Even before a global wave of ransomware attacks in mid-May demonstrated the vulnerability of organizations large and small, many corporate buyers were already losing sleep over the lack of clarity and certainty in their cyber insurance coverage for proliferating digital exposures, judging from the attention devoted to such concerns during the recent Risk and Insurance Management Society (RIMS) annual conference.
Indeed, caveat emptor — let the buyer beware — seemed to be the unofficial theme of the numerous cyber risk seminars taking up a large portion of the event's extensive educational program. During one heavily attended session after another, risk managers, attorneys, brokers, and consultants warned how challenging it would likely be to secure sufficient and reliable cyber coverage in this promising but problematic market.
Related: Insurers must adapt to underwrite mutating cyber risks
|Lack of clarity and certainty
Insurers have a lot at stake here since cyber appears to be one of the industry's biggest opportunities for organic growth. With new cyber exposures manifesting themselves all the time, increasing demand for risk-transfer solutions could offer insurers a chance to expand the overall property-casualty premium pie, rather than keep fighting one another for a bigger slice of what's already available to cover more routine exposures. However, predictions of exponential growth are unlikely to be realized unless insurers can offer clients true peace of mind about rapidly evolving cyber threats to their people, property, reputation and bottom line.
During the RIMS conference, the titles of a few of the sessions provided not-so-subtle hints of what's keeping risk managers up at night. One focused on "Protecting your board directors and executives from a cyber nightmare." Another related "tales from the cyber trenches," offering tips on how to avoid having claims rejected. Buyers were warned about potential "trapdoors" and "landmines" in policies that could leave a company exposed if their risk manager doesn't cross every "t" and dot every "i" while negotiating coverage for this rapidly evolving risk.
Based on all the nervous chatter at the conference, it appears that cyber insurance is perceived by many prospective buyers as a potentially hazardous trip into the unknown, in part because policy terms and conditions are largely untested — and not just for new stand-alone policies. Standard property and casualty coverages — including directors and officers, professional liability, and business interruption — are often "silent" on cyber risks, not explicitly stating whether or not policyholders are insured. The result may be a mismatch of expectations that could prompt cyber claims disputes down the road, while stunting the growth of this nascent market until such fundamental uncertainties are settled.
To avoid coverage misunderstandings, buyers were encouraged to run cascade scenarios and conduct gap analyses assessing how their risk management and insurance programs might respond in a cyber crisis. Another precaution might be to purchase wrap-around coverage as a supplement to current policies that are silent on cyber risks, rather than assume such exposures are already included.
|Single attack can prompt claims under multiple policies
One other key takeaway echoed repeatedly during the RIMS conference is that cyber security is not "just" a tech problem. Instead, it's a classic enterprise risk management challenge. That's because cyber exposures can put an entire operation at risk, affecting people and property, undermining a company's reputation and stock price, as well as creating regulatory compliance issues. A single attack can prompt claims under multiple policies. Risk managers should therefore engage with leaders across their organization, including IT, legal, operations, and talent, to make sure they are covered if worst comes to worst.
Last but not least, brokers were often cited as key players in the cyber risk process, and not just to help identify potential gaps and compare coverage options. Some spoke about brokers providing unofficial "sleep insurance" for buyers, under the theory that errors and omissions coverage might offer some relief if a client is left exposed.
By the end of the three-day conference, risk managers attending the RIMS cyber sessions had likely been scared straight, not only about the potential consequences of suffering a breach, but also of inadvertently ending up uninsured.
|Cyber risk is anything but routine
Working with their surrogates — the beleaguered chief information security officers — risk managers have the unenviable task of securing a company's data and operating systems, remaining vigilant in the face of an ever-widening range of attacks and being resilient to recover quickly in case of an incident. A big part of resilience usually involves transferring risk to insurers. This is how risk managers routinely handle other standard property and liability exposures.
But from what I observed at RIMS and learned in my own research, cyber risk is anything but routine at the moment. The lack of clarity and certainty could make cyber insurance a harder sell than it should be for such a highly publicized exposure, while perhaps driving buyers into alternative risk-transfer vehicles, such as self-insured captives, risk retention groups, and capital market securitization.
How might insurers go about overcoming these and other obstacles hindering the cyber market's development? For additional insights, see the research report I recently published on Deloitte University Press, co-authored by my colleague, Adam Thomas, a principal in Deloitte's Cyber Risk Services team, on "Demystifying Cyber Insurance."
Sam J. Friedman ([email protected]) is insurance research leader with Deloitte's Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
