act
- Denial of service attack and
- Operational and administrative error.
In addition to the actual loss, the insurance covers the necessary extra expenses to minimise, avoid or reduce an interruption in service. To take out this insurance, the client needs to fill in a questionnaire describing the status of its IT security.
The insurance terms also require the insured to comply with certain safety regulations concerning, for example, back-ups and system protection methods.
Risk Assessment
Cyber insurance cannot be sold without assessing the client's risk thoroughly. There are great variations between businesses and individual clients, and in this fast-developing risk area historical loss statistics give only a faint picture of the risk of an individual client. The assessment also offers the opportunity to reflect a client's investments in high-level IT security in the insurance solution.
When underwriting cyber insurance, the risk assessment can be divided into three levels:
- The general level of exposure of the policyholder's industry: what legal environment applies, what kind of personal data and how much of it is typically handled within the industry, and how exposed is this data?
- The level of exposure of the policyholder company itself: how complex is the group in terms of the number of subsidiaries, data centres, important suppliers, intra-dependencies etc.?
- The level of IT security of the company: how does the company identify, protect, detect, respond and recover when it comes to IT risk and data (the five functions of the NIST Cybersecurity Framework)?
If P&C gathers the needed information via a questionnaire in which the client responds to these specific areas. A meeting or an interview, for example with the client's IT security department, may also be needed to elaborate further on these topics. From the answers If P&C derives the client's risk profile, which then can – and should – interact with the policy coverage.
Different coverage elements are used, perhaps with additional sub limits and different deductible levels/waiting periods for business interruption coverage, to meet the needs and demands from the client.
Accumulation as the insurer's nightmare
One aspect where cyber insurance causes extra concern for the insurance industry is the accumulation of risk. Primarily, insurers look at each risk separately, considering the coverage and the premium.
In some cases, like damage caused by big storms, many policies can be triggered by the same event, causing larger total claims at the same time. Cyber risks, however, offer plenty of new ways to trigger many policies at once, and these are not even bounded by the laws of nature. This appears in two ways. First of all, cyber incidents may trigger different products simultaneously.
As mentioned above, a cyber insurance policy has elements of both property and liability coverage. Cyber methods can be used to cause traditionally covered fires, machinery breakdowns or other damage, or there could be specific endorsements added to the property or liability policy. The same goes for crime insurance, which may also cover some of the exposures that cyber insurance addresses.
Event exposure
The other form of accumulation, and the most complicated to model and monitor, is event exposure. In traditional coverage like property, even large natural phenomena are after all fairly easy to calculate and take into account in premium modelling, since they normally cause damage within a limited geographical area: regions exposed to flooding, earthquake and other known hazards.
For cyber, however, there are no geographical boundaries to how an event would impact, as we have seen in many examples such as global malware outbreaks. Also, since many companies today use external services such as cloud services, there is a risk of accumulation in this respect as well.
We have built our internal risk control to address this, and we continue to work on securing both your and our exposures with advanced calculation models in co-operation with our reinsurers.
Conclusions
This short article can only point out some primary features of cyber insurance products and their underwriting requirements. This risk area, with its large loss potential to individual enterprises and its dangerous accumulation mechanisms, requires full attention from every company to its IT security. We at If can then provide insurance solutions supporting our clients' management of risk.
Matti Sjögren
Nordic Liability Risk Management Specialist, If
Mats-Ola Jakobsson
Senior Underwriter, If
Article published in Risk Consulting Magazine 2/2017