For almost 30 years, cyber insurance has covered losses and expenses associated with a growing range of cyber perils. So why is there continued skepticism about its responsiveness? It’s time to correct the record: Cyber insurance is an essential component of a comprehensive cyber risk management program, and a worthwhile investment for businesses.
Data breaches. Notification costs. Third-party liability. Business interruption. Cyber extortion. Reputation damage.
The potential cyber and technology exposures that businesses face continue to expand — as do the potential economic losses they can cause. So it’s no surprise that cyber risk now ranks among the top five concerns for companies. And as recognition of the risks increases, more companies are purchasing cyber insurance to take advantage of the expanding protections those policies offer.
Despite the growth in uptake, the value of cyber insurance has recently been the subject of considerable debate within the insurance industry, some of which has played out in the media. The discussion has, in many cases, not reflected fairly on the role of cyber insurance in reducing the economic impact of risk. The debate has often conflated cyber policies with property, casualty, and crime policies, particularly around how these policies do or do not respond to cyber claims.
But the facts are clear: Cyber insurance is a reliable, cost-effective way to transfer the risks companies face from the increasing use of data and technology in business operations. And standalone cyber policies will generally respond to those risks.
As the range of cyber risks and coverages has expanded, so have purchase rates of standalone cyber insurance. The number of Marsh clients buying dedicated cyber insurance has doubled over the past five years, with nearly 40% now purchasing cyber policies (see Figure 1). And the development of broader coverage offerings is attracting a wider range of buyers; purchasing among Marsh clients has risen by an average of 15% annually since 2016, with the highest growth among the hospitality, manufacturing, education, and power and utility sectors.
Cyber insurance claims, and claim payouts, are rising in tandem with purchasing. According to CreditSights, US-domiciled insurers paid cyber claims totaling $394 million in 2018, up from $226 million the previous year. And NetDiligence reports that the number of claims submitted for inclusion in its Cyber Claims Study, which analyzes claims to cyber insurers, rose more than 40% in 2018 over the previous year.
Individual insurers have reported similar trends:
These figures point to an increasing recognition of cyber risk as a top corporate concern and of cyber insurance as an effective and responsive way to cover cyber event losses.
Despite increasing appreciation for cyber insurance, many organizations still expect — mistakenly — that cyber losses will be fully covered under non-cyber (property, casualty, or crime) policies. This confusion has been exacerbated by inaccurate or misleading commentary in, and by, the media.
The issue stems from the fact that cyber risk as a peril can result in multiple forms of loss that have not traditionally been explicitly excluded under property, casualty, and crime policies. This has created what is known as “silent cyber” — the unknown exposure in an insurer’s portfolio created by a cyber peril that has not been explicitly excluded. As insurers have seen a rise in unexpected claims under non-cyber policies, “silent cyber” is now being more closely monitored and cyber risk increasingly excluded from traditional insurance lines.
Along those lines, several insurers have issued clarification of their intent to only cover cyber perils in cyber policies. In early July 2019, Lloyd’s issued a new mandate requiring its market underwriters to ensure that all policies either explicitly affirm or exclude cyber cover, in an effort to eliminate non-affirmative or “silent cyber” risks from property policies as of January 2020, and from liability coverages a year later.
We have recently seen a few high-profile disputes where insureds have sought to recover cyber event-related losses from their property policies, and insurers have denied coverage. Regardless of the merits of those cases, such disputes point to the importance of obtaining cover under an affirmative cyber policy that is tailored to a company’s specific cyber exposures and thus offers the best chance for insurance to respond.
In addition to this much-needed clarity of intent, standalone cyber policies offer other valuable benefits, such as reimbursement for costs to engage experts to assist with post-event forensics and response management, and even pre-loss prevention and risk management tools.
As cyber threats evolve and become more economically damaging to businesses, the cyber insurance market remains adaptive in responding to buyers’ needs. As traditional insurance lines retreat from covering cyber events, cyber insurance is becoming an increasingly vital tool.
Organizations should look past the myths about cyber insurance and seek a more objective and accurate view of the broad protections that cyber coverage can offer. By working with a knowledgeable broker or advisor, organizations can design a standalone cyber insurance program that is tailored to their unique risk profile and risk tolerance.
The pervasive use of technology to power business and connect supply chains creates ever-greater cyber exposures and vulnerabilities for companies of all sizes and in all industries. Inaccuracies and misunderstandings around cyber insurance do a disservice to every organization that could benefit from cyber coverage but may be dissuaded from purchasing it. Some of these myths include:
Myth: “Cyber insurance does not cover human error.”
Myth: “Data breach costs focus on legal liability.”
Myth: “Insurers dictate which incident response providers and advisors are used.”
Myth: “Business Interruption cover is limited.”
Myth: “Cyber insurance excludes recent technology or system upgrades.”