When looking at potential cyber exposure, evaluating what to model can be challenging. Obviously, one would include any standalone policies or endorsements that add specified risk, but is that all the risk that could exist with cyber?
Cyber is a curious exposure for a couple of reasons:
- Companies may not want to advertise that they've been breached. Fortunately, since AIR is using primary insurance company losses to calibrate the probabilistic model, this hesitancy is implicit in our output. However, this does change over time.
- If an insured is looking to make a claim, they will be trying to find coverage wherever it exists. As cyber events don't have the same history as other perils, various covers can come into play, depending on the scenario. Some examples:
  - If a social media breach occurs, would the loss be covered in a cyber policy/endorsement? Crime policy? General Liability?
  - If a loss of data leads to a financial loss arising from the illicit sale of customers' personally identifiable information (PII), would that be covered by a cyber policy/endorsement or General Liability? If directors and officers knew about the IT weakness, could that lead to a Directors & Officers Liability claim?
The multiple types of scenarios result from how new the cyber market is. Understanding how various policies will react to live claims is an ongoing development, and policy wording is being tested by insureds and insurers regularly. In a few years, this process will likely be well understood, but right now it's still very new.
In light of the still-developing understanding of how policy wordings will be applied, how should such a risk be modeled?
For cyber, AIR has taken the approach of modeling individual perils. To fit each peril into a company's liability tableau, various perils may be customized and grouped together in specified financial structures. This also allows each company to run multiple scenarios to see various policy situations. Hence, an insurance company can run a scenario for business interruption that is applied to a cyber standalone policy, property policy, general liability policy, or any other coverage. Applying various terms and conditions allows each company to determine what its breadth of potential exposure to business interruption would be.
Understanding one's policy structure and how policies are likely to react to risk is a key role for a catastrophe manager. Being able to communicate what risk could befall a company assists with better forms, underwriting guidelines, and accumulation practices. Understanding how policies behave and operate allows you to own the risk.