Silent Cyber Threatens Brokers, Too: E&O Risk in Cyber

“Silent cyber” is the possibility that an insurer of a non-cyber insurance policy will assume risk triggered by cyber peril such as a ransomware attack, denial-of-service attack, or data breach that would otherwise be insured under a full cyber insurance policy. Note the definition I’ve used specifies insurer – because the carrier is the one most directly impacted by any claims, or disputes over claims, that arise from a cyber event.

But the carriers clearly aren’t the only actors in the insurance ecosystem. As such, they are not the only ones potentially impacted by a major cyber event. Brokers themselves have a duty to their clients, and errors and omissions (E&O) risk could arise from that duty where claims intersect with the cyber coverage the broker has advised their client to (or not to) purchase.

Silent Cyber: A Primer

If you’re not familiar with the term, there are a few key things to understand about silent cyber. First, not all policies that omit cyber language present silent cyber risk. For first-party risks like Property and Cargo, the policy must also cover damage to property and business interruption. For third-party risks like General Liability or Personal Injury, the policy must insure liability exposures that might be triggered by other events. These are both low hurdles, but are essential: it is these coverages, combined with the omission of cyber-specific language, that produce the conditions for silent cyber risk.

If a ransomware attack causes business interruption when thousands of employees cannot use their laptops for work, are those losses tacitly covered under a standard Property/BII cover? Perhaps yes and perhaps not.

In the insurance industry we have seen this kind of ambiguity in policy language before, in the development of new underwriting categories. It typically results in years of costly litigation before the right coverage and pricing prevails. Considering the scale of losses relating to data breaches witnessed in the past five years or so, that is a grim prospect for carriers, policyholders and the industry.

A recent statement from the Prudential Regulation Authority (PRA), the UK’s insurance regulator, underlines this risk, and effectively ups the ante for all insurers. Their statement, issued in January of 2019, demands that insurers “develop an action plan by H1 2019 with clear milestones and dates by which action will be taken” to reduce the unintended exposure to non-affirmative cyber risk. Notably, the PRA does not just impact UK companies — it also regulates Lloyd’s of London, and thereby the $250 billion U.S. Commercial P&C insurance industry that is reinsured by Lloyd’s. Yet insurers have been slow to respond, with none wanting to be the first to exclude Cyber in a given class and then suffer the consequences of an efficient market wiping out some of their share.

Brokers, Cyber, and Errors and Omissions

Brokers, of course, want clarity of coverage as much as anyone in the chain in order to better serve their clients. Any broker that has persevered through the lack of clarity around claims of Terrorism (particularly resulting from the 9/11 attacks), Pollution, or Employment Practices knows that clients can be lost when a claim is not responded to in clear fashion by their insurers. Perhaps even worse, brokers can expect claims against their own Errors & Omissions policies and retentions from clients who find insurer response to claims unfair.

This particular form of risk is worrisome given the dynamic nature of the offerings available. When the market for affirmative cyber policies was still nascent, one could argue that this untested area of insurance was not an obvious choice for a given client, especially considering that their property policy was silent about cyber, and coverage for damages could be assumed. What may have been a reasonable defense against a claim a few years ago may not be today, given the offerings now in the market for cyber coverage, and the precedent of disputes over cyber coverage.

The Way Out of the Thicket

The insurance market is making its first attempts to address Silent Cyber. Insurers like FM and AXA now offer some high-end Property accounts with coverage against certain Cyber Perils-related losses. While this is good news for brokers and their clients, in its present stage it presents a heightening of risk for brokers. What happens to brokers when they place coverage with an insurer that does not offer Affirmative Cyber and a claim payment is denied as a result of Silent Cyber positions? It is almost better for brokers to have no insurers offering coverage.

The solution, of course, is more integrated Affirmative Cyber offerings across the marketplace, not fewer. If “software is eating the world,” as venture capitalist Marc Andreessen — the inventor of the first commercial web browser — famously wrote, then insurers need to respond with its corollary: Cyber Insurance is eating Commercial Insurance. More robust strategies are needed by insurers. Brokers should demand them.

Want to learn more about Silent Cyber risk? Check out our free whitepaper, Silent Cyber: Threat or Opportunity?


What is Dynamic Loss Prevention?

Dynamic Loss Prevention. You may have heard us crowing about it at Corvus (pun intended) – but if you haven’t worked with us before it might not be obvious what the “DLP” is, and why we created it. Today I’m sharing some basic insight into this key component of our Smart Commercial Insurance products.

