A September 2016 survey by the Risk and Insurance Management Society found that 80% of companies surveyed bought a stand-alone cybersecurity policy in 2016. The takeaway, according to RIMS, was that policies covering cyber exposures exclusively are now the norm for many large companies. In fact, the survey made it seem like buying cyber-insurance was a no-brainer.
But new research from the Deloitte Center for Financial Services throws cold water on that assessment of market conditions.
After conversations with primary carriers and brokers writing cyber-insurance coverage, Deloitte produced a report detailing a host of problems in the buying and selling of cyber insurance — problems that limit companies’ ability to find the right coverage and make them uncertain how well covered they are when they do purchase a policy.
For example, companies have a “hard time quantifying exactly how big a risk they face,” says the Deloitte report, “Demystifying Cyber Insurance Coverage.” According to the report, “that may lead to uncertainty about what type of coverage and how much insurance [a company] might need, as well as the cost/benefit associated with transferring at least part of this burgeoning exposure to insurers.”
Complicating matters for buyers and carriers is the “continuous evolution of risks that undermine exposures’ predictability,” according to the report. “As underlying exposures continuously shift, insurers adapt to one type of attack only to face a new threat technique. … Operationally, innovations in business — like [the Internet of Things] and autonomous vehicles — also pose new cyber-attack possibilities that need to be assessed and insured.”
For the purposes of underwriting, there is also the challenge of a lack of sufficient cyber-attack data. Because companies aren’t required to disclose all hacks and breaches, many go unreported.
“As a result, the insurance industry faces a rampant reporting bias that is hard to translate into policies,” the Deloitte report says. There is an answer for this: “Insurers can implement risk-informed models as opposed to definitive predictive models and break down data silos across the industry to better pool underwriting resources,” Deloitte suggests. But, for now, the issue still exists.
Despite all this, carriers and brokers are going ahead and selling cyber-risk coverage. But what carriers and brokers are offering is not, in many cases, appealing to companies, to put it mildly. For one, there is what Deloitte calls a “lack of standardization in defining and underwriting cyber risks.” As Deloitte explains, “Cyber coverage is often written via customized policies, resulting in different terminology from carrier to carrier.”
Cyber risk may also be included as part of a wide range of products, Deloitte says, “including general liability, property, professional liability, business interruption, and crime policies. This complicates efforts by the buyer to assess coverage needs, match policies with exposures, and compare alternatives.”
An additional issue with cyber-risk policies is their comprehensiveness. “Many insurers have tunnel vision when it comes to writing [them], focusing primarily on marketing cyber products for personally identifiable data hacks and ignoring the many other cyber risks that companies face.”
For buyers, this can be a major turn-off. “Concern over potential coverage gaps seems to be a major reason why many businesses that want and need cyber insurance are passing for now,” says the Deloitte report.
In addition, “many large commercial buyers wonder whether the coverage being offered by insurers is sufficient for the risks they face or the premiums they’re being asked to pay,” Deloitte says. “At present, cyber policies often are capped with relatively low limits for the risks being covered, which brokers told us may be discouraging more buyers from taking the plunge.”
Companies are also worried about being on the hook for a major loss if they have to litigate a disputed claim “due to differences [with the carrier] over which policy applies or whether policy language indicates coverage,” the Deloitte report says. Because cyber coverage disputes have not made their way through the court system, “policy terms and conditions have therefore yet to be battle-tested,” one broker told Deloitte researchers.
“Given all the potential confusion surrounding which policies may cover which cyber risks … brokers we spoke with told us that many buyers remain leery about purchasing coverage,” says Deloitte. “Companies want to avoid buying coverage they don’t fully understand and whose language may still be subject to interpretation.”