Challenges of the Cyber Gray Area
Jul 27, 2016
Editor's Note: As an emerging market, cyber insurance is complicated by a lack of standardization. With no widely accepted "standard" cyber insurance policy yet in place, companies are faced with having to navigate uncharted territory—the cyber gray area—when unprecedented cyber events occur. Knowing which policy types may or may not cover cyber claims and having flexible tools for analyses can help organizations make policy and pricing decisions for better cyber risk management today.
A multitude of factors continue to position cyber risk as the emerging threat of greatest concern for insurers and reinsurers. The increasing frequency, types, and complexity of cyber attacks; the growing amount of information stored and sent digitally; and the expanding Internet of Things (objects with network connectivity) in an ever more connected world make cyber risk all the more challenging to manage. For insurers and reinsurers, however, concern around this newer hazard extends to business operations. As an emerging risk, cyber suffers from a lack of standardization that leaves the industry navigating an operational gray area full of incongruities—especially when faced with unprecedented events—which necessitates flexibility in cyber risk management tools.
Defining Cyber Risk
To start, there is no one standardized definition of cyber risk, which poses policy and pricing difficulties. A joint report from the government and the insurance sector of the United Kingdom defines cyber risk as "the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise." [1] A similar definition is provided by the CRO Forum, which says that cyber risk "covers the risks of doing business, including managing and controlling data, in a digital or 'cyber' environment." [2] However, many cyber policies AIR has studied would cover the loss of information from paper records, as they are written to address the protection of information and would respond accordingly, regardless of the type of media used. The Federal Financial Institutions Examination Council (FFIEC) narrows the scope to include only the financial sector in its definition: "the disruption, degradation, or unauthorized alteration of information and systems that support the services [provided by financial institutions]." [3]
The reputation element is added by the Institute of Risk Management, which defines cyber risk as "any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems." [4] The Geneva Association definition of cyber risk addresses the soundness of data: "operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems." [5] Some organizations find the risk too complex to define simply, like ISACA, which states that cyber risk "is a group of risks, which differ in technology, attack vectors, means, etc. We address these risks as a group largely due to two similar characteristics: A) they all have a potential great impact B) they were all once considered improbable." [6]
Cyber Policies and "Hidden Coverage"
There is currently no widely accepted "standard" cyber insurance policy in the industry, leaving many carriers to write their own. What is and is not covered varies from provider to provider. This creates confusion not only for those potential insureds seeking cyber coverage, but also for the carriers offering standalone cyber liability policies or endorsements. Pricing varies greatly, exposure is difficult to assess, and competitive or market rate analyses are challenging at best.
The explicit nature of cyber policies, typically written by exclusion first and inclusion second, has also led insureds to seek coverage under cyber liability policies for anything not specifically excluded from them—a form of "hidden coverage" that may not be taken into consideration when pricing decisions are made. This is primarily due to the evolving nature of the risk.
A second type of "hidden coverage" that has surfaced is for cyber-related losses under non-cyber policies. If an insured has a loss that is not covered in their cyber endorsement, they will usually try to "find" coverage under their other traditional policies, such as (but not limited to) Errors & Omissions (E&O), Directors & Officers (D&O), Commercial Crime, or Commercial General Liability (CGL). For example:
- If a mistake was made by an insured and a cyber event occurs, then a lawyer could construe E&O coverage under a "mistake."
- If a weakness in cyber security or breach is known by senior management and not repaired, a cyber event could trigger D&O due to active non-repair.
- If hardware containing sensitive data is stolen or misplaced, or an employee performs illicit actions with data or funds in a digital environment, the resulting financial losses may be covered by a Commercial Crime policy.
- If there is uncertainty about whether a loss is covered under a cyber policy or whether it is even due to a cyber event, it could fall under CGL.
Occurrence vs. Claims Made
Yet another aspect of cyber liability risk is the structuring of policies. Whereas everyone can point to the exact date when an earthquake occurs, a tornado touches down, or a hurricane makes landfall, cyber events are not always so straightforward. While some cyber breaches are identified soon after they occur, others may go undetected for months or even years. If the cyber liability is structured as an occurrence policy, then the terms and conditions of the loss at the time of the breach would be used to resolve a claim. A claims-made cyber liability policy would use the terms and conditions at the time the event was reported for resolution.
Not If, But When and How
The massive gray area surrounding cyber risk means that it's not a matter of if your company will encounter a cyber claim, but when it will happen and how it will be covered. It will take hundreds of actual claims and lawsuits before cyber policies become standardized. That ball started rolling years ago and continues to gain speed. According to a global study by the Ponemon Institute, the total average cost of a data breach today is USD 4 million—an increase of 29% from 2013. [7] How a particular loss scenario might impact your company differs based upon the wording and structure of your policy offerings. Table 1 relates a few examples of actual loss-causing events for the impacted businesses and the policies under which they may be covered.
Table 1. Real-world cyber events and the policy lines under which they may be covered

| Real-World Cyber Event | Possible Coverage Lines |
|---|---|
| An employee was misled into wiring money to an account, believing that the individual who contacted them through social media was their boss | Crime |
| A company suffered business interruption when it could not access its credit card processing vendor because the vendor suffered a breach | Contingent BI |
| Sensitive customer data was lost or misplaced by a business | D&O |
| A part-time hospital employee gained unauthorized access to confidential records and discussed HIPAA-protected information with others | D&O |
| A laptop containing sensitive information was lost or stolen | Crime |
Managing Your Cyber Risk
The standardization of cyber policies remains years away, but the need for cyber risk management is evident now. To provide effective risk management tools for this emerging and diverse market today, AIR prioritized flexibility in our Verisk Cyber Exposure Data Standard and Open Source Cyber Scenarios, allowing each company to specify cyber perils and policies relevant to their offerings rather than make broad-brush assumptions about what is applicable. Any cyber-related loss can be mapped to any policy protection form offered in the Verisk Cyber Exposure Data Standard—including cyber, E&O, D&O, CGL, and more—and analyses can be performed using your own SQL queries or AIR Open Source Cyber Scenarios. Policies that inure to the benefit of other policies, sublimits, and other financial vehicles are also supported. Utilizing our current suite of tools, you can gain valuable insight into your cyber exposure and make more informed policy decisions to address many of today's cyber risk management challenges and own your risk.
We are also actively engaging clients and industry experts to collaboratively study several years of exposure and claims data for occurrence policies, as well as current terms and conditions of claims-made policies. As AIR continues the development of our probabilistic cyber model, maintaining flexibility for companies to specify unique parameters applicable to their policies remains paramount.
References

[1] UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk
[2] Cyber Resilience: The Cyber Risk Challenge and the Role of Insurance (CRO Forum)
[3] Cybersecurity Awareness (www.ffiec.gov)
[4] Cyber Risk and Risk Management (www.theirm.org)
[5] Insurability of Cyber Risk (The Geneva Association)
[6] A Simple Definition of Cybersecurity (http://www.isaca.org)
[7] IBM infographic: 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute