Partner Emmanuèle Lutfalla, Associates Deborah Azerraf and Alice Decramer, and Trainee Simon Fitzpatrick, examine how insurers should approach the use of cyber risk insurance policies, from a French law perspective, in Actuarial Post.
The article was published in Actuarial Post in May 2020.
Cyber risk is insurable, but structuring and applying cyber risk insurance policies is particularly difficult. With this in mind, the need to offer appropriate solutions becomes increasingly evident.
Understanding cyber risk: the current state of available policies
Cyber risk is not a new risk. Its common consequences include business disruption, loss of data, loss of profit and material damage. Insurers are familiar with such losses, which are covered by traditional insurance policies.
There are multiple scenarios where traditional insurance policies will cover cyber risk:
- A cyber incident may be covered even though it is not expressly identified within the policy’s scope and was not taken into account when the contract was priced, or where the insured party bought additional policies in order to increase its cover. This is the “silent cyber” issue.
- Insured parties can also add clauses to their traditional policies in order to cover cyber risk.
- Some businesses, in particular SMEs, tend to buy “all risks apart from exclusions” type policies when they are unable to analyse their risk exposure properly. Others simply fail to buy cover for a risk they have not identified. Unless cyber-related damage is excluded, such policies should be triggered in the event of a cyber incident.
Thus, damage caused by a cyber incident could be covered by traditional policies. This makes it harder to determine the extent of each insurance cover and leads to several policies overlapping: a hurdle for both the insurer and the insured.
Because of this complexity, some insurers have chosen to offer dedicated cyber risk insurance policies.
Historically, such policies have been aimed at large companies, but standardised cyber policies for SMEs are now on the market.
Cyber policies generally have three components: civil liability, damage and support. These policies cover crisis management expenses, investigation fees, notification fees, data recovery fees, operating losses and third-party losses.
Their strength lies in the support provided to the insured and in determining the required level of protection before a crisis occurs. When a crisis hits, the policies also help with crisis management, often by providing an emergency number with a guaranteed minimum response time and the possibility of dispatching experts.
The development of cyber insurance cannot rely solely on demand; the benefits offered must also improve.
The necessary adaptation of cyber risk insurance policies
The content of cyber covers and the damages they cover must be clarified.
Companies still question whether the purchase of a specific policy is necessary. The contracts’ lack of clarity and the inclusion of sub-limited guarantees do not help. Reputational damage is usually excluded, even though it represents a significant loss for the victim of a cyber incident.
Insured companies are thus often unable to compare the available cyber policies, and their willingness to subscribe is paralysed.
Similarly, when a company’s guarantees overlap, insurers must clarify their position and the interaction between the subscribed policies so that a cyber incident is managed efficiently.
The technical nature of cyber risk requires insurers to develop expertise and create specialised teams, which will benefit both the insurer and the insured. Such expertise will also prove invaluable in auditing cyber covers, evaluating exposure and identifying potential gaps in guarantees.
Insurers are increasingly aware of the importance of offering bespoke cyber insurance products to meet businesses’ diverse needs, and are discussing the potential benefits of specialising in certain types of cyber incident or in a specific industry’s cyber risk, rather than offering one-size-fits-all products.
Because actuarial data on cyber risk is lacking, insurers should develop new risk assessment methods while keeping records of identified cyber incidents, including building a bespoke risk profile. Reinsurers will play a significant role and will require their customers to provide a detailed analysis of their cyber risk exposure before agreeing to reinsure them.
One can also ask to what extent insurers can legitimately rely on their customers. The insured are required to update and protect their systems, but it is difficult to define precisely the extent of their due diligence: for example, how much time must have elapsed since the last update for cover to be denied?
Moreover, many companies are reluctant to share confidential data, or data indicating what level of protection their systems require, with their insurers.
Today, a company’s cyber risk exposure is not always properly valued, and premiums do not always correlate with risk: cyber insurance premiums were three times higher than civil liability premiums and six times higher than property insurance premiums for the same coverage value.[i]
However, this may change in light of the GDPR and national regulations’ duty of care regarding data security and incident notification requirements.
Inevitably, we must consider the State’s role in evaluating this risk and collecting cyber incident data. Data collected through these notifications should be communicated to insurers, as it would enable them to conduct a thorough risk analysis and offer truly bespoke policies. Rather than the cyber risk management insurance fund recommended by the Club des Juristes’ Cyber Risk Committee, the appropriate first step is data sharing between the State and insurers.
Insurers are a natural and vital partner for companies in terms of support and risk prevention, and must remain so for cyber incidents. Cyber risk coverage may also be useful in developing new insurance products for other emerging risks.
It is also important to consider that insurers are not the only organisations that could cover cyber risks. Some companies, including publicly traded ones, plan to create a parallel market for cyber risk prevention and management. To limit such parallel markets, insurers must adapt their products to the cyber market at all costs.
[i] Enhancing the Role of Insurance in Cyber Risk Management, OECD Publishing, 2017.
Feb 26, 2021