Your Cyber Liability Questions Answered
How much cyber coverage is enough? Who are the right stakeholders to bring to the table when buying cyber insurance? What’s the latest in insuretch that can help protect organizations from a cyber incident? We answer those questions and more.
March 10, 2023
Cyber liability insurance can help protect even the most agile businesses, providing coverage options ranging from security and privacy issues to business interruptions to cyber extortion. With an evolving cyber market and new risks presented daily, businesses have plenty of questions about its effects on their coverage.
Safety National’s Director of Cyber Insurance Underwriting, Steve Anderson, breaks down some of our most frequently asked questions.
1. In discussing aggregation risk, is the industry evaluating events that may have a previously unconceivable multi-line risk similar to what we learned from 9/11?
Insurers are utilizing realistic disaster scenario testing and modeling to better understand cyber risk and what it means for their balance sheets. The market continues to develop and implement solutions that benefit both carriers and insureds. While there have been some substantial data breaches, there has yet to be a significant cyber event of truly catastrophic proportions. There is the potential for a catastrophic cyber attack or a major cyber risk aggregation event, but total cost is difficult to predict. Within the last year there have been several model outputs that outline various scenarios that are tied to catastrophic exposure.
For example, the use of outsourced services, like cloud computing and cloud data processing and storage, is an area of concern. Cloud infrastructure services spending increased 32% to $39.9 billion in the last quarter of 2020, following heightened customer investment, so that increase has garnered the attention of insurers.
2. Do you think we will reach the point of monitoring devices for network or security controls, similar to what auto insurance companies offer to drivers to reduce costs?
Some insuretechs have started actively monitoring their insureds, but most of those solutions exist only in the small- to medium-sized business (SMB) sector. Insureds are often reluctant to let insurance carriers inside their networks, so risk evaluation is still performed through traditional underwriting, submission materials, and outside scans.
For enterprise risk, there are solutions that carriers and brokers are outlining, which benefit the placement and assessment of the risk. Buyers of the coverage now understand that the insurance sector can assist in the risk transfer of cyber risk and assist in protecting their balance sheets by utilizing their carrier’s expertise.
3. Often, underwriters with little technical skills come to a cyber insurance meeting only relying on a checklist of controls. My organization wants to have an in-depth technical conversation. What’s the best strategy to have the most meaningful conversations with the right people for a successful meeting?
Including business leaders from both a strategic and technical standpoint will undoubtedly lead to the most successful underwriting meeting. Carrriers typically work through a checklist knowing that, if certain controls are in place, it will mitigate the overall risk. Also, try to limit the audience size to ensure there is enough time to have the level of technical discussion desired. Too many people in the room may prevent that from occurring.
Brokers now understand that those at the table must have the technical acumen to meet your meeting’s goals. Brokers and insurance carriers are now hiring individuals with expertise insureds need to be represented in these discussions, where there was a much larger gap in years past.
4. What are some of the most-common cyber incidents and what cost is associated with them?
The NetDiligence Cyber Claims study revealed that in 2021, the average ransomware claim was $555,000, and the average incident cost was $840,000 for small-to-medium sized businesses . The study stated that ransomware, hackers, and business email compromise (BEC) were the primary causes of loss.
5. How much cyber coverage is enough? It seems like every significant event raises the exposure ceiling.
When determining limits, some companies will compare with others for context, but peer benchmarking is not a good proxy for choosing what cyber insurance limits to purchase. Each business presents unique risks in its data collection, handling and storage, security approach, and risk appetite. With the help of a broker, focus instead on cyber loss modeling for your business and your risk appetite.
Additionally, using a tool such as NetDiligence’s Data Breach Calculator can assist in determing how much to purchase. This tool can help determine potential claims costs based on the number of records and types of documents a business holds that could be exposed in a data breach. While the resulting costs are estimates, the tool does provide a reasonable estimate of what a company’s claim costs could be in the event of a breach, even in a worst-case scenario.