If there ever was an insurance product where the devil is in the details, it’s cyber. How coverage is written has determined, and will continue to determine, whether a cyber claim is covered or denied. Important stuff indeed.
Rightfully so, but almost ad nauseam, cyber risk is at the forefront of every insurance buyer’s mind. Most are advised by educated specialists who counsel their clients to ensure the correct and proper amount of coverage is purchased. Conversely, however, too many are instructed by uninformed brokers who are ignorant of what cyber insurance actually is and how to cover it. Often, clients of these brokers end up purchasing cyber products with inadequate coverage, restricted by exclusions and restrained by sublimits.
A cottage industry no more
The evolution of cyber insurance is an extraordinary story. Once a cottage industry, the product has changed dramatically since the first policies were issued some 20 years ago. I’m fortunate to have been involved from the onset. Initially, the task of underwriting cyber was given to the technology E&O underwriters for really no specific reason. Maybe cyber sounded like tech. Maybe because cyber was such an anomaly, insurance companies didn’t know what to do with it.
It’s been fascinating to witness how the advancements in technology have impacted risk, particularly cyber risk. In its infancy, cyber insurance was written to protect businesses from the perils of moving their operations online. Easy enough. But something went astray. The Internet kept growing and expanding. Applications were invented. Facebook, Twitter, Instagram and Snapchat revolutionized the way we communicate. All the while, unbeknownst to most, private information was being captured, stored and processed. Processing power took off. Storage became cheap. The Cloud was created. Mobile devices. IoT. You name it.
And the tech E&O underwriter was left to figure out how to underwrite it.
Needless to say, in the early days the trading of cyber insurance did not go as smoothly as anticipated. Uninformed clients, uneducated brokers and inexperienced underwriters knew a new exposure needed to be identified and assessed and a product needed to be created, sold and serviced. We all tried hard but the task was difficult and the pace of change breathtaking. Surely, mistakes were made along the way. Coverages were miswritten, exposures missed, limits undersold and exclusions misinterpreted.
Within the last few years, the market has really taken off and the process has improved dramatically. Recognizing the business opportunity, brokers have hired cyber specialists who excel at communicating risk to clients. Underwriters have gained much needed experience and have even looked to the tech industry to add talent. And more and more the market is relying on third parties, the real experts, for help.
Today it is not uncommon for cyber policies to have upwards of ten coverages, with varying limits and retentions, and to be riddled with technical terms. And to boot, all carriers’ forms and product offerings differ greatly in breadth, scale and scope, making decision-making for brokers and clients difficult.
In addition, there is no standardized underwriting process in cyber, as there is in other lines such as property insurance. For example, property underwriters routinely rely on a building’s construction, occupancy, protection and exposure, or COPE, which are well-defined and widely used engineering measures. Not so with cyber. At the moment there is no objective way to assess a business’s cyber security. The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, developed a cybersecurity framework for critical infrastructure in collaboration with private industry, releasing its first draft in 2014. NIST’s effort is a good start, but it’s voluntary. NIST continues to collect feedback and conduct workshops, making updates to the framework.