In our first article on the history of cyber insurance, we looked at the impact that insurance has on creation and adoption of production technology, notably in providing risk transfer to those who bear the risk of loss of capital expenditures needed for innovation.
The first cyber insurance policy was written in the late ’90s, with the emergence of mainstream Internet. These policies provided the mushrooming number of Internet companies with coverage for liabilities resulting from a third party attack.
Later on, in the early 2000s, as data privacy laws were rolled out in states across the U.S., cyber insurance policies expanded to include a variety of first-party costs, such as notification costs, call center costs, and credit monitoring costs. They also came to include additional first-party costs associated with breach loss: crisis management costs, forensic and incident response costs, breach counsel and data remediation costs.
By 2013, cyber insurance premiums rose dramatically. Events such as the Target breach triggered widespread concern. In that breach, over 41 million payment accounts were compromised and costs estimated at higher than $300 million were incurred [Target 2015 Securities report], though it is believed that total costs will be over $1 billion.
These costs included crisis communications costs, legal and settlement costs and forensic costs. Additional costs include customer churn and brand dilution. At the time, Target had $90 million in insurance, with $10 million in deductibles.[i]
The Target case reflects the wide gap between insurance risk transfer and total actual costs borne by companies. While market estimates place cyber insurance premiums in 2016 at $2.5 billion, cybercrime costs are still significantly higher, at $450 billion[ii]. This figure includes damage to data, stolen money, business interruption, fraud, forensic costs, restoration of data and the cost of reputational harm. What it does not include is declines in stock and public company valuations related to breaches, customer and employee churn, ongoing investigations, and brand dilution.
It is expected that cyber insurance spending will grow quickly in the coming years, at an estimated 30-40 percent CAGR. As more companies become educated about their need for cyber insurance, and sophistication enters the market in the form of new and innovative coverages, the breadth of coverage available in policies will widen.
As cyber insurance becomes more mainstream to reflect the growing reliance on technology and the convergence of digital risk with other commercial risks, brokers who want to stay on top of the game must be able to overcome some of the challenges that face this industry:
1) Manuscript forms: One of the biggest challenges facing brokers is the lack of standards in policy wording and coverage, which makes it difficult to compare easily across policies and provide support in choosing the best coverage for the client.
2) IT knowledge: A deep understanding of cyber risk relies on knowledge of IT systems, configurations, and the role employees and humans play in risk. The broker needs to educate him/herself in this area, and this takes time.
3) Staying on top of ever-changing risk: Cyber-risk attack vectors and types change on an ongoing basis. Staying on top of the latest attack vectors and types of exposures requires ongoing effort.
With the advent of digital advancements in online marketing, online relationship management tools, and even automatic ‘robotic’ consultation (chatbots), brokers need to work at staying relevant, now more than ever.
Not knowing how to broker the right cyber policy could mean not being able to grow a cyber book, and brokering a policy incorrectly could even lead to an E&O claim, as happened in the Hotel Monteleone case[iii].
Here are six strategies that can help brokers stay on top of cyber risk:
1) Educate oneself about the latest incidents, claims, attacks: There is not a week that goes by without a newsworthy cyber event: Equifax, WannaCry, NotPetya, Yahoo!. Many security blogs provide updates on what happened and how these events unfolded. A popular one is Krebs on Security, written by investigative journalist Brian Krebs.
2) Create client cases that can be shared with clients: As brokers read these incidents, they can make a note of them and share them with clients who believe “it won’t happen to me.”
3) It’s not just about data breaches: Cyber insurance has primarily been used to cover costs associated with leakage of data records. However, events could trigger even more significant havoc within the organization. An example of this is the case of Maersk, a shipping company that had a $300 million loss in profitability[iv] due to business interruption costs associated with ransomware. There are also extortion events, as was the case with WannaCry, and general network asset damage that could result from a cyber event. It is important that clients, even those that do not hold data records, are aware of the exposures that exist.
4) Calculate financial loss scenarios: Using a good data breach calculator can help brokers articulate to their clients the types and ranges of costs that could be expected. This, in turn, can help clients choose the optimal type and size of coverage.
5) Help clients fill out tedious application forms: Brokers can and should educate themselves on the various application forms out in the market and help clients with questions they may not know how to answer. This involves having in-depth conversations with underwriters on an ongoing basis, to understand why questions are being asked and how answers to those questions impact underwriting.
6) Use industry benchmarks: Having an idea of what is standard in the market related to policy transactions for various industries helps brokers relay purchase patterns to clients so they feel they are not over- or under-purchasing. Brokers can keep a database of policy transactions so that it is handy when the conversation arises.
Cyber insurance is one of the fastest-growing product lines in commercial insurance today and will be a key purchase for enterprises in the future, as technology becomes more prevalent and digital processes are relied on more heavily. Brokers who invest in their own education now will reap great benefits from their efforts.
Tilli Kalisky-Bannett is a founder at CyberJack, a cyber insurance start-up based in Mountain View, Calif. She spent the majority of her career as a partner with 83North, a top-tier Silicon Valley technology-focused venture capital firm. While at 83North, Tilli led and managed investment processes for multiple portfolio companies and held Board directorships and Board observer roles across multiple companies. She received her MBA from MIT, where she graduated with Honors. In 2013 Tilli was voted top 40 under 40 in national business newspaper, The Marker.