The impending passage of the EU Data Privacy Directive into law has raised C-suite awareness of cyber issues more broadly and may speed up the “slow burn” of the data privacy debate in recent years.
The Directive has also led some to question what cover exists for a broader range of “cyber” business interruption-related threats to which companies are today exposed.
Indeed, concern is now growing that data privacy has clouded the much bigger issue of how to protect a company’s ‘networked’ assets. By networked assets, I mean vital technological systems either owned, loaned or used by a company such as webmail or CRM systems.
If such a network system went wrong or was damaged due to human error, malicious hacking or a virus – how long would the company take to get back on track? More fundamentally, would the business actually be able to recover? And is there insurance cover available to mitigate against the financial impact that these risks create? These are the questions that business executives and risk managers are asking, and to which the insurance industry needs to find a coherent answer. If you ask any business person today to list the most vital tools needed for the company to function, most would reference access to email, online files, CRM or point of sale systems. All of these physical assets are vulnerable to the standard physical threats including flood, fire, theft or malicious damage. But they are equally, if not more vulnerable, to a host of new ‘non-physical’ cyber-related threats, many of which are far less well understood, yet have the capacity to be equally devastating.
If networked assets are impaired by fire or theft, the insurance solution is straightforward. However, If the same kind of damage is caused by a “non-physical trigger”– such as a hack, virus or even by simple human error – then the answer is much less clear cut.
Wordings: A grey area
Currently some property, general liability and business interruption policies provide a small element of cyber-related cover within them. But it is at best a grey area, and the bottom line is that these products were never really designed to deal with the failure of a major technology system, linked to a cyber-related trigger. Some policies will not respond to a ‘non-physical’ trigger. Others might, but the cover provided is likely to be very limited.Among other factors, it is the size and frequency of these threats that are making insurers question the best way forward. Is it to extend the wordings and increase the limits of existing policies, or go the stand-alone route?
The difficulty inherent in extending the wordings of existing policies is that it tends to blur the traditional market boundaries between lines of business. It could also require some very large limits, which is not a particularly attractive option for insurers, even though this approach may be more intuitive for insureds.
The increased use of specific stand-alone non-physical cyber-related, business interruption wordings may be a more attractive solution as this would remove any ambiguity over the level of cover for cyber-related risks. Such an approach would also enable specific service offerings to be developed that respond to client needs at a time of emergency, helping companies get back to business as usual as quickly as possible. On the downside, this creates another policy for clients to consider and, as noted above, some risks would require very high indemnity limits.
A global issue
The global nature of many cyber risks makes them very difficult to underwrite. For example, an attack on a cloud or outsourcing specialist in India could impair the operating ability of thousands of companies across the world in a matter of seconds. The multinational aspect of cyber risk is unique, and requires insurers to take a global approach to underwriting this business. The global and compound nature of the threat could increase aggregation risk considerably and is a concern for the industry as we do not yet have access to enough loss data to develop a clear view on the true exposures associated with cloud services, virus, or cyber terrorism for example.
So, what next? Well, one thing is clear. None of us can afford to bury our heads in the sand, as cyber-business risks are not going to go away. If anything, they are likely to get bigger as our reliance on technology and automated services increases.
The market has spent the past 12 months in thought and discussion on these issues, and more is still required. In order to move forward, brokers, underwriters and insureds need to work much more closely together to fully understand the risks, share knowledge, learnings and most importantly the data to which they have access.
Once a clearer distinction can be made over cyber triggers, and how these can be addressed, underwriters will be better placed to understand the risks they are underwriting, and clients will have a better understanding of the cover they have bought – or can buy. In addition, policies can be fairly priced, and some of the aggregation risk calculations that are of particular concern to markets, can be more accurately assessed. This is the outcome that benefits all parties and it is what we must strive for.