My title is not meant to suggest that cyber insurance is flawed. To the contrary; it’s a valuable risk transfer instrument that has performed as advertised in the vast majority of loss situations and often provides policyholders with a gateway to a host of response and mitigation providers that otherwise might be too costly or unavailable when most needed. Most articles questioning the viability of the product are usually centered on denied claims from types of insurance policies that were not designed to cover emerging cyber risks, or written by folks whose knowledge of actual policy language harkens back to earlier generation policies that sometimes contained strict stipulations about maintaining consistent levels of security.
Rather, my title intends to raise awareness that “cyber insurance,” as is commonly offered by the insurance industry, is not an “all-risk” type of policy that covers anything and everything resulting from a cyber event. The most commonly purchased type of cyber insurance covers costs and liabilities associated with breaches of personally identifiable information, such as notification and credit monitoring costs, IT forensics expenses, crisis management costs, and resulting legal costs and liabilities from the event. Policies can also cover costs of restoring destroyed data, revenue loss from system downtime, and extortion demands threatening most of the aforementioned types of losses. Newer forms of cyber insurance products that are already available or imminently available cover certain tangible exposures, such as bodily injury and property damage.
All of those slices of available cyber insurance present a healthy scope of coverage, but still do not come close to the entire spectrum of potential risk. We now live in a world where a malicious cyber attack, technology failure or human data entry error can result in everything from theft of personally identifiable information to pipeline explosions, product malfunctions, hospital shutdowns, supply chain disruptions, and blackouts – literally the entire spectrum of known risk. That reality, when aligned with the current commercial insurance world, means that many other forms of insurance are crucial to the cyber coverage equation.
For instance, losses relating to a spear phishing attack that successfully cons an executive into wiring a massive sum of money to a fake supplier should be covered under crime insurance. Shareholder losses and the resulting liability that result from a stock drop after a cyber attack and bungled response should be covered under director’s and officer’s insurance. Costs to recall products that have been compromised by malicious code should be covered by recall insurance, and if those products fail and cause harm to third parties, products liability insurance. Clean-up costs related to the manipulation of the industrial control systems of a wastewater treatment facility should be covered under environmental insurance. The list goes on, and by our estimation, there exist at least a dozen types of commercial insurance coverage types that should cover cyber-predicated loss.
“Should” is the operative word because despite the fact that many types of traditional insurance coverages are thought to be well understood, the reality that a cyber event can cause a full range of financial and tangible damages is quickly being recognized as an insurance game changer. With certain types of coverage, such as an “all-risk” property policy and barring any specific exclusions to the contrary, the policy holder should get the legal benefit of the doubt. That rule however, is not universal. In other instances, exclusions that have been put into policies to exclude the specific type of losses that “cyber insurance” policies cover can be interpreted more broadly. For example, does an exclusion along the lines of “losses attributable to the manipulation of, corruption of, erasure of, or deletion of electronic data” do more than simply exclude the costs of a breach of PII?
Lastly, and most troubling, is the reality that some policies have broadly written or sometimes definitive cyber exclusions. A good example are commercial terrorism policies written by Lloyds of London, which absolutely contain a very broadly written cyber exclusion. There are many instances of clients that do not purchase terrorism coverage as an extension of their main property insurance, and instead rely on a stand alone terrorism policy. That decision could create a catch-22 whereby a cyber event that causes property damage and that is later deemed to be an act of terrorism would not be covered by the property policy due to the terrorism determination, but also excluded by the terrorism policy because the damage was caused by a cyber event.
Our advice, given this nuanced reality of the insurance world, is to view cyber as a peril when making insurance determinations relative to the risk. We suggest to:
- Start by determining the range of potential exposures that could result from a cyber event
- Overlay those exposures with the firm’s existing commercial insurance portfolio.
Our expectation is that many of those exposures will indeed support the consideration of an actual “cyber insurance” policy, some might already be covered in existing policies, and others might bring to light some of the coverage pitfalls described above (which by the way, can be fixed or supplanted by new “difference in conditions” cyber policies). The good news is that the insurance industry is receptive to covering the majority of the cyber risk spectrum, but doing so requires more attention to detail than simply buying what the industry commonly refers to as “cyber insurance.”