In short, Dynamic Loss Prevention is a way for policyholders with Corvus to better understand, manage, and reduce their risk.

There are a couple key components to consider. First, the heart of the matter: loss prevention. Let’s explore this in the context of cyber insurance. When a company is being quoted for a cyber insurance policy, a good deal of analysis of their current IT security must be conducted in order to provide optimal pricing and coverage options. At Corvus, that analysis is done through an automated scan. While the data we gather from the scan is immediately necessary for underwriting purposes, it’s far from the only way it can be useful.


The DLP Report breaks down the information into a single Corvus Smart Score (a weighted measure of overall security), Risk Exposures (ratings for each of the eight risk groups that comprise the Smart Score) and Recommendations (clear advice on opportunities to fix vulnerabilities, prioritized by potential impact on overall security).

No matter how actively an organization monitors and adapts their IT security, information from the scan can provide a useful perspective. Sometimes it reveals blind spots, where IT managers had overlooked a vulnerability. Sometimes a new issue has arisen since the last time there was a comprehensive check-up. Many organizations simply do not actively manage IT security, and the DLP provides a primer and direction for them to get started.

Whatever the case may be, the information can be put to use by the policyholder to proactively mitigate risk. Looking at the exposure groups gives a broad sense of where trouble spots are, and Recommendations are intended to be actionable. If steps are taken to improve, not only will the policyholder mitigate their risk of a claim, they may see improved pricing or coverage options when it is time to renew.

Why Dynamic? 

Why is the DLP “dynamic”? Simple: it’s not a one-and-done report. We deliver DLP reports to policyholders throughout the policy period, and upon renewal. These reports can show a developing trend (good or bad) in IT security. If it’s a negative trend, the policyholder can nip it in the bud before it becomes a major issue. These days, with more and more data being stored in web-accessible (cloud) infrastructure and companies expanding their digital capabilities, the “dynamic” aspect of the DLP is critical.


What can Brokers do about Silent Cyber risk?

You’ve probably heard folks in the industry talking about Silent Cyber risk. You even might have an idea about what silent cyber risk is, and understand how it might impact your clients.

The persistence of the issue over nearly a decade is attributed to complex issues that are high in the insurance value chain. So what can a broker, on the front lines of the issue, do to find solutions for their clients?

Before we answer, let’s look at why solutions have been hard to come by.

You’d be forgiven for asking, upon surveying the options for cyber coverage: why don’t insurers simply add it to the form and underwrite the risk? It’s a valid question. The industry has already coined a term of art for this avenue: “affirmative cyber.” While underwriting the risk is the most logical response, there are at least three problems for large incumbent insurers.

First, not all commercial insurers underwrite cyber insurance directly. They may not offer a stand-alone cyber insurance policy or know how to underwrite the risk. There’s a simple lack of expertise standing in the way.

Second, even if a carrier offers a standalone policy, offering affirmative cyber as part of a Property policy requires writing endorsements, or mini-policies attached to the larger policy. This requires legal and regulatory scrutiny, and adds a significant new source of complexity to policies that have been carefully honed over decades. If your competitors are staying silent on cyber and the sky hasn’t fallen, all of that complexity and expense seems daunting.

Third, bringing these solutions to market will be a huge endeavour for P&C insurers because of the manner in which they organize themselves. P&C insurers build towers of authority and business acumen based on the types of insurance policy — departments for Property Insurance, Products Liability Insurance and so on. Each of these units has its own slice of cyber risk that overlaps with its historical perils, and each requires something a bit different from cyber underwriting. But none of these incumbent product lines is staffed with cyber underwriters. The ability of these insurers to cross-institutionalize their know-how will be a huge test.

Cyber Underwriting is Different, Plain and Simple

Aside from structural issues, there is also friction that will be caused by the new cyber underwriting process. Full cyber policies require completion of lengthy applications and reviews that will need to be done many, many times over at these insurers.  “Skinny” Cyber endorsements have smaller premiums and require only a subset of knowledge of the overall Cyber risk landscape.

One way to solve for this challenge is automation of the quoting process, starting with smaller accounts.  At Corvus that is for accounts up to $300MM in revenue. We expect to continue to increase this functionality as our Data Science team continues to find ways to use techniques like machine learning, a type of artificial intelligence (AI), to process more data around Cyber breaches and Corvus scores.

What can brokers do?

For all of the reasons stated above, brokers can’t rely on the incumbent carriers to solve the issue for their clients. Brokers need to look elsewhere in the insurance ecosystem for creative solutions.  

