Expert Commentary

Insuring First-Party Cyber Risk for Fortune 1000 Companies—A Worthwhile Endeavor or Boondoggle?

Mike Rossi examines the myths related to the question of whether companies should insure their first-party cyber risks.


Cyber and Privacy Risk and Insurance
November 2002

In the last article for this column, an overview of our perspective on the overall market for cyber insurance was presented. One of the issues discussed involved whether and to what extent large companies are insuring their first-party cyber risks. This article will drill down further on this issue.

Some of what is presented might be controversial. Such controversy is fully intended—because certain myths must be debunked.

But before the myths are debunked, let's be up front about something at the outset. Without doubt, the most important risk management technique to address these risks is loss control, not insurance. Every article consulted that is authored by experts in the field, on both sides of the Atlantic, contains this conclusion.

That conclusion is not being disputed. The question, though, is whether risk managers should take the time to try to transfer some of the risk that will always exist (the risks that are currently insurable) no matter what type of loss control techniques are in place. With this caveat in mind, an analysis of several myths relating to the issue of insuring first-party cyber risks is presented here. Where that leads is still not clear, but hopefully it can further discussions on key issues, among risk managers, brokers, and underwriters alike.

Myth #1: Only Companies with a Lot of Online Sales Need First-Party Cyber Risk Coverage

This perception is definitely wrong. There are first-party cyber losses (involving computer-virus-caused data/software corruption, as well as data/software corruption caused by something other than computer virus) that have nothing to do with online sales. Examples of such losses include a well-known incident of a $15 million loss, and little-known losses of much, much more. And some of these losses were paid under traditional types of policies before cyber exclusions were placed on them.

Such losses involve assembly lines going down, data/software on product getting corrupted before shipment, critical internal operations going down, etc. Just think of all the different goods and products that have data and software in them that can be corrupted. Just think of all the critical systems and operations on which companies rely—even brick and mortar companies—that depend on data integrity and software running correctly. Such losses have nothing to do with online sales.

Myth #2: First-Party Cyber Risk Involves High-Frequency/Low-Severity Losses

Some risk managers of large companies have indicated that they and their IT personnel have concluded that, given their risk control strategies, any first-party cyber risk they could suffer would be within the deductible on their insurance program, so they don't have an interest in insuring the risk.

The debunk of Myth #1 above also debunks Myth #2. The losses, even ignoring online sales risk, can be, and have been, staggering—in excess of any deductible we've ever seen. You're not hearing about these losses because companies don't want to publicize that they're sustaining such losses. It's that simple. Don't let the “silence” of such companies lull you into a false sense of security.

Myth #3: First-Party Cyber Risk is Fully Avoidable by Proper Redundancies, Mirroring, Back-Ups, Etc.

According to every cyber risk consultant and cyber risk insurer consulted about this issue, there are real-life examples of first-party losses sustained by companies that had full redundancies, mirroring, back-ups, etc. Mistakes happen, redundancies fail, nothing is full-proof. Those are the explanations of the real-life losses according to such experts.

Myth #4: It is Too Difficult To Obtain Meaningful Limits for First-Party Cyber Risk

Meaningful refers to limits in excess of $25 million. This myth is a little harder to debunk with only personal experience. So deference is given to the brokers polled for this article. Several of the brokerage firms that have dedicated groups doing nothing but cyber insurance and related coverages were consulted. (To find out which brokerage firms have such dedicated groups, and how to contact them, please visit our website in the coming months, as we have links to some of those brokers on our site now, and are in discussions with several other brokers to add links to their sites.)

The brokers polled all said that they have placed, and continue to place, even in this hard market, cyber insurance programs with limits in excess of $80 million for first-party risk (according to them, higher limits can more easily be obtained for third-party liability risk). We are advised that it's not easy, but is doable, and is being done, even in this hard market.

Myth #5: The Policy Wording Currently Available is Illusory

Many risk managers express great concern that the policy wording in first-party cyber insurance policies they have reviewed has not been tested, is never going to work, etc. However, some of the policy wording is no different than what used to be available in traditional policies that have already paid out on first-party cyber losses, before cyber exclusions were placed on them.

It is true, though, that some of the policy wording is unique and hard to understand. However, some of the insurers that sell insurance for first-party cyber risk are willing to work with risk managers, their brokers, and even their coverage counsel, to amend some of the language so that the risk manager has a greater comfort level with the language.

And note that the same concern raised by risk managers on this line of coverage was raised on many new lines of insurance, e.g., environmental impairment liability (EIL), pollution legal liability (PLL) and other environmental coverages back in the 1980s, employment practices liability insurance (EPLI) in the 1990s, etc. While it is true that each of these lines have had issues, and the policy language has evolved and continues to evolve, the fact is that these lines have proven over time to provide meaningful coverage. We believe the same will be said about first-party cyber insurance if the market for such coverage grows.

Conclusion

In the end, it is still questionable how many large companies ultimately will pursue the purchase of insurance to address certain of their first-party cyber risks. Without doubt, some large companies have bought such insurance, and some will continue to buy it.

Whether the market for such coverage will flourish or languish still remains to be seen. It is hoped, though, this article will help risk managers, brokers, and underwriters alike better understand certain issues, views, and perspectives, and foster greater discussion among them. That can only be a good thing for the market.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More