Last month’s post summarized the key findings of the recent emerging risk report issued by Lloyd’s of London and risk-modeling firm Cyence, covering both specific cyber risks and the cyber insurance market more generally. In this post, we take a closer look at some of the more significant coverage issues the report raises; a full copy of the report can be found here.
1. The Difficulty of Zero-Day Exploits
All businesses face significant risk from attacks that exploit “zero day” vulnerabilities. As the Lloyd’s report explains, zero day vulnerabilities “are a particularly severe sub-set of vulnerabilities that are unknown to a software vendor or the information security community.” The “zero” refers to the number of days the vendor and the security community have had to develop and deploy a patch; by definition, no fix exists at the time the flaw is first exploited. Zero day exploits, which arise frequently and—as the name suggests—without warning, pose a “delicate balancing act”: public disclosure of the vulnerability allows the vendor to issue a fix and users to apply it or mitigate the exposure, but it also alerts bad actors to a weakness that was previously known to few, if any, of them.
While the existence of such vulnerabilities is largely outside a policyholder’s control, what happens once a fix becomes available is not: a failure to patch (or significant delay in patching) after a vendor releases a fix turns an unavoidable exposure into an avoidable one, and it is this window between patch release and patch deployment that insurers scrutinize. Given the size of the potential industry exposure estimated in the Lloyd’s report (for example, anywhere from $4.6 billion for a “large” cloud service disruption event to $53.1 billion for an “extreme” event), policyholders should not be surprised to see insurance products that exclude coverage for so-called “mass vulnerability” attacks, in which a single widely deployed flaw is exploited across many organizations at once. Indeed, many products already exclude such coverage. In addition, policyholders may face increased efforts to deny coverage based on representations in their insurance applications about how quickly they patch identified vulnerabilities. A statement on an application that critical patches are applied within a stated number of days can become the basis for a denial if a loss follows a patch that was not applied within that period, so policyholders should ensure that any such representations reflect actual practice and that patch deployment is documented well enough to substantiate them.
Zero-day vulnerabilities are unlikely to subside any time soon, so policyholders should evaluate whether their coverage is adequate in the event of a “mass vulnerability” attack, and should maintain a process for monitoring vulnerability disclosures and deploying patches promptly once they are released.
2. Significant Coverage Gaps Posed By Global Cyber Events
The Lloyd’s report also highlights a significant coverage gap under various hypothetical scenarios, including with respect to contingent business interruption (CBI) losses in the event of an attack on a cloud service provider.
As discussed in the report, cyber policies generally include some form of business interruption coverage that responds when a cyber event disrupts the policyholder’s own digital operations. In contrast, cyber policies vary greatly as to whether they cover CBI (i.e., a policyholder’s lost profits and extra expenses caused by an interruption in the business of a supplier, vendor or customer rather than in the policyholder’s own systems). Some cyber policies exclude CBI altogether, while others impose sublimits on CBI losses that may be well below the policy’s overall limit.
CBI losses are particularly important in the cyber context, however, because a large-scale disruption following a cyber attack on a major cloud service provider or similar vendor could have significant repercussions across many industries worldwide that rely on uninterrupted service from that single provider. The Lloyd’s report presents a stark picture of potential coverage for such risks, estimating an “insurance gap” of between $4 billion (for a large loss) and $45 billion (for an extreme loss) following a significant cloud service disruption event. Stated differently, the report estimates that only 12% to 17% of expected losses would be covered in the large and extreme loss scenarios, as compared to roughly 30% for the world’s ten most costly natural catastrophes. Policyholders should keep this gap in mind when assessing whether their cyber coverage, and in particular any CBI coverage and its sublimits, is adequate for the vendors and cloud services on which their operations depend.
3. The Importance Of Risk Modeling and Current Impediments In the Cyber Market
The Lloyd’s report concludes that not enough policyholders perform risk modeling. As a result, policyholders lack adequate information about their potential exposures, how to address those exposures, and the extent of the long-tail exposure (losses that continue to emerge well after an incident) associated with them. Because insurers price and write coverage based largely on the information applicants supply, when policyholders lack this information, so do insurers, which is a present impediment to the development of the market.
Policyholders should work with their critical staff, including accounts payable (a frequent target of funds-transfer fraud) and IT professionals, to anticipate both common and worst-case cybercrime scenarios, and should test those scenarios against existing risk management protocols, for example through tabletop exercises that walk through who would do what, and what the business would lose, as each scenario unfolds. Such exercises will not only improve cyber protections but will also help policyholders identify new or expanded coverages needed to address the exposures the testing reveals. When consumers of insurance are better educated about their needs, the insurance market is in a better position to provide coverage that actually responds to the daily reality of businesses under cyber attack.