Fred Eslami, AM Best

Thanks to innovation, the majority of companies are embracing new technologies so that they can compete in this global market. COVID-19 and the resulting remote working environment have accelerated this process unexpectedly, despite the potential risks.

These new technologies include cloud computing, connected devices and the internet of things, digital products and apps, robotics and process automation, artificial intelligence, and machine learning. According to a Marsh survey, 77 percent of companies have already adopted at least one of these technologies and 76 percent are piloting or considering at least one.

Two things we know: 1) the economic loss due to a massive cyber attack could amount to many billions of dollars; and 2) the amount of cyber exposure in an insurer’s insurance portfolio is unknown but could also be estimated at billions of dollars.

Clear wording

Most insurance policies do not name a cyber event as a cause of loss, but neither do they explicitly include or exclude it. Policies are most commonly triggered precisely because they do not explicitly include or exclude cyber events as triggers for loss. In fact, exclusionary cyber language is ambiguous and may conflict with other policy wording.

In 2019, Lloyd’s mandated that all policies must be clear on whether coverage is provided for losses caused by a cyber event. Clarity is to be provided by either excluding or affirmatively covering the exposure from all property/casualty policies. The most common types of coverage in cyber policies are:

  • First-party coverages, which include event management and breach response, business and network interruption, cyber extortion and ransomware, and data restoration.
  • Third-party coverages, which include privacy liability, network security liability and privacy regulatory defence costs.

Captive insurers—especially single-parent captives—are probably the entities closest to their parent’s risks and exposures due to their proximity to the key operating and management functions. These functions include information technology infrastructure and human resources, the two areas in which cyber events can make the parent vulnerable.

Captive risk managers know their risks and exposures—and are willing to take such exposures in order to provide benefit and financial efficiencies to their parents. However, it should be noted that they are not a “hub” for uninsurable or undesirable risk. A combination of the captive, commercial market capabilities and self-insurance by the owner is considered a prudent strategy.

New regulations

In 2017, the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law was adopted, setting out the requirements and responsibilities that companies must take on for cybersecurity.

In September 2018, the US Treasury Department’s Federal Insurance Office (FIO) recommended congressional action if states do not achieve uniform data security laws within five years. Since then, and with the recent addition of Maine and North Dakota, 13 states have adopted the NAIC Model Law.

New York and California have enacted their own cybersecurity and privacy laws. The Vermont Cyber-Security Law, while not yet adopted, provides discussions for traditional captives—and is expected to be enacted in the 2022 legislative timeframe.

Regulators are focused on the solvency of captives, the health of the industry, and consumer and stakeholder protection. As captive insurers write cyber coverage, they need to think about what makes sense. Is there adequate capital, is it appropriately priced, and is the wording clear?

When implementing cybersecurity coverage, captives should consider other factors such as coverage terms, consultant integration, integration with other key players and the legal/regulatory realm.

A good practice is to work closely with commercial insurers on their cyber programmes and interact with regulators. In addition to their inherent expertise and knowledge, these captives can still gain insight and a better understanding of what may be required of them from regulators in the near future.

Captives can also collaborate with fronting and reinsurance partners to work on the underwriting for cyber policies. Captive insurers should continue to demonstrate due diligence on cybersecurity and create their own cybersecurity governance framework containing a comprehensive risk management process, security awareness programmes, security policies and controls.

Fred Eslami is an associate director in AM Best’s property/casualty ratings division with the alternative risk transfer group. He can be contacted at: fred.eslami@ambest.com


US FOCUS 2021