In July we reviewed electronic data ("e-data") exposures when
analyzing an organization's risk to cyber1 loss
exposures (see Cyber
Risk—Data Damage and Destruction beyond the Naked Eye). E-data risk
controls have grown in sophistication and protection and can greatly limit the
catastrophic potential of e-data loss from any peril—cyber or "brick and
mortar."2 But even the best controls can be
breached, and e-data damaged, causing interruptions in an organization's
need for ongoing operations.
Look closely at the above quote from Dr. Jung. What is chilling about cyber
risk is that it is essentially man-made, when one considers that the majority
of cyber risk is created by individuals with one goal in mind: to continually
seek ways to compromise someone else's computer for personal gain or even
worse just to prove that they can with the proof being damage, destruction, or
control. Each day viruses are created and unleashed through the Internet. Each
day we are faced with a need for new defenses and safeguards.
Think in terms of the peril of windstorm and the possibility of catastrophic
damage to an organization: hurricanes happen every year, and with global
warming, have seemingly increased in power and damage potential. But unlike
cyber risk, a hurricane does not morph into a new type of windstorm in order to
intentionally increase its potential to damage or destroy our physical
environment. The risk management professional must face cyber risks of loss as
being new and unique each day, if not each hour, that the organization is
operational.
Insurance for theft of electronic property or damage of e-data damage and
interruption of operations must be carefully considered to ensure adequate
insurance coverage in terms of verbiage and policy limits for an organization
to recreate damaged e-data, seek indemnity for stolen property (i.e., cash and
securities), replace lost income from suspended operations, and offset any
increased operating expenses. There is rarely a silver bullet for any insurable
exposure. This is especially true when dealing with cyber first-party damage
exposures as most property insurers exclude e-data from property covered or
provide such a minimal sublimit that coverage is essentially nil.
In this article we discuss use of appropriate cyber property insurance after
proper identification of cyber property damage exposures. Or, said differently,
we need to take Mr. Bulwer-Lytton's quote to heart and find an insurance
policy that provides coverage (verbiage and limit) necessary to protect our
organization from cyber property risks of loss. For the purposes of this
article, crime insurance for theft or damage of money and securities is
considered a form of property insurance and included within the term
"first-party insurance."3
How To Start the Process?
First, we need to define the exposures. We do this to identify all types of
property subject to cyber risk whether owned, leased, or otherwise in the
custody of the organization. This is to ensure we do not look at e-data only
from a view of damage or destruction but also in terms of exposures such as
extortion, embezzlement, fraudulent funds transfer, and other loss events that
may be considered computer crimes.
Second, we need to create loss scenarios (i.e., exposures to loss) to
determine what coverages are not provided by existing first-party insurance
policies; it not efficient to obtain cyber property insurance only to find out
at time of loss that it duplicates coverage provided in other first-party
insurance policies purchases by the organization. The scenarios can be created
by talking to IT staff (in-house or outsourced), the preferred way, about what
can happen to the organization if its e-data is damaged, destroyed,
compromised, or results in its property being stolen such as money and
securities or property of others in the custody of the organization (i.e.,
online theft of a bank's client's money, securities). The risk
management professional can use cyber risk insurance applications and
discussion with peer group risk management professionals as resources to create
loss scenarios by viewing cyber exposures through different eyes and
experiences.
Loss Scenarios
Almost any organization today is exposed to loss from damage or destruction
of its computers and computer networks, including any resulting loss of income
("business interruption") and/or increased operating expenses
("extra expense"). An organization's use of computers and
computer networks, its own as well as others, creates risks of loss not only to
its self but to customers, clients, vendors/suppliers, and even
unrelated/unknown individuals or entities ("third parties") that
occur as a result from the organization's negligence. A first-party loss to
the organization may also create a situation in which the organization is
negligent and responsible to another party for cyber-caused damages and
therefore result in a third-party claim against it.
Assume, for example the organization is negligent in its security systems
and allows a computer virus into its network which results in loss (damage
and/or destruction) of its own e-data (first party) and then such virus is
spread to nonrelated parties, such as customers or vendors, who in turn lose
data and sue the organization for the data loss and any resulting damages such
as business interruption and/or extra expense. While this article is not
focused on third-party liability exposures and need for insurance, the risk
management professional should nevertheless consider the third-party exposures
as part of his or her risk management due diligence when considering cyber
exposures and appropriate use of insurance.