Brokers can take advantage of the data from companies like Corvus and other third parties that sell similar information. Each of us in this sector aspires to provide the most value to brokers and their customers. By informing their clients about the extent of their cyber risk, and the limitations of their current P&C policies in protecting them, brokers can gain their trust to pull together solutions that include standalone cyber policies that add value with digital tools as well as novel combinations of cyber policies with specialty lines like Property, Cargo or Tech E&O.

It’s not as elegant as delivering a single set of P&C policies that cover cyber perils from their longtime insurer, but in Corvus’s experience as an MGA, clients appreciate the forward-looking and creative solutions brokers can deliver by looking outside the normal channels. Once clients see the need, they are open to trying new things.

So brokers: dig in and choose your digital weapons. Don’t let Silence win out!   


Cyber Risks vs. Insurance: Where do they intersect?

Some commercial insurance categories map intuitively to the vulnerabilities that could trigger them. Not having a sprinkler system increases the risk of catastrophic fire, and such a fire in a factory will clearly cause loss of property and interruption to business operations. It’s easy to draw the line from sprinklers to property and BI risk. 

Other times, risks themselves can be hard to understand, and therefore hard to map to insurance exposure. Even if you know something about a company’s IT vulnerabilities, it can be hard to know exactly how, for example, a poor software patching regimen impacts the threat of ransomware and therefore potential losses resulting from dealing with a ransom situation. What is software patching, anyway?

Risk Exposures: Explained

Making matters worse, many IT security exposure categories map to multiple possible insurance risks. To make sense of these complicated interactions, we put together a document that provides a basic overview of how common IT exposure categories map to insurance risks. See the first page of our infographic here, and download the full PDF to see the second page with deeper explanations.

 

The Corvus Scan identifies eight primary categories of risk exposure: Software Patching, Web Encryption, Email Security, Web Applications, Threat Intelligence, Defensibility, System Hosting, and DNS Security.

Our infographic explains how all of these eight categories may potentially relate to an insurance policy. For instance, poor email security can lead to a bad actor gaining access to an organization’s sensitive information. Poor system hosting might allow a hacker to shut down an organization’s website, leading to an interruption of business. It’s all connected, and it all goes back to your risk exposure.


Getting to know the Corvus Scan

If you work with Corvus, you know that the Corvus Scan is a critical part of what makes our Smart Cyber Insurance policies work. It’s what enables us to quickly provide customized price and coverage options for brokers and helps to make our form one of the shortest in the industry.

What you might not know is exactly what goes into each scan, behind the scenes. 

How the Corvus Scan works

The Corvus Scan is a non-invasive test of an organization’s web-facing assets. Since it doesn’t involve penetrating an organization’s IT systems, we don’t require a password or any special access. All of the information we need is out in the open — you just have to know where to look, and what to do with it.

Finding out where that information is — all of the IT “exposure” the organization has in terms of infrastructure they own or use — is what takes place in the first phase of the scan: the Discovery phase. After that, the Testing phase involves running vulnerability tests against the assets that have been identified in order to assess security.


Finally, the results of the tests are aggregated and weighted appropriately given their severity. And once the policy is in effect, further monitoring takes place on a continuous basis. If any external events occur that may jeopardize the organization, they will be notified. This all takes place during the Recommendations and Ongoing Monitoring phase.

While those are the basics, many brokers and policyholders we talk to are interested in getting deeper into what goes into the scan. That’s why we created a document that covers it all: from how the scan works, to the three phases in the scan process, and how the results are turned into our Dynamic Loss Prevention Reports.


Historical data won’t predict Cyber claims. Here’s what will.

In most insurance arenas, historical loss data is paramount in perfecting pricing and other underwriting strategies. Not so in Cyber Insurance. An examination of large data sets relating to prior breaches is not without interest, of course. But most aspects of Cyber Risk are dynamic: the types and sources of attacks, levels of awareness and defense on the part of organizations, and the ever-growing digital surface area of organizations — these are all in flux. As a result, reliance upon historical loss data, that pillar of insurance underwriting, will likely lead to a false sense of security among many insurers.

Insurance underwriting – the traditional way

In order to demonstrate how Cyber Insurance poses new challenges to the commercial insurance industry, we must first consider traditional underwriting approaches. Let’s approach it through the lens of Property Insurance. There is an immense amount of historical data about the frequency and severity of property losses from major perils like fire. Through both intuition and the gathering of data over decades, insurers are able to identify distinguishing risk characteristics and to quantify those differences.

