Corporations face a rising threat level related to cyber attacks. Indeed, our latest white paper outlines a dozen different ways such attacks can result in a company taking a major financial hit. So how can organizations protect themselves? One important tool is cyber insurance. This report provides an update on the cyber insurance market and explains why, when you go shopping, it’s important to work with knowledgeable experts who can ensure you get the right level of coverage.
Cyber insurance comes in many shapes, sizes and colors today. That’s a good thing when you’re seeking to manage the growing and rapidly evolving risks it protects against. But while a competitive insurance market has expanded the availability of coverage, it has also increased the challenge of buying the right policy to meet your unique risk profile and financial needs. This general update on cyber insurance trends and purchasing tips is designed to help you avoid common risk management traps.
Prudent business risk managers focus on the possibility of falling victim to cybercrime and the catastrophic damage it can cause. This is wise, considering the magnitude of the threat—whether from ransomware, wiper worms that erase your hard drive, spear phishing or some other malicious scheme—and the publicity this growing form of criminal activity receives.
While intelligence gathering is the primary motive behind spear phishing activity, Symantec’s 2019 Internet Security Threat Report informs us that “attack groups using malware designed to disrupt and destroy business operations increased by 28% in 2018.” The same report says supply chain attacks, in which cybercriminals gain access to your systems through vulnerabilities in vendors you interact with through the Web, nearly doubled last year. Also, “living off the land” attacks, in which intruders infiltrate PowerShell scripts that modify operating systems, increased tenfold in 2018.
Cybercrime is thriving, and you don't want to accelerate that trend by letting down your guard.
Despite the proliferation of such criminal activity, equally great or greater cyber risks come from entirely innocent sources such as operational errors, administrative mistakes and system failures that can be, despite built-in safeguards, enormously disruptive and costly. Fortunately, cyber insurance can protect against these innocent risks, too. For instance, it can cover “fat finger” mistakes that cause system outages or disruption, or in some cases, the costs to repair digital assets compromised by such mistakes.
Finally, properly constructed cyber insurance can minimize some of the cost of mundane system errors that are not triggered by hapless humans. Such errors may include outages due to router failures and switchgear or other system component malfunctions. Even when your systems operate perfectly, your service providers may experience problems that have spillover impacts on your operations and those of your customers. In a hyperconnected IT environment, containing the cascading effects of a system failure can require expensive and time-consuming efforts.
How, specifically, can such adverse cyber events affect your organization? Understanding the possible corporate impacts of the three exposure categories—malicious cyber activity, accidental human error, and unintended and unplanned system outages—is essential to securing appropriate cyber insurance. Here are a dozen possible financial hits from cyber events to consider:
The market for cyber insurance is expanding at a rapid pace as companies devote greater attention to these risks. A report published by Orbis Research projects the market will grow at a 25% annual rate over the five-year period ending in 2023, with revenues then hitting $18 billion. New carriers are joining the market, helping to stabilize premiums for large corporations with substantial cyber risk exposures. Meanwhile, premium rates for small to midsized companies are highly competitive today.
Also, in the current cyber risk insurance market, full policy limits are commonly available for all policy provisions. That is, carriers generally aren’t requiring sublimits, or ceilings on coverage for particular claim categories within the overall policy. Similarly, the scope of available coverage has expanded to include contingencies like system failure, often at a modest additional charge and with reasonable waiting periods.
Cyber insurance now covers other risks—including contingent business interruption, reputational harm and accidental or malicious destruction of system hardware—more easily and affordably. Insurance markets are cyclical, however. As carriers and reinsurers gain more claims experience and competitive dynamics within the cyber insurance market evolve, the cost and availability of coverage could change.
When a cyber risk shifts from theory to reality, the immediate and urgent priority is rectifying the situation. That does not make for a strong negotiating stance when procuring external technical support services. Some cyber insurance policies, however, include access to breach remediation services at favorable contracted rates. Also, carriers often offer breach and related cyber risk prevention services similar to traditional loss-prevention packages for other property coverage.
With all the possible cyber risks a company faces, the task of modeling and quantifying them for insurance purchasing purposes can be highly complex. But assessing risk boils down to answering two questions:
Answering those questions with respect to discrete cyber risks is where sophisticated risk analytics and quantification tools come into play to ensure you are neither under- nor over-insured. Insurance brokerages specializing in cyber risk management solutions can provide these tools and can also assist with the analysis of your financial capacity to self-insure against certain risks.
Also essential in securing appropriate coverage is expertise in the meaning of the “fine print” provisions of cyber policy contracts that may narrow the scope of your protection. Policy complexity, including varying deductibles and waiting periods for particular claim categories, also warrants scrutiny.
The ability to understand the significance of policy exclusions, including war exclusions, is similarly critical. For example, in the world of global cyber warfare, determining verifiable attribution of the original cyberattack and defining “war damage” aren’t always clear-cut. Lack of clarity can lead to costly litigation. The trained eyes of seasoned cyber insurance professionals can mitigate the risk of being under- or over-insured.
Securing the right kind and level of cyber insurance can be more complicated than it is for traditional property risks, but it is no less essential for the financial health of your organization. It is crucial to work with an insurance brokerage firm with ample experience and expertise in this field. To learn more about your cyber risk exposure and how to manage it, contact your relationship manager.