Where Cyber Insurance Underwriting Stands Today

“You would think the first question to ask would be: Do insured parties understand the elements and limitations of coverage?” said Kevin Kalinich, speaking on cyber risk. “The real first question is: Do the insurance companies understand?”

Kalinich, global practice leader for cyber/network risk at consulting firm Aon Risk Services, was a panelist at the Standard & Poor’s Ratings Services 2015 Insurance Conference this week in New York, where experts stressed the importance of underwriters working together to gain a better understanding of the market so they can properly assess and price cyber risk.

Demand for insurance covering cyber attacks is mounting and the risk is evolving rapidly, panelists noted. A number of U.S. insurers are testing the waters, but panelists said that even the insurers with larger market shares have thus far been cautious due to the lack of actuarial data available in this nascent market. They have been writing policies with low limits and a slew of exclusions, such as for damages resulting from data handled by an external contractor.

Current Marketplace

Right now, a handful of players — American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd. — dominate the market for cyber insurance, but panelists said clients are looking to buy more coverage than insurers are willing to offer.

As the market develops, providers will need some time to model risk sufficiently and to set premiums accordingly. This will remain difficult, Kalinich said, because the threat is evolving fast. He said two decades of reliable data are needed to feed models.

“We’re much farther along than we were two years ago; we have much better information now,” he said. “But it’s not a static model. It changes over time, and in two years it will be much better.”

Regulators have taken steps to guide insurers toward a consistent approach to the market. The National Association of Insurance Commissioners (NAIC) recently adopted guiding principles for insurers underwriting cyber risk.

Regulators Involved

The NAIC is also developing a set of best practices for insurance company examiners to test protocols and processes, as well as a consumer bill of rights so that consumers know when data has been hacked.

“The primary issue–the cornerstone of the whole effort–is making sure we are seamless in information sharing,” said Adam Hamm, the North Dakota insurance commissioner and chair of the NAIC Cyber Taskforce. “The good news here is that that is happening. There’s a substantial amount of work being done to ensure that we’re working together and collaborating.”

So far, risk assessment has been inadequate because initiatives don’t specify the need for aggregated estimates of maximum possible loss, said Aon’s Kalinich. For example, if an insurer covers 1,000 companies, half of which share a particular risk, it’s difficult to gauge the aggregated risk, he said.

Relation to Other Lines

At the same time, it’s important for insurers and clients to understand where stand-alone cyber insurance fits with other lines–coverage could fall under a property/casualty policy, for example.

“If there’s a cyber attack that causes tangible damage to property, it could be covered under your property policy,” Kalinich said. “If there’s an attack that causes tangible damage to a third party, your general liability policy could cover it.”

Currently cyber insurance is written on a claims-made basis and primarily covers third-party liability in the U.S. First-party coverage (covering the cost of investigating and securing the site of the technology breach, as well as losses) is available only sparingly in the U.S.

With large retailers such as Home Depot and Target, banks such as JPMorganChase and Citibank, and health insurers Anthem and Premera Blue Cross all suffering cyber breaches, experience shows no company is safe.

National Security

Jason Healey, director of the Cyber Statecraft Initiative for the international affairs think tank the Atlantic Council, looks at the issue from a national security perspective.

“From that perspective, none of the attacks have been big,” Healey said. “One of the reasons I don’t think cyber-attacks have been that bad yet is that it’s relatively easy to bounce back from them.”

He said it does not appear anyone has died from a cyber-attack. “Essentially, what’s lost are ones and zeroes, and it’s really easy to replace ones and zeros,” he said.

Yet with the increased linking of concrete-and-steel structures–such as power grids–to the cyber world, there’s an increased danger that people could be hurt or killed, and that an economy could suffer irreparable damage, according to Healey.

“It’s going to get worse before it gets better–without a doubt,” Healey said.

Lax Controls

Kalinich said he sees little coordination within companies themselves. He related a tale in which Aon visited a client and found that 19 percent of employees were still using their system’s default password–which was “PASSWORD.” When advised of this, the company implemented a policy to force workers to change their passwords to access the system. During a visit six months later, Aon discovered that 23 percent of employees had their new passwords on notes stuck to their computers.

Hamm agreed that better intracompany coordination is essential. “If this is an issue that stays in your IT department, you’re probably not going to be around much longer,” he said.

Healey warned that risks change quickly and hackers have become sophisticated. “It used to be that those with intent didn’t have capabilities and those with capabilities didn’t have the intent; that has changed,” he said. “I think we’re coming up on the Internet’s most dangerous moment.”