For example, property losses may be several times as likely to commence in a building made of wood as opposed to a building made of non-combustible materials. Property losses are also mitigated by common defenses that have been well studied. Greater losses are more likely to occur in a building without a modern sprinkler system than one with a system of sprinklers. Consider also temporal conditions. The fire hazard posed by the operations of a paper goods wholesaler or a law firm has not changed in decades. The operations of these companies and the fire risk arising from them are well studied. The past can accurately predict the future.

Cyber Risk is immensely dynamic

Digital risks are much more challenging for insurers to measure. This is due in part to a lack of expertise. Most do not examine, in a digital fashion, the IT Security of their prospective insureds other than by asking questions on a quickly-outdated application. Over time, insurers have gone deeper into the Cyber Insurance market and have suffered losses that can produce intuitions and data-driven assumptions about future risks. This information is certainly important—but the tendency in insurance to rely upon historical data may finally meet its match in Cyber Insurance. Digital risks should be evaluated using digital tools.

Cyber Risk is not as static as most other arenas of risk. Unlike fire, whose nature does not change, the Cyber Risk peril is in constant motion. Consider cyber thieves. They don’t rest idly with their current methods, waiting for law enforcement or the security industry to catch up — these thieves make a living inventing new types of scams, ransomware attacks, and phishing formats. They are innovative in a way that fire risk simply cannot be. Their strategies change in order to increase the likelihood of success. The international nature of the internet along with powerful state actors like North Korea make the source of the peril ever-changing.

Of course, the nature of the peril is not the only dynamic aspect. The defenses used by organizations are also in constant motion. New Cyber Security companies seem to pop up like mushrooms in the spring. They offer new detection and prevention systems for companies large and small. It is a challenge just to identify the nature of these changes, never mind evaluating their effectiveness. Sprinkler systems never had to change so quickly.

The biggest source of unreliability in prior experience is the use of the internet by the policyholders themselves. It seems that every function is moving to digital platforms with cloud-based systems. Not only does this pose new aggregation risk for insurers, but it also means that most organizations are increasingly reliant on web-based platforms for customer orders, logistics, quality control, product operation, safety, and more. Thankfully, this is countered by an increasing level of attention being paid to Cyber Risk security by organizations.

Lastly, the use of static underwriting tools like document-based applications leads to a tendency to collect information that is quickly outdated. While insureds are seldom malevolent, there is a tendency nonetheless for many to put less than their full effort into the underwriting process — particularly when it seems so antiquated by the nature of its questions.

How can insurers respond to this new risk environment?

There are a number of strategies for insurers to address the ever-changing risk dynamics of Cyber.

First, underwriting information needs to be focused on the near past instead of the distant past. That means opening up to the possibility of using proactive measures to assess risk at a point in time, not just by using an aggregation of past data. Put differently, if the digital “footprint” of a business is constantly growing and evolving, the most accurate assessment of risk will necessarily be one that examines an organization’s digital landscape as close as possible to the moment the policy is quoted — not what it looked like last quarter or last year, or generally over the past 5 years.

To accomplish this up-to-the-moment assessment, insurers need platforms that use AI and machine learning to automate the process of scanning web-facing infrastructure, and which can process new information about threats and defenses far more quickly than a labor-intensive questioning process about the company’s systems. These kinds of scans are typically found within the realm of cyber security, where vendors work to actively protect clients rather than underwrite risk. But such technologies are making inroads in the insurance industry as their value for underwriting becomes better understood. A side benefit of using an automated assessment is that it bypasses the human element, eliminating inaccuracies based on misunderstanding, error, or laziness.

Insurers should also be wary of becoming too reliant on the historical data approach that has served so well in everything from Property Insurance to Workers Compensation to Products Liability Insurance. Looking back at a decade of cyber attacks to judge risk at the point of quoting a policy isn’t enough. With dynamic cyber crime trends, information about current risks should be both included in the initial risk assessment and also shared with policyholders as new information becomes available. The cyber crimes relevant in 2017 may not be relevant in 2019. Insurers can protect themselves from increased risks by helping their policyholders proactively protect against new threats throughout the policy period.

Digital tools are needed to assess digital risk. The sooner insurers accept and act upon this directive, the better cyber insurance will be for insurers and policyholders alike.

Corvus Shortlisted for Two Cyber Risk Awards

The Corvus team is excited to be participating in Advisen’s 2019 Cyber Risk Awards!

