Where Cyber Insurance Underwriting Stands Today
By: Insurance Journal, June 2015
“You would think the first question to ask would be: Do insured parties understand the elements and limitations of coverage?” said Kevin Kalinich, speaking on cyber risk. “The real first question is: Do the insurance companies understand?”
Kalinich, global practice leader for cyber/network risk, at consulting firm Aon Risk Services, was a panelist at the Standard & Poor’s Ratings Services 2015 Insurance Conference this week in New York where experts stressed the importance of underwriters working together to gain a better understanding of the market so they can properly assess and price cyber risk.
Demand for insurance covering cyber attacks is mounting and the risk is evolving rapidly, panelists noted. A number of U.S. insurers are testing the waters but panelists said that even the insurers with larger market shares have thus far been cautious due to the lack of actuarial data available in this nascent market. They have been writing policies with low limits and a slew of exclusions such as excluding damages resulting from data handled by an external contractor.
Current Marketplace
Right now, a handful of players — American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd. — dominate the market for cyber insurance, but panelists said clients are looking to buy more coverage than insurers are willing to offer.
As the market develops, providers will need some time to model risk sufficiently and to set premiums accordingly. This will remain difficult, Kalinich said, because the threat is evolving fast. He said two decades of reliable data are needed to feed models.
“We’re much farther along than we were two years ago; we have much better information now,” he said. “But it’s not a static model. It changes over time, and in two years it will be much better.”
Regulators have taken steps to guide insurers toward a consistent approach to the market. The National Association of Insurance Commissioners (NAIC) recently adopted guiding principles for insurers underwriting cyber risk.
Regulators Involved
The NAIC is also developing a set of best practices for insurance company examiners to test protocols and processes, as well as a consumer bill of rights so that consumers know when data has been hacked.
“The primary issue— the cornerstone of the whole effort-— is making sure we are seamless in information sharing,” said Adam Hamm, the North Dakota insurance commissioner and chair of its NAIC Cyber Taskforce. “The good news here is that that is happening. There’s a substantial amount of work being done to ensure that we’re working together and collaborating.”
So far, risk assessment has been inadequate because initiatives don’t specify the need for aggregated estimates of maximum possible loss, said Aon’s Kalinich. For example, if an insurer covers 1,000 companies, half of which share a particular risk, it’s difficult to gauge the aggregated risk, he said.
Relation to Other Lines
At the same time, it’s important for insurers and clients to understand where stand-alone cyber insurance fits with other lines–coverage could fall under a property/casualty policy, for example.
“If there’s a cyber attack that causes tangible damage to property, it could be covered under your property policy,” Kalinich said. “If there’s an attack that causes tangible damage to a third party, your general liability policy could cover it.”
Currently cyber insurance is written on a claims-made basis and primarily covers third-party liability in the U.S. First-party coverage (covering the cost of investigating and securing the site of the technology breach, as well as losses) is available only sparingly in the U.S.
With large retailers such as Home Depot and Target, banks such as JPMorganChase and Citibank, and health insurers Anthem and Premera Blue Cross all suffering cyber breaches, experience shows no company is safe.
National Security
Jason Healey, director of the Cyber Statecraft Initiative for the international affairs think tank the Atlantic Council, looks at the issue from a national security perspective.
“From that perspective, none of the attacks have been big,” Healey said. “One of the reasons I don’t think cyber-attacks have been that bad yet is that it’s relatively easy to bounce back from them.”
He said it does not appear anyone has died from a cyber-attack. “Essentially, what’s lost are ones and zeroes, and it’s really easy to replace ones and zeros,”he said.
Yet with the increased linking of concrete-and-steel structures–such as power grids–to the cyber world, there’s an increased danger that people could be hurt or killed, and that an economy could suffer irreparable damage, according to Healey.
“It’s going to get worse before it gets better–without a doubt,” Healey said.
Lax Controls
Kalinich said he sees little coordination within companies themselves. He related a tale in which Aon visited a client and found that 19 percent of employees were still using their system’s default password–which was “PASSWORD.” When advised of this, the company implemented a policy to force workers to change their passwords to access the system. During a visit six months later, Aon discovered that 23 percnt of employees had their new passwords on notes stuck to their computers.
Hamm agreed that better intracompany coordination is essential. “If this is an issue that stays in your IT department, you’re probably not going to be around much longer,” he said.
Healey warned that risks change quickly and hackers have become sophisticated. “It used to be that those with intent didn’t have capabilities and those with capabilities didn’t have the intent; that has changed,” he said. “I think we’re coming up on the Internet’s most dangerous moment.”
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008