Friday, 17 February 2012
A risk in time
It was not so long ago that trying to sell cyber coverage was like trying to sell vacuum cleaners on the doorstep. Awareness of the potential exposures among risk managers has, however, risen dramatically and insurers are working hard to meet demand. Commercial Risk Europe’s Dublin-based cyber risk expert Nik Pratt reports the latest developments in risk awareness, management and transfer of this critical exposure.
Last year was a watershed year for the fledgling cyber insurance market and one that should see it finally develop here in Europe to somewhere near the level it has in the US. As far as insurers are concerned, Europe is now a far more receptive market and is much changed from the time when promoting cyber insurance policies was like selling vacuum cleaners door to door.
“I have been in the cyber insurance market for 15 years,” says Patrick Pouillot, IT Underwriting Manager for ACE Europe. “In the early days I would make appointments to see risk managers and show them various charts and tables but they would tell me to go away because they already have a team of IT experts. But now it is very different and they are happy to talk to us.”
In some cases the heightened awareness is from first-hand experience. Industry surveys show that both the frequency and severity of data security breaches are on the increase.
In August 2011, the US-based Ponemon Institute issued its second annual cost of cyber crime study, which focused on a representative sample of 50 large-sized US-based corporates but also included a number of multinationals.
According to the research, the annual cost of cyber crime has increased by 56% from 2010, ranging from $1.5m to $36.5m per year per company, with a median cost of $5.9m per company.
The number of attacks has also increased by 44% from 2010 with the 50 companies canvassed experiencing an aggregate of 72 successful attacks per week.
Another development for risk managers is the changing business environment.
New technologies such as cloud computing, social media, remote access and smartphones offer new opportunities for companies to reduce operating costs and also generate revenue through new distribution channels, but they also create new vulnerabilities.
These vulnerabilities are highlighted in the seventh edition of the World Economic Forum’s (WEF) Global Risks survey where cyber risk has been identified as the fourth biggest global risk in terms of likelihood.
The report also dedicated a section to what it called ‘the dark side of connectivity’.
The number of devices connected to the internet is expected to reach 31 billion by 2020 and, while potential benefits are obvious, there are downsides. “Connectivity also allows for amplification; attacks that would have been isolated incidents in the physical world can achieve a cascading effect through connectivity,” stated the report.
Another reason for heightened awareness of cyber risk is the more intensive media coverage of data security breaches. Cases such as the one involving Sony’s Playstation Network or the University of Utah Health Care (see panel) were widely reported in both the specialist and mainstream media, leading boardroom executives to seek assurance from their risk managers that the same fate could not befall them.
Yet despite the greater awareness of risk managers and their boards, there is still evidence that many companies are not sufficiently insured.
A survey carried out in May 2011 by professional services firm Towers Watson reported that the vast majority of companies (73%) have not purchased network liability insurance, with 37% believing that their own internal IT security is adequate and 15% that the cost of insurance is prohibitive.
It is understandable that the insurance industry has not leapt at the opportunity to provide insurance for cyber-related crimes and data breaches.
As with any other emerging risk, there is a lack of historical data around cyber-related loss events when compared to more traditional areas such as property, casualty and health, making it harder to model and measure the risks.
As the WEF study states, most reports reference the same figures—those provided by the Ponemon Institute—and more information is needed to allow businesses to gauge the extent of the risk since many remain un- or under-reported.
Fortunately there are now more studies and statistics of cyber risk available to risk managers than ever before, including ones focused on the cyber insurance claims experience, such as the Cyber Liability and Data Breach Insurance Claims study carried out in June 2011 by NetDiligence®, a US-based cyber security and risk management company.
“Right now the industry is guessing at the frequency and severity of these cyber risks,” Mark Greisiger, President of NetDiligence® told Commercial Risk Europe.
“A lot of their assumptions are gained from media coverage and while everybody likes to quote the Ponemon study I wanted to find out what is actually being paid out by insurers. There are only twenty or so underwriters out there in the market and I don’t think any of them have enough data of their own to build up any meaningful study.”
Mr Greisiger worked with 15 different underwriters and analysed payouts from 117 legitimate claims made between 2005 and 2010. Ninety-five percent of the breaches were caused by one of three things—hackers, rogue employees and the loss or theft of equipment.
