With the enormity of the risk still holding back insurers and a lack of clarity among buyers, debate is still raging about how to handle cyber risk
Part of a future in risk and insurance report supported by Zurich
In July, a Jeep Cherokee was hacked by cyber experts as part of a stunt set up with Wired magazine. They took remote control of its radio, air conditioning, windshield and transmission system through the vehicle’s internet-enabled entertainment system. The incident led Fiat Chrysler to recall 1.4 million Jeeps.
Could damage to the Jeep Cherokee or Fiat Chrysler brands have been covered by a cyber policy for this security breach? Or perhaps a product liability policy would have covered the cost of the recall? These are typical of the questions vexing risk managers and insurers on how to handle emerging technology risks, including data security and reputation risks.
“The whole issue of cyber risk, the technology- and digital-driven transformation of every part of the economy, means that you cannot separate cyber [risk as a standalone threat],” says Sarah Stephens, JLT Specialty’s head of cyber, technology, and media errors and omissions. “There are so many loss scenarios that could be triggered by a technology failure, a security failure, a cyber or quasi-cyber incident that could be, or should be, covered in a property or casualty policy. That is a massive challenge for insurers and for the industry right now.”
In some cases, organisations are taking matters into their own hands and finding their own ways to mitigate cyber exposures. In response to risks around its customer data, KPN, the largest mobile, text, and TV subscriptions provider in the Netherlands, set up a new data security department and embedded a strong ethos on customer privacy and business continuity throughout its operations.
KPN privacy officer Rence Damming highlights the discoveries it made by researching its customers. “It matters what kind of company you are. Google processes a lot of data, and users expect that – they give away their location information in return for a service. But they don’t expect it from a telecoms operator or an energy provider. Expectations differ. Customers want to trust their telecoms operator, because we deliver all their communications from A to B. We build trust by telling customers what we do and don’t do with their data.”
Notification of breaches
KPN’s stance on data security and business continuity reflects the substance of a new law passed by the Dutch parliament in May. This will require organisations to notify the authorities about data breaches or face fines of up to €810,000 or 10% of annual turnover. The rules anticipate the European General Data Protection Regulation (GDPR), due in 2015 or early 2016, which will include security breach notification obligations from 2017 or 2018.
Bert Schijf, KPN director of risk and reporting, says that while he is interested in cyber insurance, he believes that notification requirements could introduce a degree of caginess into conversations with insurers.
“It could be hundreds of thousands of people who are affected by a data breach. Is this something insurers are willing to provide policies on? On the other hand, maybe organisations will not want to notify the authorities if they think that the insurer won’t pay out,” explains Schijf.
“It could make the conversation difficult, like trying to purchase medical insurance if you have been unwell in the past.”
Cyber brokers emphasise that insurers are very willing to do deals on data breach risks. “It’s a competitive, hungry market, with new entrants coming in every quarter. It’s a market very willing to take on IT and security-based exposure, and to adapt to clients’ requirements,” says Stephen Wares, Marsh cyber risk practice EMEA leader. “If we can define the triggering event, and closely define the loss, there’s no reason why we can’t pitch that into the market and find a solution. The insurance markets are doing a good job at addressing cyber exposures.”
Marsh is “pumping out proposals” for consulting services to organisations that want to understand their cyber risk profile.
“They need to start thinking ‘What if it happens?’, ‘Who is responsible for defining that risk profile?’, and ‘What does that project look like?’,” says Wares. “Some clients want a professional consultant, whereas others may have the skills and resources internally to do this for themselves.”
JLT’s Stephens agrees that data breach and business interruption liabilities can be quantified and underwritten as a standalone risk, and thinks this could develop as a specialist policy, similar to kidnap and ransom, where the service element is a big part of the reason to purchase.
“Many insurers have put together panels to help organisations respond to cyber incidents,” says Stephens. “The real questions are whether property damage or bodily injury or non-damage business interruption, triggered by a cyber attack, are covered by property casualty policies, by a cyber policy or even some new specialist insurance.”
Meanwhile, on the buyer side, a gap in communication between risk managers and their board directors continues to hold organisations back. As a result, senior management is often unaware which of their cyber risks are covered by insurance and which are not.
“It was a big surprise to us that board-level ownership of cyber risk did not change much year-on-year,” says Wares. He is referring to Marsh’s Cyber Risk Survey of clients, released in June, which shows that board directors are responsible for cyber risk in 19.4% of companies, compared with 55% where it’s owned by the IT department.
“Most cyber risk management is done by the IT team,” he says, “and IT is driving the conversation. We need to emphasise that this is a risk conversation, not a technical one.”
An analysis by Marsh of premium flow into the market suggests that cyber insurance penetration is 2%. This compares with UK government figures showing that 52% of board directors think that they have cyber cover.
“We asked insurance buyers if they had bought cover, whereas the government asked senior executives. We think our figures are likely to be nearer the truth, so there is a big communication gap between the insurance buyer and the board about what is insured and what is not,” Wares explains.
This lack of clarity about coverage on the buyer side is mirrored by a degree of uncertainty in insurance markets about how best to underwrite these emerging risks.
“It is happening in property, professional liability and product liability, where there is no cyber exclusion but there is no cyber underwriting happening either,” says Stephens. “In a market cycle that is relatively competitive, it is tough to be the insurer who puts the exclusion on, because they lose that deal. So a lot of insurers are struggling.”
A property policy for an industrial site that carries no cyber exclusion, for example, presumably covers damage triggered by hackers breaching the site’s control systems, just as it covers damage caused by fire or windstorm.
Property underwriters, who traditionally rely on metrics such as historic weather risk, location, construction materials and whether the building has sprinklers, have not underwritten these new cyber risks. Now that internet-connected controls and remote monitoring systems are becoming commonplace, insurers will begin looking at internet security systems, whether default passwords have been changed and whether back doors installed by equipment suppliers have been properly disabled.
“They should ask ‘What did you do in terms of managing all that connected cyber risk in your control system, which now has remote monitoring, and all sorts of capabilities it didn’t used to have?’,” says Stephens.
“That’s a risk that could trigger a property loss, but insurers aren’t asking the right questions, either because they don’t know which questions to ask or because it’s not on their radar that it could trigger that policy.”
Inside insurance companies, underwriters who have cyber expertise are often part of a professional liability or cyber team, where their knowledge is kept separate from the wider property casualty business.
“Some insurers are starting to deploy cyber and technology underwriters across different lines, so that they can transfer expertise, but generally there is a knowledge gap and a training gap,” says Stephens.
The rise in cyber-related risks will change the underwriting experience for risk managers as well, adds Stephens.
“In addition to providing building engineering information for a property policy, buyers will be asked about system firewalls, original equipment manufacturers and what data they put in the cloud,” she says.
“They have to start providing a different level of detail. In some cases, that will mean talking to people internally who they’ve never met before, and compiling information they may feel uncomfortable with, including lots of technical jargon.”
While the debate continues about the extent to which emerging cyber risks should be embedded into traditional insurance lines or covered by standalone policies, the clinching factor is likely to be a big loss.
“We are at a crossroads and definitely don’t have a consensus,” says Stephens. “There’s this thing called cyber and it has grown and changed a lot over the past decade. We know of examples of cyber attacks on oil pipelines and energy generation plants, but no big losses. If we have a big loss, then that changes behaviour pretty quickly.”