By: Matthew Knowles
In the past, we’ve blogged about cyber risk, but mostly from the perspective of the lengths we go to protect your information, and how you can protect your information. However, there is another perspective: that of the insurance broker and insurance carrier. What are insurance carriers looking for when deciding to insure your company? What exactly is the risk they are taking when insuring you? How do you know if you have the right coverage and the right amount of coverage? These questions and more are answered by our friends at Knowles Insurance, a Scranton-based insurance broker. Today’s author, Matthew Knowles, specializes in cyber insurance. He will discuss what he considers when obtaining cyber insurance coverage for a company like yours.
From an insurance perspective, when we refer to cyber risk, we are referring to two different exposures. First, we are referring to the risks associated with the collecting and handling of sensitive information (whether held online or offline). Second, we are referring to the risks associated with the use of, and reliance on, technology.
Cyber risk is difficult to manage through insurance for various reasons.
A) It is a non-stationary risk, meaning it is constantly changing and evolving
When attack methods and styles change so do the costs associated with a cyber-incident. The goal of insurance is to cover these costs. As a result, insurance coverage must evolve as the risk grows and changes.
B) Cyber risk can be systemic
Cyber risk does not have geographical limitations. While the interconnectivity of our economy is beneficial, eliminating geographical boundaries and creating efficiencies, it also involves substantial risk. This risk has the potential to be systemic, meaning that one cyber event can have a downstream impact on thousands of organizations anywhere in the world. Its systemic nature goes against the basic premise of insurance, because insurance is built on the spread of non-correlated risk. When risks become correlated, they become harder to insure. Insureds and insurers are both trying to figure out how to manage this.
C) The cyber insurance marketplace is not uniform
Coverage forms and policy language are not standardized. Each carrier has its own unique language and policy structure. A common inconsistency among policy forms that is becoming very relevant today is the language around acts of cyber war/terrorism. Some policies exclude coverage for acts of cyber war while some do not. With the increased threat of nation-state-sponsored cyber-attacks, it is important to understand how your policy addresses acts of cyber war/terrorism.
D) The cyber insurance marketplace is disrupted
Over the past 10 years, insurance carriers were quoting for market share. Their pricing did not align with the level of risk they were insuring. When losses began to mount over the past two years, the insurance carriers lost profitability. As a result, they had to change their strategy. All carriers are managing the market correction in different ways. Some carriers are looking for 100% premium increases, some are looking to remove very important coverages, some are looking to increase deductibles, some are now offering only very low limits, some are adding significant exclusions, and some are doing a combination of all the above.
E) The importance of risk management controls
Insurance carriers are now paying closer attention to risk management controls and procedures. Certain controls are being required of organizations to receive coverage. Many of the controls carriers are looking for take time to implement. These are not items that can be implemented a few weeks before your insurance renewal.
It is very difficult to manage an evolving risk in a disrupted market. So how do insureds go about managing this risk?
- It is important that your broker clearly identify and quantify the exposure
To properly address cyber risk, organizations need to first understand what their risk is. The best way to do this is through in-depth risk quantification. Risk quantification is the use of large amounts of data to predict loss frequency and severity for an organization. Unlike other areas of insurance such as general liability, auto liability, and D&O liability, cyber risk is changing rapidly. Cyber risk is so new and evolving that unless organizations are very deliberate about identifying their exposure, they are guessing when it comes to investment in cyber risk management and cyber insurance. When an organization looks at concrete data about peer-group cyber-loss frequency and severity, it can translate the risk into financial terms; it can specifically understand how the risk can affect its bottom line. The data allows organizations to make informed decisions about how much coverage to purchase and how much to invest in cyber risk management. The correct use and interpretation of data is essential to properly manage this risk.
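To make the frequency-and-severity idea concrete, here is an added example (not code from the original post or from Knowles Insurance) of the Monte Carlo approach a quantification exercise typically uses: draw a number of loss events per simulated year, draw a severity for each, and read the expected annual loss and the tail of the resulting distribution to size a limit. The frequency and severity parameters below are constructed for illustration and are not peer-group data; a real exercise would fit them from loss data.

```python
import math
import random
import statistics

# Constructed, illustrative parameters (assumptions, not peer-group figures):
# expected loss events per year (Poisson) and a lognormal severity given by
# its median and dispersion.
ANNUAL_FREQUENCY = 0.3
SEVERITY_MEDIAN = 100_000.0
SEVERITY_SIGMA = 1.0


def sample_poisson(rng, lam):
    """Knuth's method: number of loss events in one year for Poisson(lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(trials=20_000, seed=7, lam=ANNUAL_FREQUENCY,
                           median=SEVERITY_MEDIAN, sigma=SEVERITY_SIGMA):
    """For each simulated year, draw the event count, then a severity per
    event, and sum them into that year's total loss."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(median)      # lognormal mu is the log of the median
    losses = []
    for _ in range(trials):
        events = sample_poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of a list of annual losses."""
    ordered = sorted(values)
    idx = int(math.ceil(pct / 100 * len(ordered))) - 1
    return ordered[min(max(idx, 0), len(ordered) - 1)]


def analytic_expected_loss(lam=ANNUAL_FREQUENCY, median=SEVERITY_MEDIAN,
                           sigma=SEVERITY_SIGMA):
    """Closed-form check: frequency times mean severity of the lognormal."""
    return lam * median * math.exp(sigma ** 2 / 2)


def summarize(losses):
    """Figures a broker would put in front of the client."""
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
    }


def suggest_limit(losses, pct=95, increment=250_000):
    """Round the chosen tail percentile up to the next limit increment."""
    return int(math.ceil(percentile(losses, pct) / increment) * increment)


if __name__ == "__main__":
    yearly = simulate_annual_losses()
    for name, value in summarize(yearly).items():
        print(f"{name:>21}: {value:,.2f}")
    print(f"analytic expected loss: {analytic_expected_loss():,.2f}")
    print(f"limit covering 95% of simulated years: {suggest_limit(yearly):,}")
```

The expected annual loss is what the risk costs on average and is the right comparison for premium; the 95th and 99th percentiles show how bad a single year can be and are what the limit should be sized against. Note how a low event frequency leaves most simulated years at zero while the tail is still large, which is why averages alone mislead when choosing coverage.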
- Risk Management controls need to be examined prior to going to the marketplace
Working with a broker that understands the impact of certain controls allows insureds to prepare for the renewal months ahead of time. The broker can analyze the renewal applications six (6) months prior and determine areas that will be problematic for the insurance carriers. The client can then address these issues ahead of time. If this procedure is not in place, there is a strong possibility that an insured will have limited or no options.
- Once your exposure is identified, your broker must match the exposure with the insurance coverage
Cyber insurance is not one size fits all. Your broker must understand the different coverage forms and offerings of the insurance carriers. To find the correct carrier partner, the broker must understand how the different insurance carriers are managing the market correction.
Mergers & Acquisitions Considerations
Another question I often receive from organizations is how to manage their cyber insurance when being acquired or when acquiring an entity. Even if a seller has cyber coverage in place, it is very important they buy an extended reporting period (ERP) policy after the deal closes. This will cover organizations for claims that are made against them after being sold for acts prior to being sold. In most cases, the acquiring entity’s insurance policy will only cover the sold entity for acts after the date of close.
Here is an example: a bank has a cyber-incident in May of 2020. As a result of that incident, personally identifiable information was compromised. A bank customer then brings a claim against the bank in June of 2021, but the bank was sold in January of 2021. To have coverage for this claim, the acquired bank must purchase an extended reporting period policy.
I would recommend that organizations work with a cyber-insurance specialist to ensure they are properly managing this dynamic risk.
Cyber risk is real for organizations of all sizes across all industries. Threats, both internal and external, evolve and morph every day. Make sure you are in the best position to be insured for this risk by discussing details with your insurance broker on a regular basis.
Matthew Knowles is the Cyber Risk Practice Leader at Knowles Insurance in Scranton, PA. He can be reached at www.knowlesins.com.