Cyber Insurance -- a new way to look at insurance

Recently I attended a webinar on a future trend in insurance called Cyber Insurance. While Cyber Insurance products were primarily served by surplus line brokers and agents, these products are becoming more mainstream, and agents are now writing Cyber Insurance as a stand-alone policy or as part of a Commercial Package Policy.

Cyber losses were initially not covered, although some aspects were covered in the form of business interruption coverage. There were specific exclusions under which property (such as computers or industrial machines) damaged by a cyber attack would not be covered. This was an unmet need, which was filled by Cyber Insurance.


The basic tenets of the policy are still the same as any commercial policy: there is first-party coverage for any damage to business-owned property due to a cyber attack, but not third-party coverage, as that will already be covered under liability insurance. The thin line of difference between Cyber Insurance and Commercial Property is that when a claim is filed, if the cause of loss is determined to be a cyber attack, then only cyber insurance will kick in.

A special exclusion clause is also kept in the policy for when the cyber attack is determined to be catastrophic and has affected a large number of organizations.


One of the most interesting points of the discussion in the webinar was the question of which category of business would find a cyber attack most disastrous for its operations. The answer was critical infrastructure, such as power plants, water supplies, and heavy industrial factories.


As these industries rely on computer systems for monitoring critical systems, a hack of any one terminal could spread through the entire network and bring operations to a standstill. For example, a cyber attack on a power plant could take out the lights of a city, resulting in huge losses to the city and to the power plant's operation. A typical minute of downtime for a power plant is equal to a loss of around 40,000 dollars.



Some other points from the webinar discussion were:

Risk Management

1) Risk Framing — understanding the Business 


2) Risk Assessment - how well we are doing in terms of risk assessment, which can be defined as follows:

    • evaluate the response plan
    • account for the impact
    • audit policies and controls
    • evaluate architecture

3) Risk Response - closing the gaps, making policies, deciding what we are going to do about it; assessing both reactively and proactively; having a good process to react.

4) Monitoring Risk - monitoring the internal and external factors


Failure in risk management could lead to a breach, and reputational damage is a huge consequence of a breach.


What can cyber insurance do? Cyber liability insurance can cover the business interruption expenses and lost income resulting from a network outage or computer system malfunction due to the following primary loss exposures:

  • administrative error
  • employee negligence
  • malicious attack

Physical damage as a result of a cyber attack (property insurance doesn't always cover this).


Explanation: property damage caused by a cyber attack will not be covered by named-peril property policies. It may be covered in all-risk property policies, but normally cyber attack is an exclusion.

Industry/risk-specific enhancements are available, similar to other commercial policies (example: replacement power for utility companies).

Explanation: in an outage to the power system, the utility is unable to supply power and often has to purchase power from another power plant; this purchase can be covered by a purchase power endorsement.


In a typical survey with agents

88 % have not quoted cyber liability insurance for utility insurance

38 % have quoted cyber liability for manufacturing companies

This result shows the market is ripe for expansion.


Where do you think the greater risk for cyber insurance is?


Answer: 

The power grid, because it is underserved, even nuclear power facilities.

Data breaches, which could result in exposing the health care records of patients.


One example was hacking into German steel and damage to steel.




Traditionally, cyber liability is mainly sold as a business interruption policy or as a component of a policy. The main difference is that there should be a physical cause for the business interruption, like fire, but in cyber insurance it can be something like an administrative error or a system failure.


Risk management strategies

  • Risk Mitigation — IOT, automated control systems
  • Buy cyber liability insurance for Risk Transfer


For specific coverage, such as SCADA software systems, the exclusions don't have a catastrophic physical type like fire or wind, because that is covered in physical property.


First-party property damage is covered in cyber liability, not third-party property damage, which will be covered by general liability.


Loss of income due to business interruption is covered in cyber insurance, similar to property insurance.


Property can be covered in cyber insurance by enhancing cyber insurance


As per the survey, agents do not have in-depth knowledge of writing cyber insurance.


http://smarter.nasinsurance.com/


Primary rating base continues to be

  • revenue 
  • number of records that they store
  • what they expect to lose when there is an outage


Limits are set on a per-occurrence basis. 20 million on a per-insured basis — spread among other insured customers.


Typical limits range from a 1 million dollar limit upwards to a 100 million dollar limit.


Very strict terrorism exclusions - nation state — all electronic terrorism 


Some common points to discuss are:

Micheal Palotay — mpalotay@nasinsurance.com

818.800.4476

www.nasinsurance.com


Dave Dalva

ddalva@strozfriedberg.com

202-534-3294

www.strozfriedberg.com