The findings also showed that personal identification information is the most commonly exposed data type and healthcare and financial services are the most commonly breached industry sectors. The average cost per breach was $2.4m with the majority devoted to legal services.
The three aforementioned cases have been instrumental in raising the awareness of cyber insurance among risk managers.
“Many times clients come to us because they have seen an incident reported in the media and they want to ensure the same does not happen to them,” Tom Draper, a cyber liability and data security broker at Lockton told Commercial Risk Europe.
Or else companies may wrongly assume that their cyber exposures are covered under existing coverage. “We have been asking our clients if they think they are insured for a privacy breach and many of them say ‘we know we should be and we think we are but we don’t know’,” said ACE’s Mr Pouillot. “So we are asking risk managers to go back to their brokers and confirm whether or not they have insurance in place.”
In the UK, the risk management association Airmic has just announced plans to conduct a review and audit of what insurance products are currently available for cyber risk. “Cyber risk is a high profile area for our members, reinforced by both their own experiences and by the UK government’s recent decision to highlight cyber risk as a key management concern,” Paul Hopkin, Airmic Technical Director, told CRE.
Once the audit has been completed, Airmic hopes to link that information with a second area of research into IT protection and what controls underwriters want to see in place at prospective clients.
“Once we have taken that snapshot of the market, we then have the opportunity to broaden the project out much more, by consulting with our members and undertaking a gap analysis in terms of our members’ expectations and what is currently available in the market,” said Mr Hopkin.
“We can also then look at exploring other related areas in the cyber world, such as cloud computing, social media and so on,” he added.
In the past risk managers have expressed some dissatisfaction with the insurance market and the paucity of products available. While this market waits to reach maturity, there will clearly be issues that remain unresolved. For example, will it become clear what cyber-related risks are already covered under existing policies? Where new exposures or liabilities exist, will risk managers be able to extend existing coverage or will they have to invest in stand-alone policies?
And will it become easier to identify those risks that are best covered by mitigation and those that are more suitable for risk transfer?
“We know that there are concerns out there among members but it is still an evolving market and I don’t think any risk managers feel like they have hit a brick wall or that there are not any insurance products out there for them,” said Mr Hopkin. “It is a developing market and one that all of our members are interested in, so it is a great opportunity for both general and specialist insurers to develop suitable products.”
According to Lockton’s Mr Draper, there are currently fewer than 10 carriers in the UK and more than 30 in the US that offer cyber risk policies. But he does anticipate more insurers entering the market, especially with the requirement to notify customers in the event of a data breach likely to become mandatory in Europe.
Under the current EU Privacy Directive, notification is voluntary in most member states (with the exception of Germany), but the current EU Justice Commissioner Viviane Reding stated in a speech to the British Bankers Association in June 2011 that she intends to ‘introduce a mandatory requirement for notification of data security breaches’.
Given the immaturity of the market and the excess capacity, premiums are not prohibitively priced, say brokers.
“Rates are still very competitive and I don’t think that will necessarily change in the short term,” Lisa Hansford-Smith, a Senior Vice President in the Financial and Professional Practice at Marsh, said. “Often you need some kind of quantum shock for rates to increase but at the moment we can normally get multiple quotes for clients when we go to the market and we can normally tailor and enhance the wordings of the policies so it is a good time for insurance buyers.”
This is supported by NetDiligence®’s Mr Greisiger. “Because the market is soft there is a lot of capacity and a limited number of insurers all chasing the same business. So the scope of coverage is very broad at the moment. Many years ago when this market was really in its infancy, the wording was much more specific, data losses had to be a result of a malicious attack but the coverage now is much broader and tends to include any loss of data, including paper-based data.”
This could change, though, accepts Mr Greisiger, given that the cyber insurance market is at an especially transitional stage. “We could see more exceptions in insurers’ coverage. It is a dynamic market and there are constant changes to the threats and the laws. For example, California has outlawed the use of zip codes for any company holding medical records. And there are more clients using cloud computing for storing their data. And if a large cloud provider goes down that could be a game-changer in terms of claims. And we could see underwriters insist on encryption for any firm that uses a cloud provider. Or else they may insist on the use of new data loss prevention technology. However, the fact remains that cyber insurance is still a soft market and while many underwriters may insist on sensible measures to be taken by their insureds before offering coverage, others may be prepared to shoulder more risk in order to build up a client base,” said Mr Greisiger.
