Cyber insurance – a term we’re getting used to seeing more and more these days, but I’d argue there remains a general sense of anxiety associated with it. In fact, according to Advisen’s 2020 Cyber Insurance Market View survey, the three main identified obstacles to cyber insurance adoption are “not understanding exposures” (70%), “not understanding coverage” (51%) and costs (50%).
What’s more alarming is that cyber incidents and cyberattacks have become a “when” problem and no longer an “if”. Where does that leave cyber insurance?
Traditionally, cyber insurance was purchased only by businesses processing sensitive information, with coverage only for third-party liabilities. However, in 2020, virtually all industries, big and small, regardless of how much sensitive information they are handling, are realizing the need for comprehensive and standalone cyber insurance. For instance, with automation becoming integral to the manufacturing sector, there has been an increased likelihood that cyberattacks can lead to network outages and entire work stoppages. At the other end of the spectrum, small businesses are finding that while cybersecurity tools may help prevent, detect and mitigate cyber incidents, cyber insurance accelerates the response and recovery process in the aftermath of a cyber incident when it inevitably does happen.
Unfortunately, increased demand for cyber coverage across varying organizations has led to a one-size-fits-all approach in which cyber coverage is added onto existing policies. These policy add-ons, referred to as endorsements, are often limited and only cover data breach events, with sub-limits that are inadequate to cover even the loss and expenses resulting from a data breach. Standalone cyber insurance, by contrast, allows businesses to get effective financial protection from the multitude of cyber incidents they face – cybercrimes, social engineering, ransomware, and more. Compared to coverage bundled in a Business Owner Policy (BOP) or Errors and Omissions (E&O) policy, standalone coverage brings clarity over what’s covered and usually includes security breach expenses, regulatory fines, public relations, notification expenses, extortion threats, computer & funds transfer fraud, social engineering, and business interruption, with aggregate limits and sub-limits. All of these can be tailored to a business’s specific needs.
The evolution of cyber insurance from tailored coverage with limited solutions to a vital element of every organization’s cyber risk program has pushed insurers to provide policies that are accessible to cybersecurity novices while still having the intelligence and speed to evaluate today’s cyber threats.
Let’s take a look at the most instrumental characteristics of a comprehensive cyber insurance policy in 2020 and beyond: flexibility, transparency and specialization.
Each client requires different coverages and inclusions, depending on their industry, business model and vulnerabilities. Cyber insurance holders should not be charged for irrelevant coverage; brokers should create tailored policies to increase the benefits of the coverage while decreasing the program’s overall price. We recommend shifting existing coverage into specific insurance contracts rather than offering general policies with exclusions. Additionally, cyber is all about data and how to assess continuously changing risks; policies must be updated regularly to keep pace with an industry that is constantly evolving. Innovative cyber insurance firms are rapidly digitizing the insurance process, integrating artificial intelligence (AI) and machine learning (ML) into their offerings.
Perhaps one of the most common reasons businesses are slow to adopt cyber insurance is a lack of transparency. With the cyber insurance industry gaining traction, insurers are racing to replace jargon in policies with wording that anyone can understand. Simplifying terminology leads to a shorter and more straightforward insurance policy. Carriers must craft a simple set of wording for all sensitive information, whether that be personal data, corporate information or health records. The ideal cyber insurance program is a 100 percent online process, meaning no more confusing questionnaires that lead to risk assessment being based on unverifiable data. Cyber insurance should not have to be complex for either policyholders or agents; policies should be curated on the premise that technology and robust insurance forms will deliver a much better experience for all.
As many traditional lines of insurance are realizing their cyber risk vulnerabilities, carriers must continue to identify tailored coverage options for their clients. Cyber insurance has limitations, but not as many as the media headlines would lead you to believe. Coverage must be specifically designed for cyber risk exposure – not entwined with other lines of coverage. Likewise, every business uses technology differently, which is why a one-size-fits-all policy cannot work for cyber. As the digital landscape evolves and cyber criminals employ new methods to cause damage, cyber insurers must go beyond data breach coverage to offer policies that cover a variety of cyberattacks, including cyber extortion, ransomware, social engineering and business interruption.
Cyber insurance will continue to evolve
Cyber insurance providers will continue to innovate, resulting in a stronger relationship between policyholders and insurers. Transparency across all stakeholders is needed, and having them all work from a single source of truth will be equally important. This holistic view of privacy needs to be ingrained throughout private and public organizations and ultimately become less regulation-driven. Successful cyber insurers will shift focus to offer tools that empower policyholders to learn more about the cyber landscape and better protect their organizations.