September 14, 2017
Despite consistent growth in the cyber insurance industry over the last two years, the industry faces a key underwriting obstacle that could potentially limit growth in the market: data. Lack of historical data in the cyber insurance market provides a critical challenge as carriers struggle to model cyber risk across a broad portfolio.
From an underwriting perspective, disclosed cyber risk data given to underwriters remains insufficient. Many feel that carriers are not asking the right, or enough, questions to accurately represent risk exposure for particular rates. Additionally, the fears of an aggregate attack were brought to light after a recent report conducted by Lloyd’s of London and Cyence suggested a catastrophic cyber-attack on a cloud service provider could result in average losses of $53 billion in just two to three days.
In terms of risk modeling, “a lack of sufficient historical data hinders a carrier’s ability to build models to properly rate the risk,” according to a recent Carrier Management article. Not only are organizations hesitant to report cyber events in fear of reputational loss, insurance companies are skeptical to share incident data with each other for competitive reasons.
Although the insurance industry has historically stayed at arms-length from government regulation, many experts believe the government could play a crucial role in collecting useful data through the required disclosure of certain cyber incidents, particularly when personally identifiable information (PII) is compromised.
Cyber events involving PII, however, account for only a fraction of all data breaches and carriers. In addition, modelers are more interested in how and why a breach occurred, not necessarily that a breach occurred and the number of compromised records involved. Nonetheless, the government could take several steps to improve both the quality and quantity of data accessible to carriers, the first being a uniform national data breach reporting law that would consolidate data into a common repository, a position The Council supports for a number of reasons. Others believe that encouraging organizations to disclose data breach information on the condition of anonymity would ensure sufficient and quality data, but the reality that organizations would voluntarily report this data remains an issue due to liability concerns.
Another example of what the government is doing to promote a greater understanding of cyber risks is the creation of the National Cybersecurity Center in Colorado Springs (NCC). The NCC is a non-profit organization founded in 2016, supported by philanthropic and corporate donations, and aims to “vastly improve the cyber preparedness, security and response of primarily midsize and smaller companies,” a recent Leader’s Edge article explains. The development of a “Rapid Response Center” is dedicated to assist NCC members to both prepare for and respond to cyber threats. The response center will also serve as a clearinghouse for cyber-related information, populated with government data on cyber incidents.
Cybercriminals have historically taken advantage of a lack of coordination around data collection, notification and response. Due to a generally limited understanding of cybercrime at the C-Suite level, appropriate resources and funding allocated for cybersecurity remain inadequate in many organizations. Not only would better data collection in cybersecurity increase cyber awareness, preparedness and response, it would also provide carriers, modelers and brokers with the necessary tools to underwrite this large and complicated risk.
Update on Equifax
By now, we’re all familiar with the Equifax data breach, which resulted in compromised personal information of nearly half the country, or 143 million Americans. Due to sensitivity of the content compromised, this breach marks the worst of its kind to date. Over the last week, experts have come out with suggestions of what to do, such as freezing your credit file at the major credit bureaus, and government officials have been quick to respond with public statements and plans of action.
New York AG Eric Schneiderman has already opened a probe to investigate the breach and several other offices will likely follow suit. Additionally, there are now at least three planned House committee hearings related to the Equifax breach.
While many insurance execs see the Equifax breach as an opportunity for new business, it appears Equifax’s cyber insurance policy is likely inadequate to cover the costs of the breach. Not to mention, the company’s stock is plummeting and more than 30 lawsuits have been filed against Equifax since the breach was announced last Thursday.
Equifax announced that criminals began accessing consumer data as far back as May and reportedly discovered the breach in late June. However, it took the company nearly three months to disclose the breach. On top of that, three top executives sold nearly $1.8 million in stock shortly after the firm initially discovered the breach. Interestingly, the company insisted that those executives were unaware of the breach when they made the sale.
Times are tough for the consumer credit reporting agency with no clear signs ahead; lawmakers have vowed that someone will pay the price. While the company’s future is uncertain, you can guarantee that questions will be answered.
Pool Reinsurance Co., the United Kingdom’s government-backed terrorism reinsurance facility, has won approval to include cyber risks in its coverage, and plans to add the coverage starting on April 1, 2018.
UPS Capital, a subsidiary of UPS, has launched a cyber liability product for small and mid-sized businesses. The product includes coverage for security-breach response, cyber extortion, income and digital-asset restoration. It also covers third-party consequences like litigation, fines and investigation.
U.S. Senators Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT), introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices.
Tracey Vispoli, president of Berkley Cyber Risk Solutions discusses the boardroom’s role decision making following a breach.
Deloitte releases report discussing the state of the cyber insurance market, strategies to overcome growth obstacles and hurdles from the insurer’s and buyer’s perspective.
Banks are increasingly turning to insurance protection against cyber risks and rogue traders following a spate of costly court cases and IT outages, according to a Reuters report.
In response to global cyber threats that require enterprise-wide attention and agile risk management solutions, property/casualty insurance company Chubb has broadened its enterprise risk management solutions for Chubb commercial cyber policyholders in the United States and Canada.