Chubb launched a cyber security insurance product for the UK, Ireland and the rest of Europe in December 2011, targeting companies that own or handle confidential personal data or transact business over the internet. The coverage is for the financial loss that arises from a data security breach and includes both third party and first party coverage. And while the inclusion of both first and third party coverage is not uncommon among cyber insurance products, it is first party coverage that is really driving the market at present, Michael Thyssen, European Product Manager of Chubb Specialty Insurance, told CRE.
This may change as more plaintiffs bring liability claims for emotional distress to the US courts, as recent cases involving US retailers Starbucks, Hannaford and RockYou have shown, but the majority of judges are still looking for actual rather than speculative harm before awarding damages.
There may be some coverage for cyber-related risks under other insurance products such as fund transfer fraud under financial fidelity policies and some overlap with kidnap and ransom, said Mr Thyssen.
As regards other lines, D&O, GL and BPL policies do not normally provide any first party coverage and may have an IT exclusion, and property policies normally require physical damage to tangible property. “The current product therefore is filling gaps for expenses such as remediation costs and post breach expenses such as notification and crisis management expenses as well as loss of business income. The expenses associated with notification are a significant portion of a company’s loss and this is what risk managers are looking at,” added Mr Thyssen.
Nevertheless, the estimates around potential notification costs can vary wildly as was seen with the Sony case where Forbes magazine had speculated that total losses arising from notification could total $24bn.
In reality, Sony has paid $171m.
Such disparity can lead companies to wrongly assume that cyber risk is just too large an exposure to cover with insurance, suggested Mr Pouillot.
“The truth is that the market has the capacity to manage these claims. In the US we can insure up to $20m but we never sell it. The scenario of having all your IT systems destroyed and all your clients affected is not the true story. It is about having one operating system or one database infected and estimating the residual risk involved. Insurance companies are ready to pay for risks that are identified, quantified and where there is hazard. There is not a problem with capacity but no insurer will pay for risks that are not identified or quantified.”
As well as the coverage available for third and first party losses and expenses incurred after a data breach, Chubb also provides a number of pre-loss services such as access to an online portal comprising news of recent attacks, guidelines on best practice for IT security and links to various vendors in the IT security space. “If a company takes advantage of the available pre-loss services, depending on the outcome it may have a positive effect on our underwriting and their premium,” said Mr Thyssen.
The conditions set by underwriters are a key concern for risk managers, and Mr Thyssen said there are various factors that Chubb’s underwriters will consider when offering coverage. “We assess risk by a prop form that we send out to potential insureds. Do they have an information security policy in place? Is there an incident response plan or a business continuity plan? Do they conduct intrusion testing? Are laptops and other remote devices such as smartphones and data sticks fitted with encryption software? How big is the IT department? Is the company PCI-compliant? To what degree is the company dependent on the internet for its business?”
Brokers have also stressed the need for risk managers to involve other departments in any discussion of cyber insurance. “We always try to get the IT department involved as well as the legal and marketing departments,” said Marsh’s Ms Hansford-Smith. “A lot of people assume that all cyber risk sits with the IT department but often marketing staff are more on top of the risks they face, especially if they have a lot of internet-based sales or promotions.”
“Just as a risk manager would consult with the health and safety department before buying liability insurance, we would expect them to consult with their IT department before buying cyber insurance,” adds Airmic’s Mr Hopkin. “As this market matures, this is what we hope will happen.”
Perhaps the biggest challenge for the industry is that in the time it takes for the market to mature, new exposures will emerge where managers are left without cover. For example, the Stuxnet computer worm used to infect Iran’s nuclear effort also infected other users of the same operating system, creating a whole new category of cyber risk best described as ‘collateral damage’.
And then there’s the unpredictable world of social media where the popularity of inventions like Twitter continues to confound common sense.
Clearly both insurers and insureds will have to match maturity with invention and innovation in order to stay on top of these perpetually evolving exposures and risks.