What Cyber Exposures and Coverage Gaps Keep Risk Managers Up at Night
By: Amy O’Conner, Insurance Journal, April 2018
Risk managers are very concerned about the cyber risks facing their companies and are heavily investing in protection against cyber attacks with the blessings of their boards and CEOs, a major shift from even just 10 years ago when convincing a company to worry about cyber was a big challenge for risk managers.
However, the new challenges for them include getting the right coverage from the insurance market and ensuring their companies have enough coverage in the event of a major breach, three risk managers on a recent panel at Advisen’s Cyber Risk Conference in San Francisco said.
Jimmy Kirtland, vice president of Voya Financial, said in the early 2000s, convincing CEOs or CIOs to consider cyber insurance or put proper cyber controls in place was a battle, but that is no longer the case.
“I have become our CIO’s best friend because I am protecting what he is protecting,” he said.
I’m just never sure I have the coverage that I need; that always concerns me.
The cyber insurance buying process between risk managers and the industry has also improved as the cyber market has matured.
“The quality of the questions and the quality of the discussions between the insurers and the insured are much better,” said Katherine Fithen, managing principal consultant for Secureworks. “We know better what to talk about; we know better how to articulate what our data is, where it is, and how it’s protected.”
Steep Learning Curve
But as the cyber market has evolved and more coverages and competition have developed, so have the threats to businesses. Companies that are newcomers to buying cyber insurance often face a steep learning curve in trying to figure out what coverages they need and how much they should buy.
David Little, senior vice president of Global Risk Management at the Las Vegas Sands Corp., said his company was a latecomer to the cyber market, buying its first cyber policy back in 2012. It wasn’t until it had a significant loss a year later that the company realized the amount of coverage it had was considerably less than what it needed.
“That was a wake-up call for everyone… we realized we needed to get smart about this,” Little said. “Since that time we’ve realized we didn’t really understand this risk and how it applied to us. Now there’s a lot more work done to understand that this is a big issue for us, and we need to do what we need to do to take care of that.”
Little said part of that work includes visiting the London insurance market, which he did recently, to learn about the cyber coverages currently available, as well as what risks are on the horizon that the company should be preparing for.
He said the relationship with his broker and cyber underwriters has been critical.
“One of the most important things I did was that I interviewed a lot of brokers and I found someone that really matched my perspective of what I thought the future was going to be. That has made a tremendous amount of difference for us because they have been a partner with us in all of this also,” he said.
Policy Differences
Christaan Durdaller, executive vice president and Cyber & Tech team lead for Atlanta-based INSUREtrust, and moderator of the Advisen risk manager panel, said there are more than 120 different players in the cyber market and that is a challenge for agents and brokers, and their customers.
“I think there’s still a lot of difference in each policy form and what it is designed to cover. It’s important to dig into the policy and understand what it covers,” Durdaller said. “Each policy varies carrier by carrier and it’s important buyers understand that.”
He said with such a knowledge gap in the cyber market and misinformation about where coverage like business interruption responds, as well as emerging risks such as reputational threat, having a relationship with a knowledgeable cyber broker has become essential for risk managers.
Fithen said protecting her company from cyber risk is a team effort across the board – from the internal operations to its insurance underwriters – and that’s the way it must be.
“It is a team effort now, I think we’ve really grown and learned to understand that,” she said. “We’re learning to talk to each other in languages that each company can understand so we can partner with each other and really get a handle on this.”
The risk managers agreed that the insurance industry also plays a vital role in helping them determine what their cyber exposures are, including when it comes to outside risks like the vendors they work with.
Supply Chain Impact
Durdaller said many companies are unaware of the data a vendor they contract with could have access to – either related to the company or its customers – and the impact of a supply chain-related breach.
When asked about what future cyber concerns keep them up a night, Kirtland said vendors getting into the company network and “causing chaos” is one of his main concerns, along with the ever-changing nature of cyber risk.
“What keeps me up at night is the stuff we’re not prepared for, that we don’t even know is out there,” he said.
Little said his biggest concern is the “incongruous nature” of cyber exposures and how it overlays with his company’s cyber insurance programs.
“I’m just never sure I have the coverage that I need, that always concerns me,” he said. “[And] with the advent of artificial intelligence, how it’s being put into so many different things, I think there might be a loss that I just can’t envision right now, and I’m really concerned and interested in how it evolves and affects our industry.”
The risk managers’ opinions differ on whether the insurance industry is offering the right cyber coverages and limits to respond to companies’ needs, or if they are holding back for fear of large claims.
Kirtland said considering that every insurance company writing cyber is likely to get hit with a large claim at some point, he thinks the industry is doing a good job at keeping up with the risk and hitting their “sweet spot” in the cyber market.
But Little said he worries that many in the insurance industry don’t understand the true risk, especially to the industry itself. He said there is a lot of room for improvement, particularly on the claims side, which he described as “horrific.”
“I don’t think they understand the aggregation, I don’t think they understand the totality of the risk. I think there’s a lot of just getting money and premium in the door,” he said. “I’m disappointed, I think there’s a lot of capital out there that’s gonna get hit.”
Durdaller said balancing new players in the market with those who have adequate cyber experience is a constant balance for brokers, but the good ones know which cyber markets to turn to.
“It’s important that you highlight to your broker what’s important to you. I think you just need to be having those conversations with your broker and addressing the market accordingly,” he said.
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008