Many captive owners are being asked to consider writing cyber-liability coverage in their captives. The idea has been discussed at numerous captive conferences over the last several years. Additionally, there are dozens of articles available on captive vendor websites that explore the possibility. Reading these articles can lead many owners and board members to conclude that cyber-liability coverage is worthy of pursuing.
However, before any captive decides to add cyber-liability coverage to its other lines of business, even though the pressure may be to do so, captive owners and boards need to ask a series of questions. From our perspective, these questions should include the following:
- Can cyber-liability be considered “insurable risk”?
- What is the current state of the cyber-liability market?
- Do we understand what cyber-liability coverage is?
- Is a potential “black swan” event possible?
- Can we get comfortable with our insured’s cyber-security?
We will explore each of these questions.
Can Cyber-Liability Coverage Be Considered “Insurable Risk”?
Because so many insurers have jumped into the cyber-liability coverage market, captive owners and board members may be inclined to conclude that the answer to this question is yes. However, there is still considerable academic debate on whether cyber-liability, like terrorism risk, can be considered insurable. For purposes of this discussion, we will use the following definition for cyber-liability, taken from A Taxonomy for Managing Operational Cyber-security Risk, an August 2014 blog entry from the Software Engineering Institute at Carnegie Mellon University: “operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.” Captive owners might want to refer to the National Association of Insurance Commissioners website to see how regulators define this risk.
Several essential conditions must be met before any risk can be accepted as insurable. The following five criteria are normally accepted as the requirements for an insurable risk:
- The loss must be due to chance.
- The loss must be definite and measurable.
- The loss must be predictable, meaning it must be of such a nature that its frequency and average severity can be readily determined to establish the required premium.
- The loss cannot be catastrophic.
- The loss exposures must be large (i.e., the “law of large numbers” must apply).
Within the context of cyber-risk, various academic papers reach very similar conclusions about the limitations that bear on whether this is an insurable risk. These concerns include the following:
Moral hazard and adverse selection
Moral hazard is the lack of incentive for the insured to take self-protective measures that reduce the loss probability once insurance has been purchased; adverse selection means that firms that have already experienced cyber-attacks are more likely to buy insurance.
Interrelated information systems
The complex interrelations of modern information systems result in significant vulnerability to cyber-risk even when individual firms invest in self-protective measures. That interrelated nature also makes it difficult to discover, much less prove, the sources of losses and the identity of perpetrators, which potentially increases a firm’s reluctance to invest in self-protective measures.
Dramatic change in exposures
Changes in exposure are often dramatic and fast. No sooner do security companies plug one vulnerability than hackers devise new ways to exploit people and systems. From a technical standpoint, the rapid advancement of hardware and software and the adoption of new network models threaten stable loss estimates.
Massive aggregate risk exposures
While the captive may have 30 different insureds, if they are all using the same software or the same cloud service provider, and that software or network is breached, each insured could file a claim for the same event.
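To make the aggregation point concrete, here is an added example (not from the article) that compares the yearly claim-count distribution for 30 insureds under two assumptions: breaches that are fully independent, so the “law of large numbers” criterion above applies, and breaches that can also be triggered by a single event at a provider every insured depends on. The breach probabilities are constructed for illustration, not market data.

```python
from math import comb


def binom_pmf(n, k, p):
    """Probability of exactly k breaches among n independent insureds."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)

def claims_distribution(n_insureds, p_own, p_shared):
    """pmf[k] = P(exactly k insureds file a cyber claim in a year).
    Each insured is breached on its own with probability p_own, independently of
    the others. With probability p_shared a provider they all depend on (same
    software or cloud service) is breached and every insured claims at once."""
    pmf = [(1 - p_shared) * binom_pmf(n_insureds, k, p_own) for k in range(n_insureds + 1)]
    pmf[n_insureds] += p_shared  # the shared event puts all n_insureds in the claim
    return pmf

def expected_claims(pmf):
    return sum(k * pk for k, pk in enumerate(pmf))

def tail_probability(pmf, k_min):
    """P(at least k_min insureds claim in the same year)."""
    return sum(pmf[k_min:])

def claims_at_confidence(pmf, confidence):
    """Smallest k with P(K <= k) >= confidence: the claim count a retention or
    reinsurance attachment point would have to absorb at that confidence level."""
    cumulative = 0.0
    for k, pk in enumerate(pmf):
        cumulative += pk
        if cumulative >= confidence:
            return k
    return len(pmf) - 1

def compare(n_insureds=30, p_own=0.05, p_shared=0.02):
    """Independent model versus shared-provider model, same per-insured breach rate.
    Probabilities are constructed for illustration, not market data."""
    independent = claims_distribution(n_insureds, p_own, 0.0)
    shared = claims_distribution(n_insureds, p_own, p_shared)
    return {
        "expected_independent": expected_claims(independent),
        "expected_shared": expected_claims(shared),
        "p_all_claim_independent": tail_probability(independent, n_insureds),
        "p_all_claim_shared": tail_probability(shared, n_insureds),
        "claims_99_5_independent": claims_at_confidence(independent, 0.995),
        "claims_99_5_shared": claims_at_confidence(shared, 0.995),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With these inputs the expected claim count barely moves (1.5 versus about 2.07), but the count the captive must be able to absorb at 99.5% confidence jumps from 5 claims to all 30, which is exactly the exposure that a premium based on average frequency and severity does not price.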
What Is the Current State of the Cyber-Liability Market?
The cyber-liability market continues to evolve rapidly, and new entrants would be wise to understand how these changes may impact their decision to write coverage. Below, we highlight just some of the changes occurring today.
Continually changing coverage documents
Terms and conditions and basic policy language continue to be updated as new information becomes available. Policy coverage forms less than 3 years old are already obsolete.
Lack of standardized forms
Because of the conditions cited above, it has been hard for insurers, regulators, and Insurance Services Office, Inc., to agree on standard forms language. This makes it difficult to compare policies between companies and even on a reinsurance basis.
Increase in perils
As noted above, the hacker community continues to evolve as well, which leads to new schemes to exploit vulnerabilities.
Exposure changes due to new perils
Some consultants have warned that cyber-liability coverage is the new asbestos issue for insurers. As perils change, so do exposures, meaning many potential claims will end up in court as claimants and insurers try to work out what is covered and what is not.
These problems and others make it very difficult for captive owners and boards to really get a grip on the risk profile of the coverage they are offering.
Do We Understand What Cyber-Liability Coverage Is?
Cyber-liability coverage typically consists of two parts: first-party coverage and third-party coverage. This duality can create difficulties for insurers new to the market if they don’t understand the differences beforehand.
First-party claims include the following:
- Malicious destruction of data
- Viruses, malware, and spyware
- Accidental or incidental release of data
- IT system failures due to all natural causes
- Cyber extortion threats and denial of service attacks
Third-party claims include the following:
- Breach of privacy
- Unauthorized use of personal data
- Character defamation or slander
This list is not intended to be all-inclusive. Note that captives may be willing to insure against first-party claims but not third-party claims. A careful understanding of what coverage is intended, and careful wording of the coverage documents, are critical.
Is a Potential “Black Swan” Event Possible?
As noted in the discussion of whether cyber-risk is insurable, one characteristic of a non-insurable risk is that it is catastrophic. The problem that many regulators and rating agencies are wrestling with is what a black swan event would look like in cyber-liability. In March of this year, hackers were able to steal $81 million from the Federal Bank of Bangladesh. Yahoo just confirmed a hack of over a billion user accounts. As the world becomes more interconnected, the possibility of a massive black swan event increases. What happens to your captive when the reinsurance you were counting on to stop your losses at a certain level is no longer available? Captive owners and board members need to make informed decisions on how much risk they are willing to entertain.
Can We Get Comfortable with Our Insured’s Cyber-Security?
Setting aside all of the other questions above, the real issue is whether you are willing to place your trust in your members’ cyber-security. Real testing of a system’s ability to withstand a cyber-intrusion is both time consuming and expensive. Many companies place this responsibility squarely on the IT departments that maintain these systems. Think about the inherent conflict of interest this creates: IT managers want to believe their systems are foolproof, and the exposure of vulnerabilities is a threat to their livelihoods. External testing is better, but does your captive want to pay for it, and also potentially engender the ill will that naturally results when members are subjected to the testing?
As a captive owner or board member, there may be essential reasons why your captive may want to think about offering cyber-liability coverage. But doing so requires some real in-depth analysis of the pros and cons before you enter into this line of coverage.