Many of us have thought or heard that cyber risk is the new natural catastrophe (Nat Cat). While this may be the case for some insureds, others have very low chances of facing a massive exposure.
Jurisdiction, type of data, nationality of users/clients, legislation, industry, security standards, service providers, software tools, production standards, covers and extensions, and the type of breach, are all factors that will have implications on the degree and extents of a loss.
As more and more cyber insurance products are sold in the market, underwriters will most likely pursue the development of more creative, innovative and comprehensive covers.
We see underwriters developing policies that include cover for the breaches suffered by vendors or service providers. There is also a move towards the inclusion of Contingent BI covers, or D&O, E&O, product liability and/or computer crime extensions; mimicking the ones we are used to seeing within general liability policies.
Insurers may seek new niches for business but also must be fully aware of the impact that new covers will have in their exposure, this is, because in today’s digital economy the cyber risk is always on the rise.
To illustrate this, we bring to your attention some examples and their collateral risk scenario:
The growth of e-commerce continues apace. As shops move online, they become increasingly reliant on electronic systems, often run by third parties. The AWS outage suffered by Amazon in March 2017, caused by an employee error, impacted on the business operations of many users of Amazon’s services.
The drone and self-driven vehicle industries are also on the rise. However, reports indicate that compliance with security and privacy standards is not necessarily a top priority.
Avoiding a catastrophic cyber scenario requires that insurers carefully choose their business strategy, developing innovative products that complement but not aggregate risks to their exposure. We recommend that insurers consider a business strategy that diversifies risk using economy of scale approach offering all members of a supply chain discounted products, instead of aggregating their risks to a single cyber policy.
Strategic approach will not only depend on the policy wording and exclusions, but also on the approach used while assessing risks. As absurd as it may seem, many policies and proposal forms require or inquiry about “audits”, not referring the nature or standards of them. Very few proposal forms question the existence of certifications and almost none of them include condition precedents requiring compliance with a specific security standard of the IT industry.
We still need to learn more about the risks posed by the cyber industry, part of this is due to the lack of information, the constant development of new IT products, the lack of cyber insurance products, the lack of precedents and laws addressing IT risks, beyond privacy. A prudent approach requires not only to avoid aggregation, but also having legal and IT experts involved in the development of any cyber product, as well as in the attention of any cyber claim.