In the many years that it has been around, the property insurance market has evolved standard terms and policies that are offered by most insurers. Today’s immature cyber risk market, however, creates many challenges for insurers and catastrophe modelers alike.
No widely accepted “standard” cyber policy
Currently, how various cyber loss scenarios might impact an insurance company differs based upon its policy offerings. Here are cyber loss scenarios from current claims and some of the types of policies they might be covered under.
- Employee wiring money to an account, wrongly believing that the individual who told him to do so through social media was his boss: Crime, general liability (GL), cyber, or not covered?
- Business Interruption from lack of access to a credit card processing vendor (where no breach may have occurred at the insured company): Contingent business interruption, property business interruption, GL, or cyber?
- Loss of sensitive customer data: Directors & Officers Liability (D&O), GL, or cyber?
Each company offers its own form of policy with a particular selection of coverages included and excluded. If one of the scenarios above is not covered in your company’s cyber policy, where would your customer seek coverage?
Rather than making guesses about liability, companies should seek out tools that allow users to determine how individual coverages are best represented within their unique policy coverage frameworks. It’s also beneficial when a chosen modeling tool supports the application of other policies, sub-limits, and additional financial vehicles, so that companies receive a complete view of how a given scenario might be covered.
Occurrence vs. Claims Made Policies
Property policies are occurrence policies. Everyone can point to the exact date when the natural disaster occurred. Similarly, by checking logs, the precise date of a cyber breach can be identified but a cyber breach can occur months or years before the client is aware of the activity. If the cyber liability is on an occurrence policy, the terms and conditions of loss when the breach occurs would be applied to resolve the claim. If the cyber liability is on a claims-made policy, the terms and conditions when the event is reported would be used for loss resolution.
Having the flexibility to accurately state the limits and deductibles as they appear in a company’s policies may be paramount in any cyber risk model, as opposed to one that merely assumes how policy coverages are structured.
Data Collection
Cyber is a very competitive and rapidly expanding marketplace where potential insureds may be put off by having to answer lengthy questionnaires. However, asking too few questions may allow competitors to skim the cream of the potential clientele.
Different degrees of data quality will return analyses of varying accuracy for cyber models. For some, the minimum information required for risk assessments could be limited to Name of Company and Revenue, and information from additional data sources can estimate other relevant exposure attributes. Still, the collection of such data by insurers should.