Few corporate risks are as amorphous as cyber liability, and few insurance products are as complex as cyber insurance. Small wonder why so many different insurance policies present a modicum of cyber coverage, but none offer comprehensive protection.
The problem can be traced to the word “cyber,” so broad that it encompasses a multitude of financial exposures, from denial of service attacks to computer viruses to a cup of coffee destroying a laptop. Other cyber risks include stolen or corrupted digital information, Internet-based libel and slander, and even such extraordinary hazards as an office building’s computer-operated HVAC system shut down by a hacker.
The insurance industry has responded to these wide-ranging risks with a variety of insurance policies picking up different exposures. Errors and omissions liability, commercial crime and general liability insurance policies all offer some protections. For third party liability risks—a hacker breaching a company’s database to steal the personally identifiable information of customers and/or employees (the third parties)—insurers have addressed this peril with cyber liability insurance.
While cyber liability insurance would seem a necessity, particularly in the wake of two recent major corporate data breaches involving potential identity theft—Target and Snapchat—not many companies buy the coverage. The reason is that different industries confront different levels of cyber liability risk.
“Clearly, this is an issue for retailers, financial institutions, health care and the hospitality industry,” said Kevin Kalinich, global practice leader, cyber, at insurance broker Aon Risk Solutions. “The majority companies in these sectors buy the insurance. But, for other sectors, the purchase rates are much lower, even though every industry from automotive to pharmaceutical is leveraging technology in profound ways.”
Building the Customer Base
Insurance broker Marsh estimates that the market penetration for cyber liability insurance across all industries is about 25 percent to 35 percent, “give or take a 5 percent deviation,” according to Bob Parisi, network security and privacy practice leader. “We expect this to change now that many carriers are streamlining the underwriting process, providing truncated insurance policies and turnkey solutions to enterprises where interest has been less than robust.”
A key challenge for potential buyers, particularly smaller businesses without a corporate risk manager, is the cyber insurance application process. In many cases, the insurer wants detailed information on the organization’s technology infrastructure and security protocols, which can be both time-consuming and expensive. “The process is very off-putting,” Parisi said.
This is changing, however. The insurance industry’s plan to tailor policies to specific industries and types of businesses is expected to increase purchase rates. Another factor likely to spur greater interest is the high publicity surrounding the data breaches at Target and Snapchat. The retail giant was attacked from November to December last year, while Snapchat, a video and photo sharing service, was hit in January. The data breaches exposed millions of their customers’ personally identifiable information to identity theft risks.
Making the decision to buy cyber liability insurance recently is Concordia University in Montreal, which tallies more than 7,000 employees and 45,000 students, all potentially vulnerable to identity theft. “We have private, personal information on every single student and employee, including bank account numbers in some cases,” said Jean-Francois Baril, the university’s corporate risk manager.
Concordia, a research-driven institution, also has in its possession a storehouse of intellectual property, including the R&D of the many large corporations that provide funding for specific research conducted at the university on their behalf. “It is our responsibility to protect this information,” Baril said.
This wealth of data, were it to fall into the wrong hands, could be financially and strategically devastating, insofar as Concordia’s academic reputation. For several years, the university weighed the purchase of cyber liability insurance, but ruled it out, primarily for costs reasons. No longer is this the case. “We are in the process of buying cyber insurance,” Baril said.
This process first required the hiring of consulting firm PwC to examine the school’s existing IT infrastructure and recommend measures to strengthen security and reduce overall risks. More than $500,000 has now been budgeted to improve the IT system, and in February insurer AIG will assess these controls. Once approved, Concordia will be provided an all-inclusive cyber liability policy, with a $100,000 self-insured retention.
Bank of New York Mellon purchased its first cyber liability insurance five years ago. “At the time, our perception of risks emanating from the Internet had grown,” according to Carmelo Casella, managing director corporate insurance, at the New York-based bank. “I also was reading these stories about companies that had lost customer data because an employee left a laptop on the subway.”
Since purchasing that initial policy, the bank has added to the limits of financial protection, from $10 million originally to what is now $50 million in insurance. The policy’s coverage terms and conditions have also broadened. “The big expense is victim notification of a breach, which is broadly covered to include all out-of-pocket extra expenses like phone calls, letters, and so on,” he said.
The risk manager agrees that the initial underwriting process is onerous, as are subsequent annual policy renewals. “What I do is have my chief information security officer here with me when the underwriter visits,” Casella said. “Technology is a foreign language to me, packed with acronyms. Rather than be a messenger between the insurer and our IT people, I find it best to have us all in one room.”
Some businesses like The Lincoln Electric Company continue to mull the purchase of cyber liability insurance, but find it too expensive. “We’ve given it a close look the last three years as we evaluated our cyber exposures, and determined to self-insure the risk for the time being,” said John Hach, risk manager of the Euclid, Ohio-based $3 billion manufacturer of welding products, arc welding equipment, welding consumables, and robotic welding systems.
The company’s risk evaluation included the creation of a model pinpointing the financial and reputational impact of a data breach. “The findings indicated that the average cost to rectify data breach losses of victims was roughly the same as the deductible offered by the insurer,” Hach said. “Consequently, it made no sense to buy the insurance. Rather, we’re managing the risks by investing in our IT infrastructure. For instance, we recently went through an `ethical hacking’ of our system to assess if there were any holes.”
In between these examples is the State of Washington, which awaits direction from its Chief Information Officer on whether or not to purchase cyber liability insurance. “Right now, we self-insure (our cyber liability risks) and purchase reinsurance above it,” says Drew Zavatsky, loss prevention section manager in the state’s Office of Risk Management. “Given the volume of personal data we possess, and the criminal skills of the hacking community, our CIO is undertaking a gap analysis to assess our security strength against the potential threat.”
It’s a “huge” project, he notes, one that will not conclude for at least another year, due to the state numerous agencies and departments. “The CIO could come back to us and say, `Buy the policy now,’” Zavatsky said.
Three years ago, this was not the case, however. “We stuck our toe in the water in 2011 to really give this some thought, but felt the premium was prohibitively expensive,” he recalls. “Still, this is one risk that just won’t go away.”