IUA Response Shows Need for Real Solutions

Update 7/4/2019: Lloyd’s of London announced today that it will require underwriters to clarify cyber coverage or exclusion within property policies starting January 1st, 2020, in line with the PRA and IUA actions discussed below.  

Cyber risk isn’t going away. Even if it’s excluded. 

With news from the International Underwriting Association of two new exclusion clauses for the reinsurers to handle cyber risks, we are clearly seeing a response to a regulatory body, the PRA, which in January directed insurers to come up with a plan by June to address “silent cyber” risk. But it is also a long-time-coming response to an issue that has been looming over the industry since long before the PRA’s missive. 

“These two new model clauses provide broad policy exclusions which may be utilised as a starting or reference point for underwriters offering cover for traditional business classes that may include an element of cyber risk” – Chris Jones, Director of Legal and Market Services at the IUA.

The exclusions are a natural response by the underwriting body to a risk class that has proven in the past 5 years to be not just a major factor in overall enterprise risk, but even a catastrophic risk, as the industry saw when the Wannacry and NotPetya attacks of 2017 impacted multiple multinational businesses and led to billions of dollars in losses. 

In one sense, the IUA announcement is welcome: with an issue as stubborn as “silent cyber” risk has been, any action is better than no action. (Corvus CEO Phil Edmundson has previously written about why the industry has been so slow to develop solutions). But excluding cyber does nothing to advance the issues faced by the policyholders and their brokers. 

Risk managers at insured businesses will benefit from the clearer underwriting that will result from the IUA guidance. But excluding losses from cyber perils simply means they will have to look for other solutions for coverage. Already the spread of monoline Cyber Insurance policies has offered some coverage for many businesses, but those businesses also rely upon the broad (and ambiguous) coverage within P/C and other lines to complete their coverage — in theory — in addition to their primary cyber policies. 

When that gray area becomes black and white, the coverage gaps for cyber perils will be laid bare. Primary cyber policies won’t be enough without a drastic change to how they are written. In the near term, affirmative cyber endorsements to other commercial policies will become the only viable route to close the coverage gap

And as we’ve noted before at Corvus, brokers, in particular, are caught in the middle of an issue that puts them at risk. They cannot control the actions of the carriers whose policies they sell, but they have a duty to provide proper coverage to their clients. Failing to do so could put them at risk of errors and omissions claims. Brokers will be at the forefront of the new world of affirmative endorsements.  

“Silent cyber” risk won’t go away overnight. Exclusions will merely open the door to the affirmative policies the industry ultimately will need. Insurers and MGAs now need to step in to provide those solutions. 

Now In Flight: Smart Cyber Excess Insurance™

Today I’m thrilled to announce the latest product to take flight from the Corvus nest: Smart Cyber Excess Insurance. This product was created in response to demand from our brokers for excess capacity in cyber, and brings increased underwriting appetite for our Smart Cyber Insurance™ product lines.

Under a new underwriting mandate from Hudson Insurance, our risk-taking partner, Corvus now underwrites Excess Cyber Insurance for most types of organizations with up to $1 billion in annual revenues in addition to its primary offering. We now write Smart Cyber Excess Insurance policies with up to $10 million in aggregate limits.  

Just like all of our Smart Cyber Insurance policies, Smart Cyber Excess underwriting will be driven by the Corvus Score™ and will include Dynamic Loss Prevention™ (DLP) reports. Corvus Scores are based on an assessment of any enterprise’s IT footprint, including their vendors and partners, across eight critical security criteria. This provides holistic visibility into your client’s security programs to better inform underwriting. The Corvus Score also drives a customized DLP Report that includes recommendations and business intelligence you can use to inform your clients about their cyber risk and help them to reduce the total cost of risk.

As a broker we know you’re always working to provide the best options for your clients, and we couldn’t be more excited that Corvus will now be among your options for Excess Cyber.

If you’d like to learn more about our Smart Cyber Excess Insurance, please contact me here

Cyber

Smart Cyber Insurance and The Evolution of Cyber Risk

Massive retail data breaches, state-sponsored malware attacks, and the mishandling of sensitive information by the world’s largest companies have kept cyber risk in the headlines for the greater part of the last decade. Digitization has forced even smaller organizations to consider a wide variety of both internal and external threats to data security. The self-contained enterprise is a thing of the past, as more companies rely on third party vendors for services related to data storage, web hosting, IT security management, logistics and more. While these providers have allowed companies to operate more efficiently, cyber exposures have increased as a result. It’s no wonder cyber liability coverage has received much of the recent attention in the commercial insurance world.

Nearly 15 years ago, the earliest versions of stand-alone cyber policies would only cover third-party liability arising from the wrongful release of confidential information. Expenses related to first-party breach notification costs, digital forensics, data destruction, and contingent business interruption were not typically addressed. Not only was the coverage limited, but the underwriting process was arduous as insureds were forced to complete lengthy applications, supplemental questionnaires, and teleconferences to discuss the details of their IT security. Carriers offered few proactive risk management services, forcing insureds to incur additional expenses if they needed guidance on IT security best practices.

While insurers have made progress broadening the scope of cyber coverage, unfortunately many of the outdated methods of underwriting remain commonplace and carrier loss prevention advice is often inadequate.

At Corvus, we take a vastly different approach to underwriting and risk management. We believe in leveraging the best technology to assist our policyholders proactively address cyber risk. Rather than relying on prolonged applications with limited value, we use non-invasive web scans as part of the underwriting process and we provide our customers with meaningful insight into their IT security performance. At the time of quoting and throughout the policy period, we deliver a detailed analysis of the insured’s security operations with concise, risk-prioritized recommendations to resolve critical vulnerabilities. We red-flag IT supply chain issues and we offer meaningful business intelligence reports to insureds that are serious about confronting cyber risk head-on. Policyholders have access to a number of resources to help strengthen their IT security posture, including sample IT security policies, online privacy training, and a directory of pre and post breach experts. We call this process as Dynamic Loss Prevention™.

More precise underwriting means improved coverage and competitive premiums as well. Insureds with the strongest IT security controls are eligible for broad-form first and third party coverage, including extensions for blanket contingent business interruption triggered by cyber perils, system failure, reputational loss, social engineering, ransomware, and much more.

Our mission at Corvus is to arm commercial insurance brokers and our policyholders with the best available tools to tackle cyber risk from all angles. A modern and dynamic solution is required to address a constantly evolving risk landscape. This tech-enabled, holistic approach to risk management is what we call Smart Cyber Insurance™.