By Jessica Xieyang Qiao
Warren Buffett is not eager for Berkshire Hathaway to be a pioneer in the “uncharted territory” of investing in cyber insurance.
Yet cyber insurance is growing and evolving rapidly in response to a surge in demand and an increasing level of cyber threats.
The total cybersecurity insurance market in the U.S. reached about $3.1 billion in 2017, a year-to-year increase of 29.5 percent compared to approximately $2.4 billion in 2016 and $1.4 billion in 2015, according to the latest cyber report from the National Association of Insurance Commissioners (NAIC).
Deborah Chang, vice president of public policy at HackerOne, said cyber insurance is a budding market that made “a lot of noise” last year. That said, it remains a work in progress and faces a slew of challenges.
Cyber insurance has become part of the security landscape for many businesses, but individuals can get it too. The coverage reaches beyond data breaches to offer protection for cyber extortion and more common breaches such as identity theft.
“One impression I have is that filing the claim is not easy,” Chang said. “If you are the insured, no matter how big you are, the insurer or the underwriter sometimes doesn’t know how technical your claims are because the assessment process is very complex.”
In addition, there is a disconnect between the person who is responsible for buying the security tool and the risk manager who identifies and prioritizes a company’s cyber risks.
“The risk manager’s jurisdiction within a company is not the same as the person who buys the security tool and handles the eventual risk that comes back to the company,” Chang said.
Moreover, companies may need to outsource the talent that helps them quantify cyber risks, which is an additional expense, said Éireann Leverett, senior risk researcher at the University of Cambridge in the U.K.
“You need to pay out money you might use on other defenses or responsive capacity,” Leverett said. “But in general, there is a net gain in society as cyber insurance starts to show the true cost of cyber crimes, and help business or civil society organizations survive events they otherwise would not.”
Dan Cotter, partner of Latimer LeVay Fyock LLC, said while the American Association of Insurance Services (AAIS) and Insurance Services Office (ISO) are the two major policy rating bureaus in the U.S., the cyber insurance market lacks standard forms of policy language.
“Cyber policies are not written on common forms because a lot of cyber insurance coverages are not based in the U.S.,” Cotter said. “There are lots of cyber coverages from London. I think commonality is good but I don’t see it up yet.”
While the lack of standards is true in the broader sense, there are initiatives to build a common structure for data reporting regarding cyber exposures.
“We need many more, but there are standards we have already created for those who go looking for them,” Leverett said.
Another key challenge facing cyber insurance is people’s low awareness of the full scope of cyber risks they may encounter, such as data compromise or the unintended propagation of malware. Dan Shelton, president of ProCirrus Technologies, said this “lack of understanding” prevents companies from seeking adequate coverage.
“We do recommend to most of our clients to have cyber liability insurance to cover all their main threats,” Shelton said. “Most firms and most people in business really underestimate their risks.”
People tend to think of risk in terms of an external intrusion, such as when North Korea hacked into Sony Pictures back in 2014. Yet the realistic risk factor is that end users and people inside your company can mess things up.
“You don’t need to be a major retailer to be at risk. Both malfeasances from the outside or negligence and mishap from the inside can lead to a cyberattack,” said Judy Selby, principal of Judy Selby Consulting LLC.
With an increasing awareness of cyber risks at the boardroom level, coverage is being sought for protection from cyber extortion, senior executive losses, contingent business interruptions, and many other threats.
While first-party coverage includes losses incurred directly by the insured, third-party coverage comes into play when a claimant sues the insured company for damages or losses due to cyber incidents such as a personal data compromise.
“The way we do business now is so interconnected and interdependent on each other,” Selby said. “Your business may be affected if your business partner, or somebody in your supply chain, experiences an incident. The economic impact of that can be staggering. Business interruption coverage comes in for that type of situation.”
In addition to a legion of coverage plans, last year saw the development of what insureds and insurers call package services, which provide companies with a roadmap to navigate potential data breaches and cyberattacks.
“So you will see pre-breach collaboration [agreeing to] services provided in the event of a breach as well as post-breach solutions,” Chang said. “That’s something that is new and you will see insurers and policies sometimes include package services as a part of the premium.”
Because cyber insurance has its benefits and limitations, it cannot replace the need for data protection. Rather, it works alongside other cyber management strategies, such as law enforcement, in the same way auto-theft insurers collaborate with law enforcement investigations.
“Cyber insurance and other risk management techniques work in concert, hand in glove,” Leverett said. “You should do risk management before you buy cyber insurance, and any diligent underwriter won’t sell you a policy if you don’t have firewalls that are well-managed.”