In the last article for this column, an overview
of our perspective on the overall market for cyber insurance was presented.
One of the issues discussed involved whether and to what extent large companies
are insuring their first-party cyber risks. This article will drill down further
on this issue.
Some of what is presented might be controversial. Such controversy is fully
intended—because certain myths must be debunked.
But before the myths are debunked, let's be up front about something at the
outset. Without doubt, the most important risk management technique to address
these risks is loss control, not insurance. Every article consulted that is
authored by experts in the field, on both sides of the Atlantic, contains this
conclusion.
That conclusion is not being disputed. The question, though, is whether risk
managers should take the time to try to transfer some of the risk that will
always exist (the risks that are currently insurable) no matter what type of
loss control techniques are in place. With this caveat in mind, an analysis
of several myths relating to the issue of insuring first-party cyber risks is
presented here. Where that leads is still not clear, but hopefully it can further
discussions on key issues, among risk managers, brokers, and underwriters alike.
Myth #1: Only Companies with a Lot of Online Sales Need First-Party Cyber
Risk Coverage
This perception is definitely wrong. There are first-party cyber losses (involving
computer-virus-caused data/software corruption, as well as data/software corruption
caused by something other than a computer virus) that have nothing to do with
online sales. Examples of such losses include a well-known incident of a $15
million loss, and little-known losses of much, much more. And some of these
losses were paid under traditional types of policies before cyber exclusions
were placed on them.
Such losses involve assembly lines going down, data/software on product getting
corrupted before shipment, critical internal operations going down, etc. Just
think of all the different goods and products that have data and software in
them that can be corrupted. Just think of all the critical systems and operations
on which companies rely—even brick and mortar companies—that depend on data
integrity and software running correctly. Such losses have nothing to do with
online sales.
Myth #2: First-Party Cyber Risk Involves High-Frequency/Low-Severity Losses
Some risk managers of large companies have indicated that they and their
IT personnel have concluded that, given their risk control strategies, any first-party
cyber risk they could suffer would be within the deductible on their insurance
program, so they don't have an interest in insuring the risk.
The debunking of Myth #1 above also debunks Myth #2. The losses, even ignoring
online sales risk, can be, and have been, staggering—in excess of any deductible
we've ever seen. You're not hearing about these losses because companies don't
want to publicize that they're sustaining such losses. It's that simple. Don't
let the “silence” of such companies lull you into a false sense of security.
Myth #3: First-Party Cyber Risk is Fully Avoidable by Proper Redundancies,
Mirroring, Back-Ups, Etc.
According to every cyber risk consultant and cyber risk insurer consulted
about this issue, there are real-life examples of first-party losses sustained
by companies that had full redundancies, mirroring, back-ups, etc. Mistakes
happen, redundancies fail, nothing is foolproof. Those are the explanations
of the real-life losses according to such experts.
Myth #4: It is Too Difficult To Obtain Meaningful Limits for First-Party
Cyber Risk
Meaningful refers to limits in excess of $25 million. This myth is a little
harder to debunk with only personal experience. So deference is given to the
brokers polled for this article. Several of the brokerage firms that have dedicated
groups doing nothing but cyber insurance and related coverages were consulted.
(To find out which brokerage firms have such dedicated groups, and how to contact
them, please visit our website in the coming months, as we have links to some
of those brokers on our site now, and are in discussions with several other
brokers to add links to their sites.)
The brokers polled all said that they have placed, and continue to place,
even in this hard market, cyber insurance programs with limits in excess of
$80 million for first-party risk (according to them, higher limits can more
easily be obtained for third-party liability risk). We are advised that it's
not easy, but is doable, and is being done, even in this hard market.
Myth #5: The Policy Wording Currently Available is Illusory
Many risk managers express great concern that the policy wording in first-party
cyber insurance policies they have reviewed has not been tested, is never going
to work, etc. However, some of the policy wording is no different than what
used to be available in traditional policies that have already paid out on first-party
cyber losses, before cyber exclusions were placed on them.
It is true, though, that some of the policy wording is unique and hard to
understand. However, some of the insurers that sell insurance for first-party
cyber risk are willing to work with risk managers, their brokers, and even their
coverage counsel, to amend some of the language so that the risk manager has
a greater comfort level with the language.
And note that the same concern raised by risk managers on this line of coverage
was raised on many new lines of insurance, e.g., environmental impairment liability
(EIL), pollution legal liability (PLL) and other environmental coverages back
in the 1980s, employment practices liability insurance (EPLI) in the 1990s,
etc. While it is true that each of these lines has had issues, and the policy
language has evolved and continues to evolve, the fact is that these lines have
proven over time to provide meaningful coverage. We believe the same will be
said about first-party cyber insurance if the market for such coverage grows.
Conclusion
In the end, it is still questionable how many large companies ultimately
will pursue the purchase of insurance to address certain of their first-party
cyber risks. Without doubt, some large companies have bought such insurance,
and some will continue to buy it.
Whether the market for such coverage will flourish or languish still remains
to be seen. It is hoped, though, that this article will help risk managers, brokers,
and underwriters alike better understand certain issues, views, and perspectives,
and foster greater discussion among them. That can only be a good thing for
the market.