ITIJ 218, March 2018
Neil Hare-Brown, CEO of STORM|Guidance – creator of cyber insurance comparator Cyber|Decider – highlights the importance of standardised terminology for cyber insurance
Although insurance brokers are receiving more enquiries about cyber insurance, this is still a type of insurance that a minority of SMEs purchase. Conversion rates are low, and there are various reasons for this, including cost, uncertainty of cover, lack of clarity on cover needs and the failure of SMEs to fully perceive their true cyber risk.
The uncertainty on risk and cover is made worse by the lack of standard terminology in cyber insurance policies, which causes confusion for brokers and customers and is ultimately stifling market growth.
There is much confusion about the policies available and the terms of cover because insurers fail to use standard wordings. For instance, what one calls ‘network expenditure’, another terms ‘data restoration costs’; in some policies the definition of ‘computer’ also includes ‘industrial control systems’, in others it does not.
Clients are missing out on getting the right cover because cyber insurance is an area that causes brokers confusion, and insurers have done little to rectify that. When you combine confusing policy wording with the tech jargon around cybersecurity, you are creating an off-putting combination for many brokers.
The off-putting and confusing language used in cyber policies is a barrier for both brokers and clients, and it is essential that underwriters are aware of the extent to which the current complicated and often contradictory wordings are stifling market growth.
The upshot of the current situation is that many brokers will only offer customers a blanket policy, whether that is right or wrong for the customer’s specific needs. It means fewer policies are sold and clients are badly served.
An example of cover differences and limitations is the cover provided for the costs a business will incur after a data breach involving loss of credit card data (PCI). Because cyber policies are sold to cover loss from data breaches, businesses naturally assume that liabilities resulting from a breach of payment cardholder data will be covered. Most travel companies accept payment by credit card and so will have significant amounts of this type of sensitive personal data.
Many policies do provide cover for ‘PCI costs’ – but the definition of these costs, and so the extent of cover provided in each policy, differs widely. In some policies these costs will include the PCI fines or penalties only. Others recognise the significant PCI exposure beyond fines and penalties and their cover includes fraud assessments, card reissuance costs, case management fees and PFI investigation expenses as well.
Additionally, many policies contain a condition requiring the insured to be Payment Card Industry Data Security Standard (PCI DSS) compliant at the time of the breach – it is rare for a company to be fully compliant at the time of a breach – and/or contain relatively low sub-limits for PCI costs, making it hard for the insured to ever be fully reimbursed for its losses.
Understanding the cover each insurer’s policy provides and then ensuring that cover meets the needs of the buyer is a crucial part of the insurance broker’s role. The insurance needs of a travel business will differ widely from those of a manufacturer. For example, the travel business, in addition to having a considerable amount of sensitive personal data about customers (e.g. health issues), may also be susceptible to attacks on its website (e.g. denial of service attacks).
That business will need to ensure that it has a cyber policy that not only provides broad data breach cover but also business interruption cover that includes not just closure of its whole computer system but also forced closure of its website, even when externally hosted. As the definition of ‘business interruption’ differs between policies it is difficult to see the extent of cover each policy provides.
For example, one policy defines business interruption as ‘the suspension or degradation of the service provided by the company’s computer system solely caused by a security failure’. From that wording alone it is not clear whether a denial of service attack on an externally hosted website would be covered (in this case, the policy’s definitions of ‘computer system’ and ‘security failure’ reveal that it is covered).
Across all other insurance lines, whether commercial or personal, underwriters use standard terminology to be clear and concise about the terms of cover available. But insurers offering cyber cover have been reluctant to use standard wordings because of misinformed concerns that sharing an agreed standard policy is anti-competitive and illegal.
Harmonised wordings can help develop the cyber insurance market by:
- Establishing a common understanding of the cover available.
- Enabling like-for-like price comparisons.
- Helping less-aware customers (and their brokers) better understand the options available to them.
- Assisting brokers with assessing the correct insurer more easily and providing the right policy for a particular client.
- Increasing the conversion rate as customers better understand the products.
This article features in the March 2019 issue of ITIJ.