As hazards grow, insurance market expands

Corporations face a rising threat level related to cyber attacks. Indeed, our latest white paper outlines a dozen different ways such attacks can result in a company taking a major financial hit. So how can organizations protect themselves? One important tool is cyber insurance. This report provides an update on the cyber insurance market and explains why, when you go shopping, it’s important to work with knowledgeable experts who can ensure you get the right level of coverage.

Cyber insurance comes in many shapes, sizes and colors today. That’s a good thing when you’re seeking to manage the growing and rapidly evolving risks it protects against. But while a competitive insurance market has expanded the availability of coverage, it has also increased the challenge of buying the right policy to meet your unique risk profile and financial needs. This general update on cyber insurance trends and purchasing tips is designed to help you avoid common risk management traps.

Prudent business risk managers focus on the possibility of falling victim to cybercrime and the catastrophic damage it can cause. This is wise, considering the magnitude of the threat—whether from ransomware, wiper worms that erase your hard drive, spear phishing or some other malicious scheme—and the publicity this growing form of criminal activity receives.

Rising threat level

While intelligence gathering is the primary motive behind spear phishing activity, Symantec’s 2019 Internet Security Threat Report(opens in a new tab) informs us that “attack groups using malware designed to disrupt and destroy business operations increased by 28% in 2018.” The same report says supply chain attacks, in which cybercriminals gain access to your systems through vulnerabilities in vendors you interact with through the Web, nearly doubled last year. Also, “living off the land” attacks in which intruders infiltrate PowerShell scripts that modify operating systems increased tenfold in 2018.

Cybercrime is thriving, and you don't want to accelerate that trend by letting down your guard.

Despite the proliferation of such criminal activity, equally great or greater cyber risks come from entirely innocent sources such as operational errors, administrative mistakes and system failures that can be, despite built-in safeguards, enormously disruptive and costly. Fortunately, cyber insurance can protect against these innocent risks, too. For instance, it can cover “fat finger” mistakes that cause system outages or disruption, or in some cases, the costs to repair digital assets compromised by such mistakes.

Finally, you can minimize some of the cost of mundane system errors not triggered by hapless humans with properly constructed cyber insurance. Such errors may include outages due to router failures and switchgear or other system component malfunctions. Even when your systems operate perfectly, your service providers may experience problems that have spillover impacts on you and your customers’ operations. In a hyperconnected IT environment, containing the cascading effects of a system failure can require expensive and time-consuming efforts.

Corporate impacts

How, specifically, can such adverse cyber events affect your organization? Understanding the possible corporate impacts of the three exposure categories—malicious cyber activity, accidental human error, and unintended and unplanned system outages—is essential to securing appropriate cyber insurance. Here are a dozen possible financial hits from cyber events to consider:

  1. Revenue loss when your systems are down for an extended period
  2. Mitigation expenses incurred during an outage period
  3. Cost of reconstructing compromised data and programs
  4. Potential extortion or ransom payments to cybercriminals
  5. Forensic investigation costs to determine the source of a system breach
  6. Significant costs associated with responding to a data breach involving customer data, including legal and public relations fees, customer notification expenses, call center services for responding to customer inquiries (in multiple languages), and website hosting for customer response registration
  7. Credit monitoring and other identity theft restoration services for harmed parties
  8. Payment (credit and debit) card costs, such as PCI fines, card brand fraud assessments, new card issuance, and other investigation and settlement costs
  9. Defense and litigation expenses following lawsuits brought by consumers and other harmed third parties
  10. Liability for failure to supply goods or provide services as contracted or promised according to committed service/delivery schedules
  11. Regulatory investigation costs and potential fines and penalties from state and federal authorities
  12. GDPR (the European Union’s General Data Protection Regulation) investigation costs and potential fines and penalties, if applicable

Cyber insurance market

The market for cyber insurance is expanding at a rapid pace as companies devote greater attention to these risks. A report published by Orbis Research(opens in a new tab) projects the market will grow at a 25% annual rate over the five-year period ending in 2023, with revenues then hitting $18 billion. New carriers are joining the market, helping to stabilize premiums for large corporations with substantial cyber risk exposures. Meanwhile, premium rates for small to midsized companies are highly competitive today.

Also, in the current cyber risk insurance market, full policy limits are commonly available for all policy provisions. That is, carriers generally aren’t requiring sublimits, or ceilings on coverage for particular claim categories within the overall policy. Similarly, the scope of available coverage has expanded to include contingencies like system failure, often at a modest additional charge and with reasonable waiting periods.

Cyber insurance now covers other risks—including contingent business interruption, reputational harm and accidental or malicious destruction of system hardware—more easily and affordably. Insurance markets are cyclical, however. As carriers and reinsurers gain more claims experience and competitive dynamics within the cyber insurance market evolve, the cost and availability of coverage could change.

When a cyber risk shifts from theory to reality, the immediate and urgent priority is rectifying the situation. That does not make for a strong negotiating stance when procuring external technical support services. Some cyber insurance policies, however, include access to breach remediation services at favorable contracted rates. Also, carriers often offer breach and related cyber risk prevention services similar to traditional loss-prevention packages for other property coverage.

Possible challenges

With all the possible cyber risks a company faces, the task of modeling and quantifying them for insurance purchasing purposes can be highly complex. But assessing risk boils down to answering two questions:

  • How frequently is a particular set of adverse events likely to occur, especially considering the inherent vulnerabilities in the types of software and hardware your company is using?
  • How costly will those events be when they do occur?

Answering those questions with respect to discrete cyber risks is where sophisticated risk analytics and quantification tools come into play to ensure you are neither under- nor over-insured. Insurance brokerages specializing in cyber risk management solutions can provide these tools and can also assist with the analysis of your financial capacity to self-insure against certain risks.

Also essential in securing appropriate coverage is expertise in the meaning of the “fine print” provisions of cyber policy contracts that may narrow the scope of your protection. Policy complexity, including varying deductibles and waiting periods for particular claim categories, also warrants scrutiny.

The ability to understand the significance of policy exclusions, including war exclusions, is similarly critical. For example, in the world of global cyber warfare, determining verifiable attribution of the original cyberattack and defining “war damage” aren’t always clear-cut. Lack of clarity can lead to costly litigation. The trained eyes of seasoned cyber insurance professionals can mitigate the risk of being under- or over-insured.

Securing the right kind and level of cyber insurance can be more complicated than it is for traditional property risks, but it is no less essential for the financial health of your organization. It is crucial to work with an insurance brokerage firm with ample experience and expertise in this field. To learn more about your cyber risk exposure and how to manage it, contact your relationship manager.

Related articles

Tax Insurance Solutions

Learn about the three main types of transactional insurance and how they help merging companies allocate post-closing risks. 

Leadership's Role in Mergers

Building leadership capacity and change management skills can help maintain momentum after a merger.

Raising 'Just in Time' Capital

Learn about At-The-Market (ATM) offering advantages and eligibility considerations as ATM strategies gain momentum across expanding fields.

Branch Banking and Trust Company, Member FDIC.

Only deposit products are FDIC insured.

BB&T Capital Markets is a division of BB&T Securities, LLC, a wholly owned nonbank subsidiary of BB&T Corporation and Member FINRA(opens in a new tab) / SIPC(opens in a new tab). Securities or insurance products and annuities sold, offered or recommended are not a deposit, not FDIC insured, not guaranteed by a bank, not guaranteed by any federal government agency and may go down in value. Corporate banking products are offered through Branch Banking & Trust Company. Read all disclosures.