Cyber Insurance Defined: Traditionally, and Now
For many organizations, it’s time to bite the bullet and start (or more likely, revisit) the conversation around cyber insurance. Questions may go a little like this: Why do we need it? What does it actually cover? What does it not?
Even as cyber liability insurance has been established as a mainstay of the commercial insurance bundle, buyers still wonder exactly what cyber insurance covers and how it works. We’ll explore the traditional role cyber coverage plays in protecting your organization, as well as its newer evolution — and how the very definition of “cyber insurance” has changed. (Hello, proactive risk mitigation!).
The Traditional Definition: What is Cyber Insurance?
A traditional, narrow definition of commercial cyber insurance goes something like this: a contract between an insurer and an organization that defines when and how much the insurer will pay the policyholder for costs stemming from a variety of cyber incidents, including cyberattacks such as data breaches, fraudulent funds transfers, and ransomware attacks.
If you want to think a little bigger-picture, cyber insurance is risk transfer. Like any other kind of insurance, it is a transfer of risk from the policyholder to the insurer, up to a defined limit, in exchange for a fee (the premium paid by the policyholder). Cyber policies cover a variety of things that can happen via a policyholder’s IT system, like a fraudulent transfer of funds, or to a policyholder’s IT system, like damage that requires replacement of hardware. Those costs can be categorized as first party (direct losses accrued by the policyholder) or third party (losses that a third party — such as a policyholder’s customer — experienced as a result of the incident).
Cyber 101: What You Need to Know
How to Start
When buying insurance — whether it’s your first time or thousandth — there are two main considerations to jumpstart the process:
Does the insurance I have now fit my needs?
- Let’s consider general liability insurance, which wasn’t made with cyber in mind. These policies typically don’t include language that explicitly includes coverage for cybersecurity events, and if they have cyber coverage at all, it’s limited. With that in mind, you’ll be left vulnerable in the event of a breach, ransomware attack, or most cyber incidents — leaving your organization to take on an abundance of risk alone.
What coverage do you need to weather worst-case scenarios (without irreparable damage)?
- If you decide the risk warrants the investment, then it’s time for the tricky part: determining how much of an investment is necessary. Other considerations, such as what coverage is adequate for your business, what is included in your cyber policy, and what may be sublimited or excluded, all weigh in on the decision-making process.
We’ll be the first to admit that when it comes to cyber, the answers might not always feel so black and white. Technical terminology, fluctuating markets, and non-standard language can make it a challenging purchase. Working with seasoned brokers — people who really get the cyber market — can make it less daunting, especially since they know exactly where to look for these coverage nuances.
What Cyber Covers
With the looming reality of financial losses and an increasingly all-encompassing digital landscape, getting the right coverage matters. According to the FBI’s Internet Crime Report, internet scams cost $6.9 billion in 2021 alone, up from $4.2 billion in 2020. Not exactly chump change. We can give you a general baseline of what to expect to help you get started, but the only way to know for certain is to read the policy language yourself.
First-party Cyber Liability Coverage
- Consider the big hitters: data breaches, business email compromise, ransomware, and social engineering. The costs associated with first-party coverage typically include ransom negotiations, forensics and recovery (to investigate the incident and restore systems and data), legal teams (to review any state or legal liabilities), and business interruption (lost revenue while systems are down). Basically, the costs that your organization itself incurs from a cyberattack.
Third-party Cyber Liability Coverage
- When handling client or consumer data, the onus of responsibility for that data falls on you. Third-party liability covers costs that arise when your cyber incident impacts others, and clients or consumers are looking to hold you at least partially responsible for damages they’ve incurred from your cyber incident. This includes the costs of legal representation, settlements, regulatory fines, and any court-ordered damages.
The New: How Has Cyber's Definition Evolved?
We noted at the top that our first definition was a traditional one. That’s because as the market for cyber insurance developed, startup underwriters specializing in cyber policies had an opportunity to think outside the box. With a new line of coverage, they weren’t bound by tradition.
Now, several years into a boom in cyber insurance, the offerings available don’t start and stop at paying out claims. It’s a new type of relationship between insurer and insured, where it’s not just about a risk transfer, but a proactive approach to risk mitigation for an entire policy period.
With that in mind, we humbly propose an update to the definition of cyber insurance:
A cyber risk management service including risk transfer, risk insights and analysis, and proactive risk mitigation through direct guidance and linked services.
How did the evolution to this new definition happen? Briefly, cyber insurers first began by using new technologies to assess cyber risk. They integrated these findings into the underwriting process, but also used data to guide conversations with policyholders about why they were (or weren’t) given particular insurance options or prices. Then, due to the complicated nature of cyber incidents, insurers began to step in to act as an expert guide, or conduit, to send policyholders to the right specialists for responding to critical situations.
These earlier uses of technology and data bloomed into a fully-fledged product and service offering. Policyholders are proactively given access to data about their risk, and advice to make them safer (and to make renewals easier).
Is a 365-Day Approach Really Necessary?
Cyber insurance warrants significantly more engagement between policyholder and carrier than other lines of business, mainly because the adversaries are human. As organizations improve defenses, threat actors come up with new ways to circumvent them. Things move fast; throughout a policy term, active outreach is necessary. Whether it’s vulnerability alerts, regular scans of the insured’s public-facing web infrastructure, or a regularly updated platform tailored to a policyholder’s cybersecurity needs, the relationship between carrier and policyholder has never been more important in combating risk.
...But It's Not All Tech
As everything went digital in the last decade — food delivery, taxi services, our entertainment — there was a push for insurance to do the same (no one wants to be Blockbuster). But in the rush to bring risk mitigation to our fingertips, there was an unrecognized missing piece of the puzzle — expertise from insurance industry veterans. No line of business seems as perfectly positioned to succeed at being tech-savvy as cyber, but being aware of what’s worked in the past is just as important. The secret sauce? Knowing when to let tech shine, and where to let tradition continue.
At Corvus there’s an emphasis on making the broker experience easier, not removing them from the picture altogether. Due to the nature of the digital landscape, cyber has a natural leg-up with large swaths of data in the wild. We can use this data to address and understand risk. When it’s cleaned up by data science experts, those once unstructured novel and unique sources of information drive our pricing models (allowing us to offer bindable quotes in minutes) and help us modify our underwriting practices to address new risks.
At the end of the day, cyber is still rapidly evolving. Coverage wordings will change and new threats will unfold, but we can only keep getting better in our approach to mitigating and understanding cyber risk.
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.