As cyber insurance expands in popularity and necessity for organizations, the industry has begun to examine the next steps for the coverage and how to offer a broader, more useful product as client needs evolve.
Panelists at this week’s NetDiligence Cyber Risk and Privacy Liability Forum in Philadelphia discussed moving beyond insuring businesses for data breaches and toward network interruptions, unintended – and intentional – system outages, cloud cover, and the risks associated with Big Data and privacy ethics.
“It’s a balancing act of how to provide the right coverage, but understanding that some of these things are hard to get your arms around,” stated Tim Francis, enterprise cyber lead at Travelers. During a panel on advanced cyber coverages, he noted that contingent business interruption related to a cyber event could be a “very compelling selling point” for companies with little interest in data breach coverage.
Francis explained that the underwriting challenge comes in quantifying the loss. A business could recoup costs from downtime once systems are up and running again.
“It may not be money that they’ll never see again,” he said.
Florence Levy, senior vice president at JLT, noted that she has seen more network interruption losses, and clients want more specialized coverage.
“This coverage isn’t useful as is,” she said. “From the broker’s perspective, we have to push those boundaries.”
Levy also cited policy language that addresses “unintended outages” or system glitches. She questioned whether cyber policies could ultimately offer protection for a business’ decision to take a system offline in order to prevent an attack or halt a cyber extortion effort.
Francis noted that from the carrier’s perspective, a voluntary takedown could mitigate future loss, but it requires a “combination” of understanding how the cyber policy would respond and how the claims department would handle it.
John Graham, security and privacy liability product manager at Zurich, commented that willingly shutting down a system to avoid loss calls to mind a snow-covered roof at risk of collapsing. The business and the insurer have to determine whether the expense to proactively demolish the building or otherwise prevent a natural collapse would save money.
“With cyber, there’s the issue of scope,” he said. “I understand the concept, I understand the desire and the need, but as underwriters, we’d have to figure out how that would work.”
Panel moderator Toby Merrill, head of ACE USA’s global cyber risk practice, noted that insurers’ claims departments would also have to determine whether the takedown was necessary quickly enough to prevent the feared damage.
According to Greg Vernaci, senior vice president at AIG, if an organization is considering a voluntary takedown to avoid a loss, it most likely operates at a more sophisticated technical level. Coverage would hinge on whether “a client should reasonably show that this was a wise decision.”
Other speakers during the NetDiligence event emphasized the need for insurance industry solutions to privacy concerns relating to Big Data, as well as expanding litigation.