While cybercrime has increased dramatically, cyber insurance has struggled to rise to meet the threats. After the devastation of attacks such as NotPetya, interest in cyber insurance has spiked dramatically. However, even as interest is growing, the cyber insurance field is still new, evolving out of ‘silent cyber,’ and elements remain confusing for both brokers and risk managers. A recent blog featuring Nick Economidis, vice president of eRisk at Crum & Forster, and comments by Mark Silvestri, a cyber insurance expert working with RubiQon Risk & Insurance Services, shine a light on important elements to consider in this time of increased threat.
Cyber insurance evolved to fill gaps left by traditional property and general liability (GL) policies but has yet to reach its full potential. While cyber is becoming more common, a lack of standardization is leading to widely varying policies. In describing the history of cyber, Economidis asserts that “Cyber exists as a line of business because traditional lines of business were unable and/or unwilling to adapt their coverage to the changing exposures. A big part of that problem was the market-standard contracts that you have for general liability and property insurance, where it’s very hard to make changes to those contracts because you have to get everybody to agree.”
For all of cyber’s promise, the line will thrive only with better information sharing, both around threats and around defenses, and with a focus on clarity to help make sense of a turbulent environment. Economidis and Silvestri highlight a number of ways to bring clarity to cyber insurance and to provide flexibility for an uncertain future.
Triggering definitions are a major cause of frustration. First- and third-party coverages often have different coverage triggers. Economidis argues that more agreement on universal trigger definitions is essential for successful cyber policies: “I’ve seen situations where brokers had to explain why a loss isn’t covered on one portion of the policy, while it is being covered on another section of the policy. I strongly suspect brokers find that frustrating because nobody wants to be having that conversation when somebody has a loss.”
Silvestri expands on this: “As Nick noted, universally defined triggers are important. To ‘future-proof’ coverage, also seek a broad definition for any underlying universal covered cause of loss. Threats change constantly. In the early days of cyber coverage, nobody contemplated crypto ransomware or Stuxnet,” says Silvestri. “Broad definitions for ‘network’ help too. Even a year ago, few of us would have thought about the variety of remote work arrangements that are commonplace today in response to the Covid-19 pandemic.”
Economidis and Silvestri both emphasize that the client’s needs, and the nature of the business, should determine the policy. Depending on the client’s requirements, Economidis argues for the need to prioritize: “I don’t think that every coverage enhancement on a cyber policy has equal weight. For instance, I think coverage for bricking is currently more important than coverage for crypto jacking. I say that because we’ve seen much more significant bricking claims than we have crypto jacking losses.”
Silvestri agrees, adding that “Nick’s advice on how to evaluate cyber policies is spot on… Start with your client’s exposures and needs. Base those on their unique business operations. Establish coverage evaluation criteria by prioritizing those needs. Then evaluate cyber policies against the criteria, not against each other. That helps you negotiate coverage enhancements for what matters most.”
Perhaps most important, clarity and readability are key elements of a cyber policy that can manage the demands of a rapidly changing threat environment. As Silvestri emphasizes, “Above all, seek clarity and readability. The market is littered with policies that even lawyers can’t parse and understand. If coverage is clear, it’s easier to ask for enhancements if you need something special. More importantly, it avoids issues if you have a loss…. Look for cyber policies that fill coverage gaps as these standard lines increasingly exclude cyber as a cause of loss.” He also added that it is important to “Look for cyber liability coverage that doesn’t require your client to have committed a wrongful act. Your client may be an innocent victim just as much as any claimant.”
Cyber threats are not simply going to go away. As the frequency and severity of cyber attacks rise, it becomes imperative to have strong cyber insurance policies that are capable of encompassing future risks and providing clarity to risk analysts and brokers.