Cyber Insurance

The transfer of cyber risks via insurance began as early as the 1990s. Early cyber insurance products covered only third-party liability claims. In response to the California Security Breach Information Act, which came into effect in 2003 and required businesses in California to notify affected residents if their personal information was accessed by an unauthorized third party, the modern coverage scope of cyber insurance was quickly developed and introduced to the market (cf. ). In the following, we will look at the current coverage of cyber insurance policies, their triggers, and their exclusions.

If you are interested in the up-to-date cyber insurance market figures, have a look at our Cyber Market Statistics.

Cyber insurance coverage can be divided into first and third-party coverage. While first-party coverage protects the insured party against damages it suffers directly, third-party coverage protects it against claims and fines from other parties. Typical coverage elements for first-party damages include:

First Party Damages

  • Incident Response, Forensics, and Malware Analysis
  • Recovery of Systems and Data
  • Ransomware remediation, including negotiations and potential payment of the ransom
  • Reimbursement of Financial Theft
  • Business Interruption caused by cyber attacks
  • Public Relations and Notification Costs

Typical third party damages that are covered by current cyber insurance policies are:

Third Party Damages

  • Liability claims, for example:
    • Network Security and Privacy Liability: Liability claims from customers, employees or other parties due to damages incurred by the insured party, e.g., through the breach of a customer’s database.
    • Regulatory fines, for example under the General Data Protection Regulation (GDPR) or PCI DSS (the payment card industry standard).
  • Media Liability: Coverage against lawsuits, and the resulting damages, for slander or defamation, e.g., damages caused when a corporate Twitter account is compromised and used by the attackers to spread false information.

At the heart of each insurance policy is the trigger: the set of conditions under which the policy provides coverage. Although wordings have converged in recent years, the exact definition of what is covered still differs between carriers; the trigger of a current cyber insurance policy might read something like this (as given in ):

“A hacking event or other instance of an unauthorized person gaining access to the computer system, [an] attack against the system by a virus or other malware, or [a] denial of service attack against the insured’s system”

An important detail in cyber insurance triggers is whether some errors and mistakes on the part of the insured are permitted without losing cover. This is especially relevant in phishing cases, where it is often an employee or other stakeholder who, by mistake, lets the malicious third party in in the first place.

As important as the coverage of a cyber insurance policy are its exclusions. Exclusions narrow the scope of a policy by explicitly excluding some types of risk that would otherwise be covered. According to , the most commonly excluded risks, based on 235 analyzed US policies from between 2009 and 2016, are:

  • Criminal or fraudulent act
  • Negligent disregard for computer security
  • Loss to systems not owned or operated by the insured
  • Bodily injury
  • Contractual liability
  • Act of terrorism, war, military action
  • Act of God
  • Intellectual property theft
  • Seizure or destruction of systems by the government

There is still a large disparity between carriers when it comes to exclusions. While some of the exclusions listed above can be bought back into the coverage for a surcharge, others are non-negotiable.

Questions about the cyber security maturity of a company seeking cyber insurance are key factors in the underwriting process. The underwriting process consists of all activities the insurance company undertakes to evaluate and price the policy before it is written. Cyber insurance policies for medium and large-sized companies with more than $10 million in coverage, or for companies with a cyber loss history, i.e. a history of noteworthy cyber incidents, usually require a cyber security audit (e.g., against ISO 27001) during underwriting. For small businesses with lower coverage sums, the insurer usually relies on cyber security questionnaires or self-assessments. According to , for the 235 analyzed US cyber insurance policies between 2009 and 2016, the security questions asked can be summarized under four categories:

  • 1. Organizational
    • Organization: Basic information about the company, such as the type of business and the industry sector in which the company operates, as well as financial information about revenues and assets. In a few cases, the questionnaires asked the company to submit an audited annual statement. Information is also collected about the company’s past and current insurance coverage, including selected deductibles and exclusions, if applicable.
    • Data Collection and Handling: Questions regarding sensitive or confidential information that the applicant collects, stores, processes, or is otherwise responsible for. Of particular interest is personally identifiable information (PII), confidential client information, and corporate intellectual property, such as Social Security numbers (SSN), credit/debit card numbers, driver’s license numbers, email addresses, IP addresses, financial and banking information, medical records, protected health information (PHI), intellectual property, and trade secrets.
    • Outsourcing: Questions regarding how the applicant manages its relationships with outsourcing providers and the services it relies on to conduct business. Given how common it is to outsource services and use third-party service providers, these questions were relatively frequent. Questionnaires asked the applicant to list the outsourced services and name the providers; some even provided a comprehensive list to select from. Questionnaires further assessed whether a security, privacy, or risk assessment had been performed on the third-party provider, and whether the provider had been subject to privacy or security breaches in the past. Further, contracts between the applicant and the third party were examined, for instance whether they were structured to hold the third party liable for losses resulting from data and security breaches, or whether they included an indemnity clause to transfer risk to the third party.
    • Incident Loss History: In almost all questionnaires, the insurer collected information about the applicant’s experience with past security incidents. While the formulation and framing of the questions varied across questionnaires, in essence the following issues were addressed: (i) past data and security breaches and their impact; (ii) privacy breaches and losses of confidential information that triggered the notification of customers or employees; (iii) circumstances that could lead to an insurance claim; (iv) lawsuits and claims resulting from IP infringement; (v) cyber extortion and investigations by a regulatory or administrative agency.
    • IT Security Budget and Spending: Questions regarding the IT security budget and spending to provide insights into how much an insured invests in its information and IT security.
  • 2. Technical
    • Information Technology and Computing Infrastructure: Questions regarding the technology and infrastructure landscape, such as the number of computing devices, IP addresses, or websites.
    • Technical Security Measures: Questions regarding technical measures to protect against data theft and intrusions. These covered the kinds of tools used to secure the applicant’s networks and computers, including antivirus software that scans email, downloads, and devices for malicious files or processes; IDS/IPS to detect possible intrusions and anomalies in networks; and firewalls.
    • Access Control: Questions regarding the means and policies used to secure user access, including the assignment of designated rights for users to resources. The aim is to restrict access to sensitive data on a need-to-know basis.
  • 3. Policies and Procedures
    • Information and Data Management: Questions regarding the number of records held, whether the applicant sells or shares sensitive information (e.g., PII) with third parties, and whether it processes information for third parties, including the processing or storing of credit or debit card transactions.
    • Employee, Privacy, and Network Security: Questions concerning an applicant’s privacy policy and its information and network security policies were common but varied in detail. In some instances, the questionnaires assessed how a policy was implemented and tested, and whether it had been reviewed by legal counsel and approved by the board of directors.
    • Organizational Security Policies and Procedures: In addition to the technical measures that protect the information system in daily business operations, organizational measures and procedures describe a set of practices to maintain and strengthen information security. Questions in this category related to penetration testing, vulnerability scanning, assessment, and management.
  • 4. Legal and compliance
    • Almost every questionnaire includes language about HIPAA, PCI DSS, and GLBA, but also other US federal and state laws. In some but not all cases, the questionnaires ask the applicant to provide metrics on how well the respective standards are implemented and adhered to. PCI DSS, as the industry standard for payment processing, was prominent in many questionnaires, and questions concerning PCI DSS commonly went into significant detail.

