The days of renewing cyber policies “as expiring” and based on limited information are past.

The bigger picture

The global Property & Casualty (P&C) insurance industry is under pressure, this impacts the classes of business comprised within – including cyber insurance.

In their 2021 Global Insurance Outlook, Ernst & Young reported that the top 50 global P&C insurers saw a decline in combined ratios which were already under pressure; from 95.2% in 2014; 96.2% in 2019 to 98.1% by the first half of 2020.

Reinsurers are also feeling it.  In October 2021, rating agency S&P Global said: “The global reinsurance sector has generated weak underwriting results in the past four years (2017-2020), and 2021 is shaping up to be another below-par year.”

Cyber

Cyber insurance is in a corrective phase, although it appears to be more immediate in its needs for change than other product lines.  This is undoubtedly due in part to it being a newer product but we cannot overlook the scope of coverage set against a dramatic threat landscape.    

Following the introduction of the data breach notification laws from the early noughties, cyber insurance emerged as a sort of crisis management policy, not unlike Kidnap & Ransom, but to help companies navigate these new regulations. Over time, coverage materially expanded, but the submission requirements and premiums charged did not.   

For years, cyber insurance offered a one-size-fits-all approach to organisations with very different cyber risk profiles. The expectation of loss may have been weighted to one insuring clause; in reality, any of the insuring clauses could produce a limit loss. 

Underwriters now want much more information to help assess the potential frequency and severity of an event that will trigger a claim or loss. The questions they will ask about vary by industry but a high-level sample of the current topics are as follows:

Privacy liability and privacy regulation

  • Type and volume of sensitive personal data collected, processed or controlled                 

Insurers are looking for strong data inventory management. How many records? Where they are stored/secured and what are the largest single repositories?

  • The volume of records is an indicator of the number of people who may be impacted by a breach or bring a lawsuit. Therefore, insurers want to know the number of records held on unique individuals. The name, address, date of birth, or transaction history for one person is one record, even if the data points are not stored together or if they represent multiple transactions.
  • The type of data indicates which regulations might apply. If biometric data is collected, insurers may apply an exclusion.
  • To assess the potential vulnerability of the data, insurers will evaluate how the data is secured – that there is limited access and that there are technical controls to prevent unauthorised access.

Network security liability and business interruption

  • Network Security Practices, Processes & Governance

To assess the potential vulnerability of a network to an attack, insurers will evaluate governance policies, as well as technical controls, to ensure that the organisation is maintaining reasonable security. The security needs to be proportional to the sensitivity of the data and the organisation’s business-critical network. 

  • Organisational Structure, Compliance, and Certifications – to include any specific InfoSec frameworks and status of compliance with relevant data-regulators
  • Access Control
  • Multi-Factor Authentication
  • Email Scanning and Filtering
  • Endpoint Detection and Response and Intrusion Detection Tools
  • Segmentation
  • Patch Management and Vulnerability Assessments
  • Segregated Back-ups (multi-layer)
  • Employee Security Training and Awareness
  • End of Life Systems / Lifecycle Management
  • Vendor management

Cyber extortion

Cyber extortion can result in a confidentiality breach, but it can also impact the availability of the network and/or data. In addition to the information provided in connection with network security and privacy liability and privacy regulation, insurers will need to know how quickly the organisation can restore operations in the event of a ransomware event. This means they will also been keenly interested in the back-ups & recovery of systems and data from these backups.

Event response 

  • Business continuity / disaster recovery / incident response

How well, or poorly, an event is handled can impact future loss – whether it’s business interruption or liability to customers, consumers, and/or regulators.  

  • Are formal policies kept offline?
  • Are policies tested annually?
  • What are the measurable objectives: Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?

In conclusion

The cyber market is changing.  It is more important than ever for organisations to speak to a Cyber insurance broker early for guidance on the insurers’ requirements. These may vary based on the insured’s industry and will likely evolve as insurers are informed by developing claims activity. The more time that everyone has to implement changes to their controls and governance could prove the difference to obtaining a quote or not.