Cyber coverage varies widely as insurers readjust risk appetite
Cyber insurance is a fast-developing business in America, but because the segment is still relatively new, insurers are having trouble determining exactly what type of risks they are willing to cover.
A feature on CSO Online sought to identify the potential gaps in cyber insurance and how insurers have worked to mitigate such shortcomings.
One of the major issues in the cyber insurance market is that nobody can agree on a single definition for the term, the feature noted. A recent cyber insurance survey conducted by the SANS Institute revealed that only 30% of underwriters and 38% of information security professionals believe they speak the same language. Even among insurers, the language varies from policy to policy.
"Is a privacy breach the same thing as a privacy wrongful act?," asked co-founder and chief strategy officer David Bradford of Advisen, which sponsored the study.
"Is a data breach the same as a network security wrongful act? And a lot of the language hasn't been tested in court yet," he added.
Without a baseline, both insurers and their clients could end up stumbling on each other.
"The insurance buyer has no idea about what they've got and what their risk is, and the insurance agent is also very limited in their knowledge," said Toro Consulting president Dan Weedin. "The insurance buyer has no idea about what they've got and what their risk is, and the insurance agent is also very limited in their knowledge. It's like the blind leading the blind."
Another issue that further complicates cyber insurance coverage is that the threat landscape is constantly evolving. The amorphous nature of cyber threats makes it difficult for insurers to keep up, noted Mimecast director of product management Steve Malone.
A study by Mimecast revealed that only 10% of IT experts said they believed that their cyber coverage was up to date. The study also found that of those who had cyber insurance, only 43% were confident that it covered business email compromise fraud.
"Almost half—45 percent—of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone added.
Insurance is all about measuring risk and providing an insurance solution that is evenly matched to said risk. While auto and health insurers can get by with analyzing driver and patient factors, respectively, companies that offer cyber insurance policies currently do not have a reliable way to quantify risk. Thus, prices can vary greatly among cyber insurers.
"The models just don't exist like they do in the automobile or life insurance industry," said FourV Systems vice president Casey Corcoran. "The empirical data just doesn't exist yet for insurance companies to have a robust answer for what is the liability, what is the amount I need to ensure for. And we're in a time now where IT information is increasing at an exponential rate. How do you adapt a model to something that's changing exponentially, especially in an industry that's used to writing policies for a year at a time, or longer?"
FourV is an insurance vendor that is taking an innovative approach to measuring cyber risk—instead of measuring it once when the policy is first written, the company does the assessment on an ongoing basis. The company’s approach has been likened to installing telemetric devices in a car for auto insurers to actively monitor driver and vehicle behavior to adjust risk accordingly.
Other savvy insurers are offering risk-related services to ensure that they and their clients are all on the same page when it comes to cyber risks.
"You may not necessarily have the foresight to predict every iteration [of a data breach]," said Travelers enterprise cyber lead Tim Francis. "But you can build the framework and the structure and have the resources at our disposal to try to deal with those threats when they develop. One of the things that we've done at Travelers is that we've gone out of our way to hire resources that come with non-traditional insurance backgrounds."