Cyber incidents are the most important long-term risk for companies in the next 10 years, according to the Allianz Risk Barometer, which surveyed over 800 risk managers and insurance experts in more than 40 countries. With hundreds of millions already paid out to cover cyber losses in the United States alone, businesses are seeking greater insurance coverage. The forecast for cyber insurance is a topic that will be explored at the Secure Halo threatLAB 2016 – Cyber Risk 360° conference, Feb 1-3, by Mary Guzman, Senior Vice President, Director of E&O and Cyber Sales and Strategy at McGriff, Seibels & Williams. threatLAB asked Guzman for a preview.
threatLAB: How would you characterize the change in demand for cyberinsurance?
Mary Guzman: I would say that over the last three years the demand for cyber insurance in general across all industries has probably doubled or even more. The interest is at an all-time high. Every client that we have, no matter the industry they’re in, is trying to educate themselves and understand whether they need cyber insurance and what their risks and exposures are. Healthcare, financial, technology services, and retailers have been earlier adopters but even they are assessing their limits and potentially buying more as they gain insight into how much one of these losses could really cost them.
Their boards are demanding they carry more insurance if they’re public companies. The boards are saying, “What are we doing about this? We’re being held personally accountable for making sure we understand our risk mitigation strategies around information security. One of those has to be insurance.” And they’re saying that to the risk manager now or the general counsel.
We’re also seeing a lot more interest among critical infrastructure companies, including the full spectrum of energy – oil and gas, pipelines, and utilities – because they understand their SCADA and other industrial control systems are vulnerable to attack.
threatLAB: What trends do you see in what is being offered in cyberinsurance?
Guzman: The policies have become broader, specifically addressing the needs clients have around the disclosure of confidential personally identifiable information (PII) and personal health information (PHI). The underwriters understand the risks when they write this exposure now and they’ve dramatically increased their rates and adjusted their rating models to compensate for the fact that there will be significant payouts either from card brand demands or regulatory requirements to respond to a breach. As a result, the coverage is still there, but it has become more expensive and you have to know the ins and outs of the policy language to make sure that it’s going to address all of the unique exposures that arise out of those contractual and regulatory obligations that clients have, as opposed to most insurance policies, which are designed to respond to general legal liability or negligence claims.
I would also say that until two or three years ago, there wasn’t coverage available to critical infrastructure, specifically to power companies for failure to supply, and now you can get failure to supply coverage, which has brought a lot more clients to the table.
threatLAB: What do companies need to know about cyber risk policies?
Guzman: We still see a lot of policy forms that have sub-limits in them, especially around all the breach notification expenses that are incurred. When you have an information security breach that involves PII or PHI, a lot of those policies have limitations on how much the client can spend for forensics, notification or credit monitoring. So you want to make sure you don’t have sub-limits or that you understand exactly how they’re going to work.
The second thing is that I don’t think people have a great understanding of how their policies will cover their contingent risks from use of vendors or third-party service providers, which is a huge exposure in the cyber world. On the first party side you have coverage for your own business interruption loss, and on the third party side for liability claims. It can cause significant problems for clients if they don’t understand how their policy will respond if the loss doesn’t happen directly to them. It happens regularly where a business will have a loss and expect it to be covered and it’s not covered because it happened to a third party service provider. For example, the third party provides web hosting or security services or another service relied upon to keep systems up and running. It’s a major exposure and it’s actually hard to insure.
threatLAB: What kind of information should companies expect to provide to insurers?
Guzman: That’s definitely changed over the last 18 to 24 months, especially for retailers and large merchants. It used to be that you could fill out the form and check the box that said that you were PCI compliant, for example, and you could get $200M in cyber insurance. Now, the underwriters have a full questionnaire just around PCI, POS applications and assessments. And they’re wanting to take a deep dive on point to point or end to end encryption, and whether or not you’ve followed the requirements by the card brands to move from the stripe to chip and pin. So it’s a lot more involved than it used to be and may require a separate questionnaire or a conference call with the CIO or CISO.
Or, if it’s really significant or challenging risk, some of the underwriters require at least a separate conference call no matter what limit the client buys or how broad the policy is. Others will require it only for critical infrastructure clients. The markets are spending a lot more time asking questions and focusing on security assessments and whether or not you follow recommended guidelines. The riskiest industries may require a formal on-site assessment.
threatLAB: What connection have you seen between the purchase of cyber insurance and organizational security posture?
Guzman: There definitely is a connection. From year to year, when you go to renew the policy, insurers want to see consistent improvements to information security. Some of the recent articles and statistics point to the fact that if you have better security and a better business continuity and disaster recovery plan, you will do far better in the event of a breach. Many assessments focus on preventing the hacker from getting in, whereas I think the underwriters are coming to realize that hackers will get in, and that if you don’t have a developed and tested business continuity and disaster recovery plan, things will not go well. The cost to respond to the breach, the public fallout, changes in share price will all be reflective of how ready you are as a company. So insurers are a lot more focused on business continuity and disaster recovery planning than they have been before.
threatLAB: Have you see companies benefit from the experience of going through assessments?
Some of our energy clients who have been through the TSC Tier 3, including one of the largest utilities in the country, developed their whole 2015 information security plan based on what they learned in their 2014 TSC assessment. They put their focus on improving their security maturity in the identified areas and it really paid off for them. They got kudos from their board of directors, they had a very actionable plan that could help them justify their information security spend in their budget and hiring the resources they wanted. And they also got a reduction on this year’s renewal for their information security insurance program.
Learn more about threatLAB 2016, Cyber Risk 360°.