Cyber exposures are not static and evolve as society continues to use and
rely on computers and individuals strive to find ways to invade computers for
personal gain or other malicious purpose. To properly evaluate cyber risk
insurance policies, one has to understand the extent of cyber risk coverage
provided, if any, in existing first-party insurance policies purchased by the
organization. Examples of cyber first-party insurance loss scenarios are shown
in Column 1 of Schedule 1.
Schedule 1
This schedule may not be complete or adequate for all organizations. Each
organization needs to define its own loss scenarios, which may include some or
all of those identified in Schedule 1. Certain scenarios may also create a
third-party exposure; thus, this type of schedule can be used for both
first-party and third-party (i.e., general liability, professional liability)
loss scenarios. It should be noted that several loss scenarios in Column 1 may
be covered in whole or in part by brick and mortar property insurance
(including equipment breakdown coverage also known as boiler and machinery
insurance) and crime insurance policies but for exclusions or limitations
related to e-data.
Using loss scenarios will (1) allow the risk management professional to
determine if there is adequate coverage for its existing brick and mortar
exposures (i.e., power outage, electrical arching); (2) ensure that any
duplication of brick and mortar and cyber risk coverage is kept to an absolute
minimum; and (3) determine weaknesses in existing first-party insurance and
where coverage from a specialized cyber policy may be needed. Columns 2 and 3
are completed by the risk management professional to confirm coverage, describe
limited coverage, or point out lack of coverage.
This type of analysis must be done to determine what cyber exposures are not
insured. The lack of coverage should not be a surprise, as many property and
casualty insurance policies today have not been expanded to address cyber
exposures. As a result of coverage gaps in brick and mortar property (and
casualty) insurance policies, some insurers have created specific insurance
policies to address cyber loss exposures. Column 4 in Schedule 1 is to be used by the risk management professional
to confirm the extent of coverage provided by any cyber first-party insurance
proposed for the organization's cyber exposures.
Insurance Procurement
Cyber insurance policies differ by insurer as there is not a standard cyber
first-party insurance policy. Insurers issue policies based on their
understanding of cyber exposures, their willingness to insure the indentified
exposures, and use policy terms and conditions that may be unique when compared
to another insurer's cyber insurance policy.
The procurement process for cyber insurance policies is no different than
that used to obtain any other type of insurance. Applications may need to be
completed and specific information about cyber risk controls may need to be
shared with prospective insurers in writing, by in-person onsite survey, or by
conference call. It is important for the risk management professional to create
a request for cyber risk coverage outline (i.e., coverage specifications) for
inclusion with completed applications to ensure that the insurer responds with
coverage appropriate for the organization and not a "generic/one size fits
all" proposal. Limit and retention minimums and maximums beneficial for
the organization need to be requested as well.
Terms and Conditions
The wording used by an insurer in any insurance policy is critical to the
extent of coverage provided. Wording as in insuring agreements, definitions,
and exclusions must be reviewed very carefully to ensure that when the policy
is viewed in total, that coverage provided meets the actual exposures of the
organization. In cyber first-party coverage, special attention must be given to
the following concepts as actual definitions of each will differ by insurer:
extortion, property or data damage, data protection, business interruption, and
extra expense.
Limits
It is difficult to determine an appropriate limit for first-party coverage.
There does not seem to be any public information that is credible to use as
benchmarks. The organization may be able to obtain creditable and quantifiable
exposure information from its brick and mortar insurers, from prospective cyber
insurers, and through discussion with peers involved in the same or similar
activities and industries. Coverage discussions with IT staff are highly
recommended as well.
Retentions
A minimum deductible amount will be required by cyber insurers, not unlike
other first-party insurance policies. The deductible chosen by the organization
should be consistent with the risk-bearing capability of the organization and
commensurate with the cost of the cyber insurance. It does not make sense to
purchase cyber insurance (or any insurance policy) subject to a high deductible
simply because the organization can afford that level of loss retention if the
premium credit provided is not significant when compared to a lower deductible.
Discussion with appropriate management of the organization may be prudent as
well, depending on the retention amount being considered.
Conclusion
An organization's cyber risk controls (firewalls, encryption, passwords,
etc.) may be appropriate as preventative and/or mitigation tools, but these
controls should be used in conjunction with appropriate use of cyber
first-party insurance. The decision to choose one insurance policy over another
policy must be made by understanding the coverage differences of each policy
and the significance of each difference. Coverage differences include not only
limits and retentions, but actual policy terms and conditions. Once coverage is
understood, then one must review premium cost for a policy in terms of
coverage, limits, and retentions to determine if the premium is commensurate to
coverage provided.