Corvus has been shortlisted in two categories: Cyber Newcomer of the Year and Cyber Risk Innovation of the Year for our Smart Cyber Insurance™ product. We’re honored to be among the great companies in these categories, with leaders in cyber insurance on the cutting edge of innovation in our field. 

Can we count on you for a vote?

It means so much to us to know that brokers and partners we work with see the value in our products. If you feel that we’ve earned your vote for Cyber Newcomer of the Year and Cyber Risk Innovation of the Year, you can head to Advisen’s website to learn more about the awards or click here to go straight to the voting form to cast your vote. We truly appreciate it.

About Smart Cyber Insurance

With Corvus’s Smart Cyber Insurance policies, rich sets of data are gathered through our non-intrusive Corvus Scan, and analyzed with the help of AI to instantly and accurately assess risk to inform underwriting. Our Dynamic Loss Prevention Reports provide actionable recommendations to mitigate risk and prevent claims over time, including real-time threat monitoring, while the CrowBar platform provides on-demand access to policy information, claims reporting, loss prevention recommendations, and business intelligence.

With Smart Cyber Insurance, brokers can be confident in delivering their clients the data and understanding they need to make key decisions about their coverage, and reduce their cyber risk over time.


Cyber Policyholders Need Security Data – Brokers Can Help

Few cyber insurance policyholders have a security program in place. That’s an opportunity for insurers and brokers. 

For large businesses, cyber risk is a fact of life. After the spate of privacy breaches and ransomware attacks experienced by companies with household-name brands, including the WannaCry and NotPetya attacks of 2017, cyber risk shot up to the top of lists of business risks. A recent survey of large businesses from Willis Towers Watson suggested that 85% of US employers and 72% of UK employers consider cybersecurity to be a top priority.

In general, these companies have the resources to take on the issue of cyber risk head on with well-developed IT policies and programs throughout the enterprise. But if you’re not a Fortune 500 company (or even a Fortune 1000 company) are the headline-making events of the last few years enough to coax you to take action?

Most would answer yes, with some caveats. One way to look at this is by looking at the market for cyber insurance. The steady growth not just in the enterprise segment, but also in middle and small business segments, speaks for itself. Within the SMB segment, first-time buyers of cyber insurance policies grew an average of over 30% each quarter for the year leading up to Q3 2018. That is substantial growth.

Yet awareness of the issue, and the penetration of cyber insurance, doesn’t provide a complete picture of risk, or what companies can do about it.

A recent survey from the Council of Insurance Agents and Brokers (CIAB) found that just 37% of commercial brokers’ clients have a security program in place to prevent or mitigate the effects of cyber attacks. These clients run the gamut from SMBs to the largest enterprises. The number is surprising given that this is a sample of companies that we already know have cyber insurance – so they are certainly aware of the risk, and willing to take steps to mitigate their financial exposure. Yet few have put procedures and programs in place to prevent the events they are insured for.

This points to a major opportunity for the insurance industry.

Companies of all sizes are clearly looking to insurers for help to protect against cyber risk. While the world’s biggest companies are already backing up their cyber insurance policies with standardized security procedures deployed across many thousands of employees and applications, companies in the vast middle market, including many large businesses, are not. The insurance industry serving this market can surely underwrite the risk and provide policies — but we can also help provide the knowledge companies need to help push toward safer practices and policies for cyber.

The key, as with much innovation in today’s business world, is data.

As cutting-edge cyber insurers develop new means of identifying and pricing cyber risk, the next frontier should be deploying that knowledge in ways other than simply fueling a premium and coverage decision. The opportunity is there for insurers to arm brokers with data about their clients’ vulnerabilities. In turn, brokers have the opportunity to relay that information to clients, ensuring they understand it. The challenge for everyone throughout the insurance value chain is presenting data clearly, making it actionable for the policyholders.

The CIAB survey noted that 85% of brokers have a “strategic approach to marketing and educating clients about cyber risks.” It’s time for insurers and brokers alike to take it a step further. If clients can get their hands on actionable information about cyber security — armed with knowledge of what it means, and what to do about it — it could mean fewer claims, lower premiums, and a safer web environment for everyone.

Now In Flight: Smart Cyber Excess Insurance™

Today I’m thrilled to announce the latest product to take flight from the Corvus nest: Smart Cyber Excess Insurance. This product was created in response to demand from our brokers for excess capacity in cyber, and brings increased underwriting appetite for our Smart Cyber Insurance™ product lines.

