Is the Industry Responding Quickly Enough to Cyber Risks?

April 15, 2012 by

I’m often asked if the insurance market is capable of providing coverage that responds to the rapid pace at which cyber risks are growing and changing. This is an understandable question if you consider our growing reliance on new technologies such as cloud computing and the development of advanced malware, as criminal gangs and activists seek to use it for profit, intelligence and publicity.

The spread of cyber risks in recent years is staggering. The U.K. Information Commissioner’s Office reported a 58 percent increase in data breaches last year. Cyber crime costs the global economy an estimated $388 billion — more than the illegal drug trade. Worldwide, 19 people fall victim to some form of online crime every second, most commonly social network hacking and credit card fraud.

Last year alone: 286 million unique variants of malware were reported; there was a 93 percent increase in web attacks; and on average, 260,000 identities were exposed with each data breach as a result of hacking.

Cyber Liability

Insurance to cover cyber risks first emerged for the U.S. market around 2002, primarily as a result of the state data breach notification laws, starting with California’s SB 1386 — a milestone in corporate data protection requirements.

Initially there were two distinct products offered: privacy policies and non-physical business interruption policies. Around five years ago, insurers consolidated these two wordings into one comprehensive off-the-shelf cyber wording. Since then, insurers have been cautious about developing the product further. It’s a difficult task to continue to innovate and broaden coverage when the risks grow each year and there is poor claims experience to draw on. Coverage needs to be sustainable or it’s of no use to anyone in the long term.

Additional cyber solutions have been secured in areas such as payment card industry (PCI) fines, inclusion of third-party vendors, increasing the limit for first-party breach costs and broadening triggers for non-physical business interruption.

And now that the insurance market is more experienced, it is time to take a fresh look at the wordings and see where we can look to transfer more of these risks. We also need consistency in wordings so it is possible to build significant limits for cyber programs that comprehensively cover the risks faced by businesses. It is all very well obtaining broad coverage on the primary placement, but if you can’t secure the same coverage on the excess placement, the client won’t get the real benefit of the broader coverage. The market as a whole needs to react and innovate as one to address this issue.

Often we see the market reacting to new trends. At first, claims resulting from third-party IT vendor security breaches were not covered, but we can now obtain extensions to cover third-party IT vendors. On the other hand, some markets have started to exclude claims resulting from mobile devices due to the increase in cyber crime against smartphones and tablets.

New Risks

In 2010 we entered a new decade of cyber attacks with advanced persistent threats (APTs) such as Aurora and Night Dragon. These are insidious, targeted attacks over a sustained period of time designed to steal trade secrets and intellectual property. They occur largely without public disclosures and differ from the immediate financial gratification that drives most cyber crime. The insurance industry needs to consider how it will provide coverage for theft of intellectual property and trade secrets to help businesses mitigate this risk.

Sometimes the market is too slow to react; the recent cyber phenomenon of hacktivism is an example. Hacktivists use cyber attacks to promote political and ideological ends. Groups such as Anonymous, LulzSec and AntiSec have targeted organizations including Sony, Universal, the Central Intelligence Agency, FBI and the U.K. Serious Organised Crime Unit.

It could be argued that Anonymous, which the U.S. government classifies as a terrorist group, could be excluded from coverage by terrorism exclusions. Brokers should therefore try to ensure that the appropriate coverage extension protects businesses from this growing threat.

The cyber insurance market is still young, but has already changed a great deal since it began. Continued communication across the insurance market will ensure a constant evolution of risks and products to help mitigate this fast-moving threat.