Advisen’s Cyber Risk Insights Conference produced many interesting sound bites from a variety of experts who are all attempting to understand a motley of cyber exposures.
From coverage issues to risk management perspectives, and from cyber terrorism to the development of models—the full-day conference in Chicago offered a little something for all attendees.
Rather than focus on a single panel (though we were provided with various follow-up angles), we thought it best to give you a taste from multiple panels via sound bites.
Here are a few:
Vitas Plioplys, director of risk management, Experian: “If we have a breach, it’s the end of our business. We watch everyone who knocks on the door.” The evolution of Experian’s cyber insurance purchase has included a full tower that includes first- and third-party risk, privacy, tech E&O and other exposures in one program.
On whether his insurance tower was enough, he said, “I sure hope so. Fortunately we’ve never had to test it.” But Plioplys said he has yet to find a good product for business interruption/property. “I don’t see the market where it needs to be.”
Josh Harwood, director of risk management, TDS: “You start with walking through scenarios,” he said on how to know the amount of cyber insurance to buy. “Play it out. Predict what you might expect to be covered—what you think might not. Then sit with your broker and analyze the policy and limits. Is it adequate?”
Plioplys: Benchmarking, he said, is challenging but Experian doesn’t have many competitors. So it looks at others with the same revenue. The purchase is often dictated by “keeping up with the Joneses.” The board notices what others buy.
Harwood: The easiest expense to bring to a board is D&O, he said to laughter from the audience. But cyber insurance expenses are “getting close, really fast.” TDS started with cyber limits of $25 million and bumped up $10 million per year. “It wasn’t a hard sell (to the board).”
Plioplys: “We just renewed and the questions [from underwriters] are getting tougher but we’ve been open.” Experian now takes underwriters from the entire insurance tower to its facilities in the US and UK. “Now the seventh excess wants to get down and dirty.”
Harwood: “We’re an open book.”
Elissa Doroff, underwriting and product manager for cyber/technology, XL Catlin: “It is so important to understand where threats live. Is the board paying attention?” The insurer attempts to understand “how cybersecurity is valued within an organization.”
Kirstin Simmons, second vice president, underwriting director of global technology, Travelers:
Greg Vernaci, head of cyber for financial lines, US & Canada, AIG: The insurer is differentiating accounts and providing specific pricing, terms and conditions, capacity and retentions. He added: “Payment card data is contraband at this point.”
Doroff: On new capacity, she said, “Do they have a dedicated claims team or are they going to learn the hard way?”
Simmons: “My contract is with my insured. My contract is not with my insured’s vendors. I don’t get in the middle of that conversation. I can’t watch all the agreements. That’d be a nightmare.”
Vernaci: AIG has paid a growing amount of third-party claims–on more than just breaches that make the news. Extortion involving ransomware is also on the rise. But of particular concern is aggregation. The Anthem and Premera breaches touched many insurers, he said. “It proved how it’s all interconnected–how easy it is to create systemic risk.”
Dave Wasson, professional and cyber liability practice leader, Hays Companies: “Clients are upping limits from $1 million to $3-to-$5 million–maybe $10 [million].” Many times the purchase is contractual. They have to buy coverage because it’s demanded by business partners. Services offered within policies have a “poor take-up rate,” he said.
Brian Thornton, president, ProWriters: Educating these businesses is a challenge. “It’s a stumbling block, as to realizing what the real exposure is.”
John Mullen, partner, Lewis Brisbois: “Acts committed by nation states are an act of war. Acts by non-nation states are acts of terrorism.”
Eric Shiffman, supervisory special agent, FBI Chicago Division: On evaluating threats, he said the FBI group evaluates them “every 6 months and then readjusts priority levels.”
Bill Hardin, managing director/co-chair, global data privacy and incident response practice, Navigant: “In the last 12 months we’ve had 12 cases of card-not-present fraud.”
Matthew McCabe, senior vice president of network security and privacy, Marsh FINPRO: “It is very important to understand the terror exclusion. Policies can respond with an endorsement. It takes the ambiguity out of it. Most policies are silent–most don’t get into it.”
Nick Economidis, E&O underwriter, Beazley: On TRIA, he said, “It doesn’t apply. It was written for physical damage events. Most cyber is in the professional liability marketplace. [TRIA is] not a backstop for professional liability policies.” He said terror and war exclusion language has not been tested. “We don’t know how the court[s] respond.” But the exclusions exist because a single event could trigger multiple policies and the industry “doesn’t collect enough premium” for this risk.