March 28, 2019
Fuzzy Language Limits Cyber Adoption
Insurers must solve the language problem to remain relevant, providing broad coverage for the cyber peril on the insurance lines it affects.
In a late February blog post, Insurance Thought Leadership.com editor Paul Carroll urged the industry to “watch your (our) language!” and to “get our talk – our vocabulary – straight.” While he focused on examples of inaccurate word choice impairing customer perception of insurers and their products, his point is equally relevant when talking about the cyber insurance segment. Nomenclature matters for insurers and their customers alike. Two industry terms that are being used inconsistently and are often conflated in the cyber markets are “silent cyber” and “cyber as a peril.”
“Silent cyber” relates to an insurance policy that does not affirmatively include or exclude coverage for losses arising out of the cyber peril. Such a contract causes uncertainty. For example, if a hacker manipulates connected devices or systems and causes property damage, will your property policy cover the losses? If a hacker or a human IT error brings down a power grid or causes a dam to flood, would a business interruption policy respond? Historically, insurers did not price for these events in their rates, as these events weren’t relevant when the policy language was written. Property policies also often don’t price for, nor address, extra-terrestrial invasions in the language; while there is a non-zero possibility of a Martian landing, we are reasonably comfortable that it is okay to be silent there.
But loss events from the cyber peril that affect a variety of property and casualty policies are becoming more apparent every day. A few examples include Stuxnet, the 2015 Ukraine power outage, Saudi Aramco’s 2012 hack and NotPetya. Understandably, more insurers are reviewing their various P&C contracts to ensure contract certainty on policies with potential exposure to cyber events. Forward-thinking insurers are inventorying policies to determine where silent exposures exist and amending policy language to affirmatively exclude (using language like CL380) or affirmatively cover (and price for) losses from the cyber peril. While competitive pressures can make this exercise a real challenge, insurers that get this right will have better certainty on exposures, manage capital more efficiently and be better-equipped to innovate on products that cover the various losses that can emanate from the cyber peril.
Insurance policies are contracts of adhesion drafted by the insurer, so ambiguity will often be interpreted in favor of the insured by the courts, due to the asymmetric influence the insurer has over the language. Next, consider that a property policy can have limits as high as $1 billion, while the typical affirmative cyber insurance policy limit is below $25 million. We can see why it is a benefit to the market for insurers to have certainty (by ending the silence) on large property policy limits with potentially catastrophic exposure.
Brokers and risk managers need to ensure that the organizations they represent have adequate coverage (in terms of coverage scope and policy limits). Brokers are expanding physical coverage on traditional cyber policies as well as adding cyber, as a covered peril, on adjacent P&C policies. Reinsurance carriers and brokers are also making new reinsurance products. These efforts will benefit the market at large in the form of more robust policies that are underwritten and priced with a conscientious evaluation of the covered perils.
Insurers are moving swiftly to offer cyber coverage. About 150 insurance companies have booked premiums for such insurance, up from about 100 last year. Only about 50 carriers offered cyber coverage four years ago. This activity all matters because cyber is a virtual and existential business risk that, for the most part, insurance products don’t adequately address yet. The industry needs to solve this problem to remain relevant by providing broad coverage and limits for the cyber peril on the variety of insurance lines it affects. Teams across insurers are collaborating to provide appropriate line-specific and cyber-specific expertise to approach the problem.
And greater attention from regulatory institutions and rating agencies is likely ahead in terms of inserting stronger language in regulations to address cyber risks and holding conversations with insurers. Lloyd’s of London, which its CEO says has a 20% to 25% share of the multibillion-dollar cyber insurance market, is requiring its syndicates to report quarterly on their cyber exposures.
Companies, however, have been slow in adopting cyber insurance due to its complexity and limited coverage. Calling them “cyber” policies implies coverage for a wider variety of exposures than the policy actually contemplates. Again, nomenclature matters. While the majority of companies subject to data breach regulations, like large financial institutions, healthcare, retail and hospitality companies, purchase coverage, total market penetration is only about 15% in the U.S., with small business being the lowest adopters. Outside of the obvious statement that no one is immune to a costly data breach, there are several reasons for insurers to engage with cyber insurance and promote the coverage to businesses. The significant factors include:
- The explosion in the number of devices connected to the internet, which is expected to reach 200 billion by 2020 — from just 2 billion in 2006, International Data Corp. estimates. Each of those devices is a point of entry for a cybercrook, and every employee interaction with the internet poses a potential threat of a breach.
- Automation of business operations and processes, which makes critical elements of a company’s infrastructure and systems vulnerable to cyberattacks and should be accounted for in any risk management plan. Manipulation of this connected infrastructure could cause physical effects arising out of the cyber peril.
- Rapid development of more sophisticated cyberattacks, including ransomware, supply chain attacks and formjacking – inserting code into retailers’ websites – making it tough to respond with countering technology. Ransomware payouts alone in 2017 reached $5 billion, according to Cybersecurity Ventures.
Like insurers, companies and their brokers should be inventorying their own policies to evaluate the scope of coverage on their “cyber” policies, as well as evaluating coverage for the cyber peril on all of their P&C policies to ensure there are no surprises at the time of a claim.
As technology continues to advance, insurers need to find ways to adapt quickly and create innovative products that properly protect their customers from the exposures that are relevant today. Collaboration is needed within insurance companies and across all parties in the insurance value chain to properly protect insurers and insureds from this existential business risk.