Under a new underwriting mandate from Hudson Insurance, our risk-taking partner, Corvus now underwrites Excess Cyber Insurance for most types of organizations with up to $1 billion in annual revenues in addition to its primary offering. We now write Smart Cyber Excess Insurance policies with up to $10 million in aggregate limits.  

Just like all of our Smart Cyber Insurance policies, Smart Cyber Excess underwriting will be driven by the Corvus Score™ and will include Dynamic Loss Prevention™ (DLP) reports. Corvus Scores are based on an assessment of any enterprise’s IT footprint, including their vendors and partners, across eight critical security criteria. This provides holistic visibility into your client’s security programs to better inform underwriting. The Corvus Score also drives a customized DLP Report that includes recommendations and business intelligence you can use to inform your clients about their cyber risk and help them to reduce the total cost of risk.

As a broker we know you’re always working to provide the best options for your clients, and we couldn’t be more excited that Corvus will now be among your options for Excess Cyber.

If you’d like to learn more about our Smart Cyber Excess Insurance, please contact me here

What is Silent Cyber Risk?

By now, you’ve likely heard about “silent cyber” — after all, it’s been the most talked about term in global commercial insurance for the past year or so. It seems like every major reinsurer, broker, and insurance publication has commented on the topic, and explained the risks it poses.  

What you may not have heard yet are suggestions for how insurers can take action to avoid those risks. It’s a difficult problem for insurers to solve, for a number of reasons — but there are ways to start mitigating the risk through the use of technology. We cover these challenges, and suggestions for overcoming them, in our new whitepaper: Silent Cyber: Threat or Opportunity? If you want to read more in-depth on the issue, head over to check out the full whitepaper now.

If you’re just getting started, read on as we discuss the basics of the issue of silent cyber: what it is, and how we got here as an industry.

What is Silent Cyber Risk?

Silent cyber risk is a term describing the possibility that an insurer of a non-cyber insurance policy (e.g., Property, Business Interruption, General Liability) could assume risk triggered by a cyber peril such as a ransomware attack, denial-of-service attack, or data breach. Importantly, the policy in question must be “silent” about cyber: neither mentioning cyber risk as part of the coverage, nor excluding it. By covering things like damage to property or business interruption that are potentially impacted by a cyber attack, but not defining how that situation will be handled, you have the conditions for silent cyber risk.

There are a few different ways silent cyber risk can manifest. Sometimes the insured business does not have any sort of standalone cyber insurance policy at all — only non-cyber policies that are silent on cyber. In others, a business may have a cyber insurance policy, but also have cyber-silent policies covering property or general liability. Those non-cyber policies may still be impacted by certain perils that are beyond the scope of the standalone cyber policy. Lastly, there may be cyber-specific language (“affirmative cyber”) included in some non-cyber policies, but not others.

Needless to say, things can get complicated with ambiguity at various levels. Each situation is unique to the business and its coverage.

How Did We Get Here? A Brief History of Silent Cyber

The first cyber insurance policies, issued in the 1990s, were limited in scope. Over time, as new risks emerged and demand for insurance grew, insurers offered increasingly complex insurance policies. That expansion of coverage allowed insurers of other traditional commercial Property & Casualty (P&C) insurance policies to remain silent, hoping that cyber policies would come to the rescue if there were claims.

The mode of complacency was shaken in 2017, when a series of attacks on major global businesses rocked the insurance industry. The NotPetya and WannaCry ransomware viruses affected large, global businesses like FedEx, Merck, Mondelez, WPP, and Maersk, among others. In each case costs ran to the tens or hundreds of millions of dollars. At the high end, total losses for some companies were reported to have exceeded $1 billion.

Costs were driven not only by direct damage, such as infected computer hardware, but also business interruption losses. Property/Business Interruption insurers covering the affected companies likely did not underwrite cyber risk under their policies, nor did they charge an explicit premium for the risk. Alarm bells began sounding in insurer board rooms across the world.  

The attacks had the effect of magnifying the silent cyber issue. In several cases insurers paid out millions in affirmative cyber coverage, but those claims represented a small fraction of overall losses for businesses. The rest of the losses, due to business interruption for instance, remained ambiguous due to cyber silence and left insurers open to the risk of disputes if insured companies were to seek redress. With hundreds of millions in losses uncovered, the stakes are high for all involved.

Why Can’t Insurers “Speak up” on Cyber?

If you’re interested in learning about why silent cyber risk persists, and what can be done about it, we invite you to check out our free whitepaper: Silent Cyber: Threat or Opportunity.
