In the many years that it has been around, the property insurance market has evolved standard terms and policies that are offered by most insurers. Most standard homeowner's insurance policies, for example, include coverage for the structure of the home, personal belongings, personal liability, and additional living expenses. Today's immature and diverse cyber risk market, however, creates many challenges for insurers and catastrophe modelers alike. I'm highlighting just three of them here, and how they are addressed in AIR's upcoming cyber risk model.
No widely accepted "standard" cyber policy
Currently, how various cyber loss scenarios might impact an insurance company differs based upon its policy offerings. Here are a few cyber loss scenarios from current claims and some of the types of policies they might be covered under. In each of these real-life instances, argument over where coverage falls has resulted in litigation.
- An employee wiring money to an account, wrongly believing that the individual who told him to do so through social media was his boss: Crime, general liability (GL), cyber, or not covered at all?
- Business interruption from a business's lack of access to a credit card processing vendor (where no breach may have occurred at the insured company): Contingent business interruption, property business interruption, GL, or cyber?
- Loss of sensitive customer data: Directors & Officers Liability (D&O), GL, or cyber?
- A part-time hospital employee gained unauthorized access to confidential records and discussed HIPAA-sensitive information with others: D&O, GL, or cyber?
- Lost laptop with sensitive information: Theft, GL, or cyber?
Each company offers its own form of policy with a particular selection of coverages included and excluded. If one of the scenarios above is not covered in your company's cyber policy, where would your customer seek coverage?
Rather than assuming (perhaps mistakenly) what your liability may be, the AIR data schema provides flexibility by allowing users to determine how individual coverages are best represented within their unique policy coverage framework. Users can decide for themselves if a scenario should be classified as a cyber endorsement, E&O, D&O, GL, or any other form of policy protection offered. Naturally, policies that inure to the benefit of other policies, sub-limits, and other financial vehicles are supported within the financial engine.
Occurrence vs. Claims-Made Policies
Property policies are occurrence policies. Everyone can point to the exact date when an earthquake occurred, a flood overtopped a bank, or a hurricane made landfall. Similarly, by checking logs, the precise date of a cyber breach can be identified. Unlike natural events, however, a cyber breach can occur months or years before the client is aware of the activity. If the cyber liability is on an occurrence policy, the terms and conditions in effect when the breach occurs would be applied to resolve the claim. If the cyber liability is on a claims-made policy, then the terms and conditions in effect when the event is reported would be used for loss resolution.
Rather than assuming how your policy coverages are structured, we recognize, in developing our cyber liability model, that having the flexibility to accurately state the limits and deductibles is paramount. Also, we are actively polling clients and industry experts to determine how best to model the risk, whether with several years of exposure data for occurrence policies or current terms and conditions for claims-made policies.
Cyber is a very competitive and rapidly expanding marketplace in which potential insureds may be put off by having to answer lengthy questionnaires. However, asking too few questions may allow competitors to skim the cream of the potential clientele. Obtaining appropriate information is undoubtedly an art form in the context of cyber risk.
Stressing the importance of exposure data quality has long been a focus at AIR. While the U.S. hurricane model, for example, will return a result if only the property's county and replacement value are known, model results will be highly uncertain if only this data is input. If the exact address, its distance from the coast, type of construction, year built, and other pertinent information are recorded, then the expected loss will align to a much more accurate representation of risk.
Likewise, the bare minimum information needed by the upcoming AIR cyber model is Name of Company and Revenue. Using additional and highly detailed information from our data partners, AIR can estimate the cloud provider, DNS server, credit card processor, security protocol, and industry segment of the insured. Still, the collection of such data by insurers should be undertaken, and AIR has provided an exposure data schema for ensuring that the information is model-ready. Once the total cyber profile is understood, a more accurate estimation of risk is possible.
Cyber risk is still very much an emerging market, and it will likely be some years before it achieves the degree of standardization seen in the property market. Until it does, AIR will continue to work with companies to ensure that the AIR cyber model evolves to meet their various needs.