Cyber Confusion: What’s Needed to Create a Sustainable Cyber Market
There has been plenty of talk about how cyber continues to evolve in an ever-changing technology landscape, how cyber risks have become increasingly sophisticated and how the insurance industry needs to keep pace.
Meanwhile, the question of how to transform cyber insurance into a more sustainable market remains.
“Cyber is moving so fast that we’re on this cadence of we’re almost changing the coverage on an annual basis,” said Bob Parisi, managing director and cyber product leader for Marsh. “Once you have one or two markets doing that, you feel like, ‘Well, I’m going to be left. The train has left the station.'”
Parisi was among the panelists at the PLUS Cyber Symposium in New York last month addressing the sustainability issue.
From Parisi’s perspective, the emphasis on change has led to division among brokers in terms of how cyber insurance is presented to clients and how policies are structured, creating a lack of consistency in the space.
“You have 21 different legitimate cyber markets, and there are 22 different cyber forms on any given risk that a mid-sized to large client has, so a broker is getting five different options, five different policies, five different definitions of ‘claims,’ ‘computer system,’ ‘cyber event’ or ‘glitch’ that they have to explain to the client in a way
‘You’re comparing apples to oranges to pears. … It’s part of that lingering confusion that people associate with the cyber market.’ that the client can understand,” Parisi said.
He added that standardization among terminologies and glossaries will be important for cyber insurance going forward.
However, standardization is not something the cyber insurance space has its arms around yet.
It’s not just brokers who are struggling, according to Gina Pilla, managing director and head of professional lines at Arch Reinsurance Company.
“From my perspective, the only standard is that there really hasn’t been a standard,” Pilla said, explaining that a lack of standard language in cyber policies is something that reinsurers have been challenged with as well. “We would like to have a better understanding of what we’re actually covering when we reinsure someone who is ready for cyber.”
Because cyber has quickly and continuously evolved, standard policy language has not been able to keep up, said Steve Krusko, chief underwriting officer at Berkley Cyber Risk Solutions.
“Even policies written five years ago might not be clearly addressing some of the issues. I think sometimes clients just want clarity,” he said. “They want to know, ‘Could this one event or this one scenario be covered under our policy?’ Rather than hearing, ‘Well, you know, our definition of ‘computer system’ is this, so let’s just add it in there.'”
Beyond simply understanding a cyber policy’s language, determining how evolved a cyber policy is in terms of whether it approaches cyber as a property and casualty risk, or whether it is based on an errors and omissions form has been another challenge, Parisi added.
“You’re comparing apples to oranges to pears,” he said. “It’s part of that lingering confusion that people associate with the cyber market.”
With all of this in mind, panelists expressed frustration regarding how cyber policies can be structured with many endorsements, calling for more consistency and clarity.
“A policy that’s issued with 37 endorsements — as a former claims person — that’s confusing,” Parisi said. “Now, I have to read the policy backward and see, for the thing I’m looking at, was there an endorsement that modified that particular portion of coverage?”
Krusko added that he believes this difficulty is exacerbated by the ever-changing cyber market as well, leading some brokers to fear getting left behind.
“Sometimes I feel like, is the broker asking for those 27 endorsements because they don’t want to get shut out by the competitor broker who has basically said, ‘Oh, you missed the ERP endorsement on there?'” Krusko said. “So, they have this long list of endorsements, which technically are probably not even anything from a coverage standpoint that’s material. You see a lot of that going on.”
As the insurance industry works toward transforming cyber insurance into a more sustainable market, Parisi said he believes the key is to move away from the notion that cyber insurance is simply about price and focus on making the coverage feel more valuable to clients.
“We have to get off of the cadence of, ‘We’ll just make it cheaper and people will buy it,'” he said.
Parisi added that currently, a big uptick in cyber coverage has been seen outside of the privacy space on the industrial side. He explained that industrial clients are buying cyber coverage because it has started to adapt and respond to their business interruption exposures and their digital asset losses, filling the voids that property and casualty coverage has left behind by pulling out.
“Clients will pay for [coverage] if it’s real,” Parisi said. “Now, when I go to a risk manager at a large manufacturing or industrial company, they say … ‘I get that’s valuable coverage. I’ll pay for that because it has value to me. I don’t view it as just dipping my toe in the water.'”
However, Pilla raised concerns that while there is still a lack of understanding around cyber risks, the coverage is too broad.
“We need to build sustainable product with cyber,” she said. “When I think about expanding coverage to include blanket contingent business interruption with a system failure trigger for a Fortune 1,000 company, I don’t even know what I’m reinsuring. So, if there is one of those systemic events, it could be a disaster and it’s not a sustainable product.”
Krusko added that a lack of data regarding cyber business interruption risk is another concern.
“There isn’t a lot of data out there, and some of our carriers are going into it a little blind because they’re using rate plans that were basically designed to cover business interruption for a traditional cyber buyer — maybe it’s a retail or healthcare risk, or technology errors and omissions — and it’s a percentage of the liability premium,” Krusko said. “There runs the risk of, if we keep going down this particular path, we’re going to find the rates aren’t really adequate.”
With pricing in mind, Pilla emphasized that underwriters can’t ignore the catastrophe element.
“I get frustrated when people talk about how we have lower loss ratios, so we should be expanding coverage because we haven’t paid a lot of claims. But you have to think about the exposure you’re putting on your balance sheets,” Pilla said. “Exposure is there, and it’s very hard to measure it when we expand the forms in such a way that we don’t even know who we’re actually insuring.”
Pilla pointed again to contingent business interruption as an example.
“We’re providing product to anyone that company does business with, and we don’t even know who they are. So, we have to consider the exposure, not just the historical losses that we’ve paid when we’re talking about premium adequacy,” she said.
Parisi believes a solution for cyber insurance is that sustainability can come as underwriters model how the property market has historically underwritten risk.
“The property market is able to sustain bad hurricane years … To be sustainable, you have to underwrite to the risk,” he said. “So go next door, ask the property guy for his rating model and start applying it. There are solutions here that can solve some of these problems.”
Another key for underwriters within cyber insurance, Parisi said, is to concentrate on resilience.
“You want the company that is talking resilience, not the company that’s talking security,” he said.
He added that as a former underwriter, he would find it concerning if a company today was still talking only about security and not resilience.
“When we first started this back in the days of yore, it was, ‘How deep is the moat? How high is the wall?’ and that was it. That’s not what we’re talking about anymore,” he said. “It’s how can you function when bad things happen, and can you continue to deal with that and move forward? Because if all you do is just shut down, that’s a bad risk.”
Indeed, Krusko added it’s difficult for underwriters to wrap their heads around cyber when looking at individual risk situations.
Consequently, it’s important to focus on resiliency as a whole.
“How well is the board involved? How well do they do business interruption, continuity plans, backup vendors and all of those things that are going on to make sure they’re resilient and prepared?” Krusko asked. “It’s not about if it will happen anymore, but when it will happen.”
Parisi stated that while taking steps toward achieving greater sustainability in the cyber insurance space may seem daunting, it’s imperative and becoming more attainable as the cyber market continues to evolve, respond to losses and establish itself in the marketplace.
“I do think that the cyber market has gotten past that hurdle of being able to show that it does respond to loss and that the coverage is there,” Parisi said. “Now, the coverage looks and feels the way the buyer thinks it is. The cyber market has gotten to the point where now it’s viewed as credible, because its language and cadence of discussion is credible.”