
RISK / SECURITY

Insurers Face Cyber Risk Challenges from All Directions

Mitchell Wein | July 28, 2015

The NAIC Executive (EX) Committee recently established the Cybersecurity (EX) Task Force to act as a focal point for cybersecurity insurance regulatory activities. The task force held its first meeting on March 29, in Phoenix. Just before this meeting, the Task Force released its draft Principles for Effective Cybersecurity Insurance Regulatory Guidance.

The message is clear: there will be regulatory pressure to do something around cybersecurity. The National Institute of Standards and Technology (NIST) framework will act as the basis of the eventual recommendations, with the understanding that what is expected will be practical, consistent, flexible and scalable.

Additional data on the sale of cyber insurance products will be used to help regulators with financial oversight. As we reported in our Executive Brief on Cyber Risk trends in August 2014, insurers have been thinking about how to price and underwrite these risks for some time.

  • In March 2014, AIG introduced a new product called CyberEdgePC that covered property damage and bodily injury.
  • Insurance Journal reported in an article a year ago that TSC Advantage has also enhanced its cyber risk assessment Threat Vector Manager (TVM) technology for commercial organizations, critical infrastructure, and the public sector. That product offered customers security controls in areas including insider threat, physical security, mobility, data security, internal business operations, and external business operations.

Cyber risk coverage that has emerged in the last few years has included business interruption, rewards for capturing criminals, crisis management, cyber extortion of the network, data breach and complying with regulations, identity theft, and liability from defense costs, settlements, judgments, and punitive damages.

How does a cyber-liability policy get priced? Not easily. As NAIC correctly points out, insurers will be interested in risk-management and disaster recovery protection of a firm's network, data, digital assets, physical assets, and intellectual property.

Insider risk from employees and third parties in the supply chain will need to be evaluated as well. The Target store breach, in which credit card data was stolen, was achieved through malware being installed on the security and payments system through a trusted third party supporting store heating and air conditioning equipment. The breach cost $150 million and Target’s reputation, not to mention the CEO and CIO’s jobs. Insurers will need to be very interested in employee access to systems and data.

Of course, traditional protection like antivirus and anti-malware software, the frequency of updates and the performance of firewalls will be considered as well. The problem is complex, and the risk unknown. The risk continues to increase as the insurance business becomes more digital and smart devices proliferate, creating new attack vectors.

As a result, the cost of the insurance is high, and insurers are limiting how much they will cover. A 2014 Crawford & Company study, “The Future of Cyber Insurance,” revealed that few carriers are willing and able to indemnify over $50 million, with the majority writing a maximum limit of $10 million or less. Today, the market to underwrite cyber risk is dominated by American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd.

As a growing number of firms require their vendors to purchase cyber coverage, the loss experience will become more extensive, allowing for more accurate pricing of risk. This lack of experience is complicated by a shortage of people with the skills needed to assess the risk. As a result, cyber loss control services are starting to emerge as well. Marsh just launched Cyber Monitor and Cyber view in partnership with Cyence, a cyber-security analytics service provider, to look at threat indicators and security analytics.

NAIC’s task force will be responding to this by looking at the protection of information housed in insurance departments and the NAIC; the protection of insurer-held consumer data; and collecting information on cyber-liability issued policies. Inevitably, regulation will emerge in the U.S. as time goes by, both at a federal and state level.

Regulator-enforced reviews of carriers providing cybersecurity risk management and insurance coverage have begun to occur. Federal and state insurance regulators will also be looking to make a positive impact on this emerging insurance market.

The challenge is this: How does the carrier protect itself from cyber risk and assess how other firms the carrier insures protect themselves? Only time will tell how the challenge is met.

 

