The NAIC Executive (EX) Committee recently established the Cybersecurity (EX) Task Force to act as a focus point for cybersecurity insurance regulatory activities. The task force held its first meeting on March 29, 2015 in Phoenix, Arizona. Just before this meeting, the Task Force released its draft Principles for Effective Cybersecurity Insurance Regulatory Guidance (“Draft Principles”).
The message is clear: there will be regulatory pressure to do something around cybersecurity. The National Institute of Standards and Technology (NIST) framework will act as the basis of the eventual recommendations, with the understanding that what is expected will be practical, consistent, flexible and scalable. Additional data on the sale of cyber insurance products will be used to help regulators with financial oversight. As we reported in our Executive Brief on Cyber Risk Trends (http://novarica.com/cyber_risk_trends_2014/) in August 2014, insurers have been thinking about how to price and underwrite these risks for some time.
In March 2014, AIG introduced a new product called CyberEdgePC that covered property damage and bodily injury. Insurance Journal reported in an article a year ago that TSC Advantage has also enhanced its cyber risk assessment Threat Vector Manager (TVM) technology for commercial organizations, critical infrastructure, and the public sector. That product offered customers security controls in areas including insider threat, physical security, mobility, data security, internal business operations, and external business operations.
Cyber risk coverage that has emerged in the last few years has included business interruption, rewards for capturing criminals, crisis management, cyber extortion of the network, data breach and complying with regulations, identity theft, and liability from defense costs, settlements, judgements and punitive damages.
How does a cyber-liability policy get priced? Not easily. As NAIC correctly points out, insurers will be interested in risk-management and disaster recovery protection of a firm's network, data, digital assets, physical assets, and intellectual property.
Insider risk from employees and third parties in the supply chain will need to be evaluated as well. The Target store breach, which stole credit card data, was achieved through malware being installed on the security and payments system through a trusted third party supporting store heating and air conditioning equipment. The breach cost 150MM and Target's reputation, not to mention the CEO's and CIO's jobs. Insurers will need to be very interested in employee access to systems and data.
Of course, traditional protection like antivirus and anti-malware software, the frequency of updates and the performance of firewalls will be considered as well. The problem is complex, and the risk unknown. The risk continues to increase as the insurance business becomes more digital and smart devices proliferate, creating new attack vectors.
As a result, the cost of the insurance is high, and insurers are limiting how much they will cover. A 2014 Crawford & Company study, "The Future of Cyber Insurance," revealed that very few carriers are willing and able to indemnify over $50 million, with the majority writing a maximum limit of $10 million or less. Today, the market to underwrite cyber risk is dominated by American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd. As a growing number of firms require their vendors to purchase cyber coverage, the loss experience will become more extensive, allowing more accurate pricing of risk. This lack of experience is complicated by a shortage of people with the skills needed to assess the risk. As a result, cyber loss control services are starting to emerge as well. Marsh just launched Cyber Monitor and Cyber view in partnership with Cyence, a cyber-security analytics service provider, to look at threat indicators and security analytics.
NAIC's task force will be responding to this by looking at the protection of information housed in insurance departments and the NAIC; the protection of insurer-held consumer data; and the collection of information on cyber-liability policies issued. Inevitably, regulation will emerge in the US as time goes by, at both the Federal and State level. Regulator-enforced reviews of carriers providing cybersecurity risk management and insurance coverage have begun to occur. Federal and state insurance regulators will also be looking to make a positive impact on this emerging insurance market.
The challenge is this: how does the carrier protect itself from cyber risk and assess how other firms the carrier insures protect themselves? Only time will tell how the challenge is met.