There are only two types of companies: those that have been hacked and those that will be.

Robert Mueller, FBI Director



Cyber insurance is a relatively new offering compared to property and casualty insurance. However, most insurance companies treat it the same way from a limits, actuarial and business perspective. Fundamentally, this is a mistake: historical loss data does not correlate with the cyber risk a company currently carries.

The cyber insurance market is relatively small compared to other insurance products. The underwriting criteria of insurers who offer cyber insurance are in their infancy, and underwriters must actively work with cybersecurity companies to develop effective products. Cyber insurance is a risk transfer mechanism that is enormously beneficial in the event of a large data breach. It buffers the losses and provides a means for businesses to return to normal operations quickly.

Using historical loss events to determine limit adequacy and to underwrite cyber insurance has failed, and the market cannot meet capacity demands.


What is Cyber Insurance?

Cyber insurance is a specialty insurance product intended to protect against risks related to Internet connectivity and attacks against digital assets. Generally, cyber insurance is designed to protect your company from five primary cyber-related risks. These are:

  • Data loss due to a data breach
  • Privacy exposure
  • Business interruption from ransomware and DDoS
  • Errors and omissions

Coverage provided by cyber insurance policies may include both first-party and third-party coverages.

First-party coverages are those that cover the company that owns the data and may include insurance against losses from data exfiltration, cyber extortion, data destruction, hacking, and business interruption from denial of service attacks.

Third-party coverages focus on liability coverage, indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation. They may also include other benefits such as regular security audits, post-incident public relations, investigative expenses, and criminal reward funds.


Components of a Cyber Insurance Policy

An aggregate limit is the maximum amount an insurer will pay for covered losses during a policy period. The annual aggregate limit is the total amount an insurer will pay in any single policy year.

A sublimit is part of, rather than in addition to, the limit that would otherwise apply to a specific type of loss. It is the maximum amount available to pay for that type of loss; it does not provide additional coverage for it, and every payout under a sublimit also erodes the aggregate limit. The loss types that commonly carry sublimits in cyber policies are data exfiltration; business interruption due to denial of service (DoS), distributed denial of service (DDoS) or ransomware attacks; and regulatory fines.
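The erosion rule described above, worked through as an added example (this is not code from the article or the cited book): a policy with a constructed annual aggregate limit and two constructed sublimits is hit by three claims in one year, and the regulatory fine goes unpaid even though its own sublimit is untouched, because the sublimit is part of the exhausted aggregate rather than in addition to it.

```python
"""Added example: how sublimits sit inside an aggregate limit.
All policy figures and claims below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class CyberPolicy:
    """Annual aggregate limit plus per-loss-type sublimits (constructed values)."""
    aggregate_limit: int
    sublimits: dict  # loss type -> sublimit; types without one draw only on the aggregate
    aggregate_remaining: int = field(init=False)
    sublimit_remaining: dict = field(init=False)

    def __post_init__(self):
        self.aggregate_remaining = self.aggregate_limit
        self.sublimit_remaining = dict(self.sublimits)

    def pay(self, loss_type: str, amount: int) -> int:
        """Return the insurer's payout for one covered loss and erode the limits.

        The payout is capped by the smaller of the remaining sublimit (if the
        loss type has one) and the remaining aggregate; every payout reduces
        the aggregate, so a sublimit never adds capacity on top of it.
        """
        cap = self.aggregate_remaining
        if loss_type in self.sublimit_remaining:
            cap = min(cap, self.sublimit_remaining[loss_type])
        paid = max(0, min(amount, cap))
        self.aggregate_remaining -= paid
        if loss_type in self.sublimit_remaining:
            self.sublimit_remaining[loss_type] -= paid
        return paid


def run_policy_year(aggregate: int, sublimits: dict, claims: list) -> tuple:
    """Apply one year's claims in order; return (total paid, loss retained by the insured)."""
    policy = CyberPolicy(aggregate, sublimits)
    paid = sum(policy.pay(loss_type, amount) for loss_type, amount in claims)
    retained = sum(amount for _, amount in claims) - paid
    return paid, retained


if __name__ == "__main__":
    # Constructed claims for one policy year (USD): ransomware business interruption,
    # a data exfiltration event, then a regulatory fine that finds the aggregate exhausted.
    year = [("ransomware_bi", 800_000), ("data_exfiltration", 1_500_000), ("regulatory_fine", 400_000)]
    limits = {"ransomware_bi": 500_000, "regulatory_fine": 250_000}
    print(run_policy_year(2_000_000, limits, year))  # (2000000, 700000)
```

Reordering the claims changes who absorbs the shortfall, which is why limit adequacy has to be judged against the whole year's plausible loss sequence rather than against any single event.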

Figure: Components of a Cyber Insurance Policy

Source: Enterprise Cybersecurity: How to Build a Cyber Resilient Organization – Treating Cybersecurity as an Enterprise Risk, M. Ariel Evans