Corporations are calling for a holistic cyber-threat response from the insurance industry – challenging traditional insurers to offer a fully integrated service.
That’s the conclusion from a number of speakers at Advisen’s Cyber Risk Insights conference in London on February 25.
Discussion abounded on the importance of pre- and post-event services in an insurance solution, as well as the inclusion of first-party property and business interruption (BI) and third-party product liability covers.
Solutions, Not Products
On a practical level, the insurance industry is providing broad solutions that span the traditional “silos” of risk or profit-and-loss boundaries within insurance company structures.
On a panel discussion with risk managers, Julia Graham, DLA Piper’s director of risk management and insurance, called for cyber insurance to be viewed as a “solution” and not a “product.”
Graham highlighted the need for pre- and post-event services to be included in the offering as standard, to provide meaningful help when it is most needed.
“You wouldn’t buy a Kidnap & Ransom policy without a security expert embedded. So why buy cyber without having a breach expert embedded?” she said.
Lord John Reid of Cardowan, the UK’s former defense minister, urged the insurance industry to distinguish between a product and a service.
“The insurance industry needs to tackle what the customer wants, which is advice on mitigation and prevention prior to an incident and public and internal crisis management afterwards. This is not a traditional insurance policy by the integrated nature of cyber itself.”
AIG’s head of client management EMEA, Philippe Gouraud, commented: “Rather than asking if cyber insurance is a niche that will grow into the mainstream, we should ask what is the core exposure of the company?”
“For many companies, cyber is the core exposure and the other elements are on the periphery. Therefore cyber should be integrated into coverages,” he said.
Broker JLT’s head of risk practice, Warren Downey, noted that the sharing of experience, data, loss information and best practice was “not going on broadly enough” in the insurance sector.
“You can’t solve BI and contingent BI issues without a property underwriter in the room,” he said. “We need to create risk workshops which break down P&L boundaries.”
Gouraud noted that AIG wanted to position itself as the “most valued risk partner” to an organization. “That means going beyond insurance. Providing capacity is easy and cheap. We need to deliver the ‘beyond insurance’ expertise.”
Integrating coverage: easier said than done
A separate panel of insurers and brokers addressed the practical complexities of integrating a number of different “traditional” insurance covers into one integrated policy.
Degrees of cyber cover are available through the liability/E&O market (where cyber insurance was born), casualty (through products liability and bodily injury) and the property market (through BI and terrorism).
However, the extent to which cyber would be covered under each of these existing policies is unclear. For example, the energy market recently introduced the CL380 – an absolute malicious code exclusion. The casualty market, however, has been slow to exclude cyber cover from its traditional bodily injury or products liability policies, the panel discussed.
Stephen Wares, cyber risk practice leader at Marsh EMEA, noted that cyber insurance grew out of the E&O market. “That market has pushed its product as far as it can. For example, BI is included on cyber policies, but with a sub-limit of $25-30 million. Offshore or onshore rigs need hundreds of millions of dollars of cover.
“Cyber isn’t traditionally a BI market. We now need to engage the terrorism and property markets.”
Graeme Newman, director at CFC Underwriting, agreed: “The cyber market should absolutely not be doing [BI]. The property market is set up to deal with this type of loss day-in day-out.”
Newman also noted that aggregation was once “the elephant in the room” with regard to cloud computing, but is now being recognized as an issue.
“The property market would think we’ve gone stark, raving mad in not imposing ‘named supplier’ exclusions and monitoring our aggregates,” he said. “We need to control our aggregations with limit and with diversification of risk.”
‘Classic enterprise risk’
Cyber risk also presents added complexity when it comes to traditional insurance tools such as risk modeling and risk aggregation monitoring and control, the conference heard.
Graham said cyber was a “classic enterprise risk”, not respecting departmental or geographical barriers. “It should therefore shape the way a firm does business,” Graham said to the 350-strong audience at the event.
Lord Reid said “most leaders don’t understand the depth of the transformation that cyber has on our lives.”
“Cyber isn’t just an amalgam of new technologies, of communication,” he said. “It is the first human-made environment. Unlike sea, land, air and space, cyber permeates everything and will no longer be controlled like the natural environment.
“The cyber age brings new risk, which I doubt traditional actuarial models can cope with,” Reid said. “Consequential loss to businesses or loss of intellectual property or data present challenges for actuarial calculations. None of these fit easily into definable risk patterns.”
Reid suggested that industry could not devise risk management tools and models to cope with the ever-changing and omnipresent cyber risks. “In a real sense, industry is just playing catch-up with the changing threat environment,” he added.