Jason Contant, online editor at Canadian Underwriter, recently noted that cyber risk coverage is expanding “from simple data breach projection into the area of business interruption-with more changes likely in store.” However, the plethora of coverages, exclusions, and conditions could wreak havoc upon insureds and intermediaries alike. Can this be reconciled?
Cyber risk driving cyber insurance …
Cyber insurance is growing rapidly. Writing in PropertyCasualty360, Jayleen Heft, Digital Editor notes that “Interest in cyber insurance and risk continues to grow as a result of high-profile data breaches.”
Using data from Identity Theft Resource Centre, Heft notes that as of 1 November 2017, there were 1,140 breaches for 2017, up from 1,093 breaches in 2016.
There are now more that 60 insurers that offer stand-alone policies, which generated US$2.75 billion in premium in 2015. At mid point in 2016, gross premiums were estimated to be US$3.25 billion. And there are significant growth prospects.
Coverage is there, but will it fit the need?
In an earlier article in Canadian Underwriter, Jason Contant noted that “lack of understanding around what is covered and how products are priced continues to sow confusion in the cyber insurance market.”
Citing industry practitioners, the challenges include:
- A general lack of understanding,
- a lack of clarity that “could lead clients to feel they have more protection than they actually do”;
- Some products offer no insurance protection, but do offer third party services;
- Confusion in utilization of specific third party service providers.
Is a comprehensive policy viable?
In 2015, Munich Re and Beazley formed an organization – Vector – to underwrite cyber with broader coverage than the norm. At that time, most cyber policies only covered third party liabilities brought on by data breaches.
But Vector sees an opportunity. As reported in Insurance Business Magazine. Paul Bantick, UK focus group leader, said:
“Every company insured through Vector has sought considerably broader coverage, in particular for business interruption and contingent business interruption….
“While these businesses have traditional property and cyber liability policies in place, they have recognized that they do not have complete protection for cyber-related events, and this is clearly an issue that boards want addressed.”
Do we need standards, or just let 100 flowers blossom?
Cyber insurance is relatively new, and there is logic to let insurers innovate. However, the complexity, and rapidly changing characteristics of cyber risk / insurance puts a serious burden on insureds and distributors.
There are some initiatives to bring standards to bear, Lloyd’s being one. And there seems to be logic to developing some characteristics and assumption that could form a basis for standards.
Last year, Deloite provided an overview of the cyber risks and required coverages for the Internet of Things (IoT). IoT refers to networks of devices, which are capable of exchanging data and executing control commands with little or no human intervention. Two examples are driverless vehicles and ‘smart’ homes.
Could this be the start for standards?
Perhaps. However, Deloitte notes that the IoT is only as good as the developers and testers. Data and commands can be compromised accidentally or intentionally. Measuring risk is a challenge.
IoT and other cyber constructs are moving at the speed of light, becoming very complex. For example, modern automobiles have 100+ million lines of code for control, navigation, entertainment, and more. Putting this into context, a Boeing 787 has around 6.5 million, and an F-22 Fighter has less than 2 million.
Are standards an opportunity or a sinkhole?
The jury is definitely out, but I’d be interested in your thoughts. We are always planning for upcoming in-person events and webinars and would like to showcase innovations in Cyber and Cyber Risk.
If you are thinking about this and would like to share, drop me a note at firstname.lastname@example.org .