The frequency with which questions were asked varied considerably between the analyzed policies. This variation was likely amplified by the fact that the entire cyber insurance industry evolved over the seven-year span from 2009 to 2016. For more detailed information, we highly recommend reading .

A great hurdle and growing concern for insurance carriers is silent, or non-affirmative, cyber. In contrast to the affirmative cyber policies discussed so far, which explicitly provide protection against cyber incidents and their related damages, silent cyber describes the exposure of insurers to cyber damages in traditional property and casualty lines of business. Property examples of silent cyber incidents are a fire started after an attacker manipulated the temperature of a blast furnace in a steel mill, or the loss of a week’s production at a food manufacturer because a ransomware attack disabled the refrigerators and disrupted the cold chain. While these claims are essentially based on a cyber incident, and would likely be covered by most affirmative cyber policies, they might also be covered under an existing fire or loss-of-production policy. This essentially means that every P&C carrier is already incurring cyber-related losses, even if it does not offer affirmative cyber coverage at all.

So far, there is little academic research into silent cyber, and insurers are struggling with the challenge. The two papers that currently (end of 2020) explicitly address silent cyber are , which proposes a framework to make silent cyber risks transparent for insurers, and , which analyzes the German market for affirmative and silent cyber wordings and products. The best available information on general sentiment towards silent cyber is , an annual survey conducted by Willis Towers Watson since 2017. In the 2019 edition, 600 industry practitioners and experts gave their assessment of the exposure to silent cyber.

While it is hard to estimate the total damages caused by silent cyber, the claims paid out in the wake of the NotPetya ransomware attack in 2017 show the severity of the problem. Of the $3.15 trillion the insurance industry paid out in total to affected companies, 90% came from traditional, non-cyber policies, as reported by . As global P&C premiums are around $3 trillion, even an average additional loss of 0.2% of gross written premiums, caused by silent cyber risks that are not accounted for in the premium calculation, is enough to match current global affirmative cyber premiums. It is therefore likely that current silent cyber damages eclipse the losses incurred under affirmative cyber.

Silent cyber will certainly be a major area of interest for future research, as it has serious implications for how insurers approach the underwriting of affirmative cyber. While an existing P&C portfolio is an advantage for a large carrier in acquiring business, especially for package policies, its silent cyber exposure, which is likely correlated with its affirmative cyber exposure, creates a risk aggregation problem that should, at least in theory, curb its appetite for additional cyber risks.

A number of insurance lines of business are related to cyber or are often underwritten together with it in so-called blended policies. Sometimes the coverage of these different types of insurance overlaps.

  • Technology Errors and Omissions Insurance (Tech E&O)
    • Tech E&O covers technology providers, e.g. software developers or infrastructure providers, against liability claims arising from damage their products cause to third parties through errors or omissions. Tech E&O is a variant of general E&O insurance, of which many business sectors have their own products tailored to the liability risks that doctors, consultants, and other professionals face. Tech E&O is often blended with cyber risks.
  • Media Liability Insurance
    • Media liability policies cover the policy-holder, usually a company or professional active in an industry related in some way to media (newspapers, broadcasters, bloggers, etc.), against defamation, libel, copyright infringement, plagiarism, etc. Media liability is a separate line of business, but most current cyber policies also contain a media liability coverage element. However, for the media portion of a cyber policy to trigger, a covered cyber incident has to be the cause of the respective claim. An example would be an attacker gaining access to a corporate Twitter account and using it to spread racist content.
  • Directors and Officers Liability Insurance (D&O)
    • D&O insurance protects individuals against personal losses if they are sued as a result of serving as a director or an officer of a business or other type of organization, for example for wrongful acts, negligence of duty, or errors in judgment. Additionally, it covers the legal fees and other costs the organization may incur as a result of such a suit. Perhaps somewhat surprisingly, cyber is increasingly a D&O risk, since a cyber incident can result in reputational, business, and financial harm. A good summary of the interface between D&O and cyber, and its history, is given by .

References