Cyber, Cyber, Cyber
Where do we find Cyber Liability risk? How do we measure Cyber Liability exposure? More fundamentally, what is Cyber Liability?
Once upon a time, insurance underwriters and risk management departments, mostly at financial, healthcare, retail and technology companies, worked to manuscript complex policy forms with thirty-page applications to address the exposure presented to the network security of companies accumulating vast amounts of sensitive customer information. The chief threats were often viewed as teenage hackers out for sport and criminal enterprises out for more nefarious purposes. But all that has changed. Technological advancements are embedding themselves more deeply within our personal lives. There are broader security concerns created by the shifting world political and economic order. The daily reality of terrorist threats is with us permanently.
So where is Cyber Liability risk? Yes, we know it’s in the network systems of almost every financial institution, healthcare provider, government agency and retail company we deal with. But it’s also in the cars we drive and the cars that will soon drive us. It’s in our smart homes. It’s in the airplanes and trains we travel in; the laptops, cell phones, credit cards and theme park bracelets we use; and it’s no longer science fiction to imagine that it will soon be in computer chips embedded within the human body for health and efficiency purposes. In short, Cyber Liability risk is everywhere.
How do we measure it? That’s a serious challenge. In theory, the only way to underwrite Cyber Liability risk successfully is to underwrite the entire supply chain. Some of the largest and most visible Cyber Liability incidents and losses have resulted from vendor failure somewhere in the supply chain. The old adage that a chain is only as strong as its weakest link applies when it comes to Cyber Liability. Other losses come from employee negligence. Employees are a vital part of the Cyber security chain. For all the concern about sovereign governments attempting to steal secrets or disrupt U.S. commerce, the fact remains that many if not most Cyber Liability claims stem from vendors and employees failing to comply with basic information safeguarding procedures. Small companies struggle in particular with Cyber security as they often lack the financial resources to address the issues. Many don’t even know where to start.
Here is where Cyber Liability insurance comes in. One of the sometimes overlooked benefits of purchasing Cyber Liability coverage is the application process itself. For smaller companies and professional service firms that may not have the financial resources to spend six figures on a consulting study, the insurance application provides a pretty good roadmap for the areas to start with to at least get the basics done correctly. This point was made at the recent FEI Summit by Michael Becher, an Audit Committee Member at First Merchants Corporation. Some Cyber Liability insurers even offer an hour or two of basic IT consulting work just to identify immediate system vulnerabilities. This can start the process of partnering with a Cyber security firm to address system issues as the business grows. Plus, it’s no surprise that more and more large companies are requesting if not demanding that their smaller vendors show evidence of Cyber Liability insurance.
If we look at the development of the Cyber Liability insurance market, it reminds a lot of insurance professionals of the 1990s development of the stand-alone Employment Practices Liability (EPL) market. As the perceived risks grew due largely to expanded worker protections from discrimination and harassment under federal and state law, the Casualty market made it pretty clear it didn’t want the risk. Stand-alone EPL grew rapidly as the last vestiges of available coverage were squeezed out from the Casualty market. To some extent, the same is true for Cyber Liability insurance as exclusions are being added to Casualty and other policy forms to eliminate or at least reduce coverage for claims that might otherwise be covered. Although there have been some recent decisions concerning what are thought to be (at least by the policyholders and their attorneys) covered Cyber Liability claims under Casualty and other policies and there will continue to be litigation along these lines, the trend is pretty clear in terms of underwriting intent. Underwriters want Cyber Liability (as they define it) covered under a stand-alone form with separate underwriting and capacity guidelines.
I would argue, though, that the evolution of EPL and Cyber Liability insurance is very different. EPL exists within the context of a single area: the employer-employee relationship with the limited exception of discrimination against or harassment of third-party customers. That makes EPL easier to define, analyze and measure. As mentioned at the outset, Cyber is very different. It’s everywhere and arguably cuts across every single exposure area of commercial insurance. So the demand for Cyber Liability insurance can and will come from everywhere. The insurance penetration opportunities are enormous. Law firms, accounting firms, the neighborhood CPA who does your individual or family taxes, the university your son or daughter attends, and the non-profit you contribute to with a credit card payment all have to address the risk. It’s no wonder that overall Cyber Liability premium growth in the past few years is spoken of in terms of multiples rather than the extremely tepid growth of most of the commercial insurance market.
The challenge for insurance underwriters and brokers is how to meet the demand in a responsible way. I believe this presents the greatest opportunity and challenge for the specialty insurance market for the foreseeable future.
I say that for several reasons. The first is that we are now fully immersed in the internet of things and a world in which the law still favors the individual consumer despite the fact that an increasing number of people behave on social media in a way that voluntarily and practically, if not as a matter of law, waives their privacy rights. We expect the companies we deal with to protect our information, even as we go online and let the world know where we are, when we aren’t home, what cars we drive, where we bank, shop and spend our days in very real time. We leave a trail of online clues as to where a financial or physical threat can find us and our personal information. But the law favors us as consumers and individuals, at least for now. So the burden is on the companies and professional service firms we deal with to protect us and our information.
The next reason is that there are as of yet no “rules of the road” for Cyber Liability insurance claims. This takes time to develop. For those who recall the earlier days of public D&O and disputes over allocation, capacity issues, and other policy provisions, whether express or implied, it took some time and required a fair amount of coverage litigation to develop a set of working rules and clarity in terms of how a D&O policy is intended to respond. In the case of Cyber Liability, I feel it may take longer for the rules to be agreed upon. As one highly respected coverage attorney recently commented at an Advisen Casualty Conference, the term “Cyber” itself means different things to different people, often depending upon whether you are an underwriter or a purchaser of the coverage. Hacking into a system…sure, that’s Cyber. A lost or stolen laptop that falls into the hands of the wrong party…maybe. Computer tapes that are supposed to be destroyed but again get lost or fall off a truck and into the wrong hands… At this point, there are a lot more questions than answers.
Finally, the Cyber Liability policies I have reviewed often look as though they were written by computer security experts. The terminology is foreign to most buyers of insurance. Just recently I put two of the policies side by side. They purport to cover pretty much the same thing. One base form was about 10 pages in length; the other more than 30 pages. That’s a red flag. If the authors of the policy forms differ that widely in terms of how coverage intent and restrictions are to be expressed, imagine how confusing it will be for the buyer. I expect to see a lot of coverage litigation unless someone convenes a consortium of insurance companies and buyers with the express purpose of coming up with a set of agreed-upon basic principles and definitions for coverage language. Otherwise, underwriters and policyholders will see each other in court more often than should be the case for the health of the industry and development of the Cyber Liability insurance market.
I have to confess that for a long time, I was not bullish on Cyber Liability insurance. The ratio of time spent educating potential customers as to their risk factors and the insurance options far outweighed the number of times a customer actually purchased Cyber Liability insurance. Times have changed. Customer demand for coverage is growing dramatically. So are the risk factors as the world gets more complicated. How we as insurance professionals respond to the demand/supply challenge will determine whether the size of the Cyber Liability insurance market eventually overtakes other, more established markets, such as EPL and quite possibly even D&O. Exciting times ahead.