Cyber insurance claims differ on severity and frequency

By Erin Ayers on March 8, 2015

Cyber insurance claims tend to be related less to hacking efforts and more to mistakes relating to human error, according to a panel of experts speaking at Advisen’s Cyber Risk Insights Conference in San Francisco.

Although anecdotal evidence suggests that organizations have shown more interest in coverage for hacking events and business interruption, there have historically been more claims driven by either human error or employees actively intending to create a cyber issue. According to insurers, claims relating to employee passwords gone astray or unintentional disclosure of personal information far outrank any claims relating to nefarious hacker activity.

Claims for cyber hacks are growing, though, likely because more businesses have begun to purchase cyber coverage and are looking to protect their intellectual property and data.

Jim McQuaid, U.S. head of cyber media and technology for financial lines claims at AIG, said that claims involving seemingly simple or innocent revelations of data comprise many of the cyber claims currently fielded by insurers.  A doctor’s office might be liable for having accidentally called the wrong person and shared medical data, or a business might improperly dispose of records. These are not malicious occurrences, but they do create insurance claim events. They are common, but not costly.

However, claims related to hacking events carry a higher severity level even if they are not as frequent for insurers.

Thomas Kang, cyber product manager at Hartford Financial Products, explained that while 25 percent of claims are related to hacks, over 50 percent of losses pertain to those events. These events tend to involve more data and open insureds up to more third-party claims, he noted.

And, he added, the companies that operate under the assumption that they will be hacked are the most successful in either avoiding or responding to a breach. This ties strongly into how insurance companies underwrite the risks they are presented – panelists emphasized that they look at the plan organizations have in place for any type of breach.

According to Tim Francis, enterprise lead for cyber insurance at Travelers, insurers must also evaluate the level of resources available at any given organization. Some customers have the IT personnel for in-house security, others do not.

“We’re trying to understand that dichotomy. It undoubtedly increases the complexity of an event,” he said.

Underwriting to “the worst case scenario” tends to be both a theme and a goal for cyber liability, according to the panel.  Matt Donovan, national underwriting leader of technology and privacy at Hiscox, commented that organizations and insurers are starting to examine “how bad could it get” in terms of breaches. Pessimism is a virtue in terms of risk, the group agreed.

An interesting twist in terms of data loss relates to the relatively frequent claims due to loss of paper data. For example, a company might assume that it is protecting itself by transferring paper-based data to a storage facility – but then find itself open to claims when that facility loses information and limits its own liability.

Business interruption claims may become more of an issue now that the Sony hack has become big news, according to AIG’s McQuaid.

Insurance underwriters fully understand that the risk will expand, and insurers will have to get a handle on evolving risk, the panel revealed.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.