
Drew Stone

FIN 4334.001
The Growing Issues with Cyber Insurance
As computing technology and hacking skillsets develop, there are more
cyber-attacks on businesses every year. Lloyd's, a British insurance company,
states that cyber-attacks cost businesses over $400 billion a year in
damages, a figure that has increased every year. Last year, insurance companies
collected around $2.5 billion in premiums, $500 million more than the
previous year and $2 billion more than in 2013. There is a growing need for
coverage following disastrous cyber-attacks: companies need assistance with
defending lawsuits, paying judgments/settlements, and covering the costs of
indemnifying those affected by the breaches. There are three issues currently
facing cyber insurance: risk pricing challenges, information asymmetry,
and closing the gap between cyber security and cyber insurance.
Cyber insurance providers are relying on very narrow policy terms and
conditions, along with conservative pricing, to limit their risk exposure.
However, clients are beginning to question the value of their policies. Clients
are concerned about the ever-increasing sophistication of cyber-attacks, and
whether they are covered against future elaborate attacks not specifically
mentioned in their policies. This presents a significant risk pricing
challenge to the industry. Cyber-attacks are not like other risks. The scale of
damages is potentially enormous, there is little public data available, and the
attacks themselves are changing rapidly. Additionally, breaches can happen and
remain unnoticed for months or even years. Finally, cyber insurance
providers can expose both their clients and themselves to attacks through
breaches of their own systems.
Currently, most cyber insurance policies cover crisis management
expenses, claim expenses, revenue lost due to interruption of the insured's
operations, and the costs of restoring or recollecting lost/stolen data. Given the
lack of standardization and the competitive market, the terms tend to be highly
negotiable. An insurer's off-the-shelf policies are often changed through
negotiation to reflect the policyholder's unique circumstances. Cyber
insurance does not currently cover claims brought by governments or
regulators, vicarious liability for data entrusted to third parties, or any
breach of unencrypted data. Most policies have a negligent computer
security exclusion: coverage will be denied to companies that did not install
software updates or apply security patches to their computer systems.
PricewaterhouseCoopers (PwC) believes that the best way to address
the risk pricing challenge is clarifying risk appetite, gaining broader
perspectives, and creating tailored, risk-specific conditions. To clarify risk
appetite, insurers need to estimate the total maximum loss from a major
attack. In doing so, insurers need to help reduce risk concentrations by
working with clients to improve their own internal safeguards and crisis
planning. In terms of gaining broader perspectives, PwC states that bringing
in people from technology companies and intelligence agencies can lead to
more effective threat and client vulnerability assessments. Collaboration
among technology companies, intelligence agencies, and cyber insurance
providers could help clarify risk evaluation and the screening of clients.
Policies themselves may need to be changed more often than the
standard 18-month policy renewal schedule. As new threats emerge rapidly,
insurance companies may need to update policies the way software is
patched, on a monthly or weekly schedule. This will allow companies to feel
secure with their policies in the event of new threats. However, insurance
companies cannot possibly cover every attack, so they must clarify which
assets are the most important ones to protect. Underwriters need to
collaborate with other insurance companies' actuarial resources to improve
premium pricing industry-wide. Currently, cyber insurance companies
operate independently. If cyber insurance companies were to publish their data,
collaborate with intelligence agencies, and work with clients to
reduce risk exposure, the risk pricing dilemma would be solved.
The second-largest challenge with cyber insurance is the wide
information asymmetry. Unlike other types of insurance, where there may be
one or two entities in play, cyber insurance could potentially involve
thousands. Because most cyber insurers do not publish their data,
new entrants have difficulty distinguishing clients that will be high or low
risk. This creates an adverse selection problem, where insurers cannot safely
determine which premium rate clients should pay. There is also a disconnect
between the information held by the insurer and by the insured. Cyber insurance
companies often lack information about the insured's system applications,
installed software products, and IT department's security habits, all of which
are fundamental to determining risk. There is currently no legislation requiring
cyber insurance companies to publish their data, creating a potentially
monopolistic industry where the better-informed insurer holds the majority of
market share. Currently, there are five underwriting entities for all cyber
insurers.
Ranjan Pal, from the University of Southern California, has created a
model with which cyber insurance companies can assist their underwriters in
setting appropriate premiums. The mechanism helps alleviate information
asymmetry by using various scenarios that target risk-averse companies when
the insurer has little to no information on the insured. The model does assume
that it is mandatory for users to purchase cyber insurance. For Pal's model to
work, the insured must have proper self-defense mechanisms (such as
antivirus software), which all cyber insurance policies require. Finally,
the model gauges risk based on a company's wealth/assets and
recommends pricing premiums accordingly. Pal's model has been used by
the National Association of Insurance Commissioners (NAIC) to develop a
more rigorous structure for underwriters to use.
Finally, there is a large disconnect between cyber security firms such
as Norton Antivirus, McAfee, etc. and the cyber insurers. Insurers assess
financial losses from attacks and focus on risk management. Cyber security
firms often ignore the issues facing cyber insurers, and must begin to take
their positions into consideration. Cyber security firms need to learn how to
draw the necessary boundaries, explain the scope of attacks/breaches, and
assist in damage calculation assessments. Security firms often understate
attacks on companies defended by their software, or publicly underestimate
the damage done. For cyber insurers to operate functionally, there must be a
clear and honest dialogue between the two industries so that premiums can be
priced appropriately and cyber insurers know how best to write policies.
When cyber security firms struggle to properly assess damages from
breaches, companies may question whether cyber insurance is even worth it.
InfoSec states that there are several cyber insurance considerations
that must be met by cyber security firms, governmental bodies, and the
insured to provide proper coverage and risk assessment. First, there have to
be clear and concise definitions of terms such as "hacker," "attack," and
"incident" in the context of cyber insurance. As of 2015, there are no
standardized definitions of these terms, which increases cyber insurers'
liability. Secondly, the insured must be very clear about exactly what coverage
their specific company requires. Defining coverage for cyber-attacks starts with
company audits for the valuation of data and estimates of the aggregate costs of
attacks. Finally, the insured must make sure their policies cover all aspects of
a breach. Currently, there are three stages of a breach that will be covered by
cyber insurance: discovery, investigation/remediation, and court costs.

Cyber insurance is a growing market. In 2002, $200 million was
collected in premiums, and in 2016 companies have already collected $2.5
billion in premiums. Although it is a soft market with much room to
grow, companies are still struggling to properly manage their risk pricing.
The industry is currently in its infancy, and by some estimates will grow to
$20-$25 billion in premium collections as early as 2020. However, if
companies do not start collaborating with cyber security firms and governmental
organizations, and sharing their actuarial information with underwriters, it
will soon become a monopolistic enterprise. By using PricewaterhouseCoopers'
suggestions to assess risk confidently, companies will be able to price risk
properly and communicate it clearly to the insured. Underwriters and their
insurance companies will begin using Pal's model to alleviate the asymmetry in
insurance companies' information, to create a more honest pricing schedule
and allow new entrants. Finally, cyber insurance companies, cyber security
companies, and governmental bodies need to collaborate to ensure proper
cyber-attack definitions, defense, and data sharing for all insured. If these
key issues are addressed, the cyber insurance industry will be better defined,
increase its market share, and provide clients with appropriate coverage in the
event of a cyber-attack for the foreseeable future.

Citations

PricewaterhouseCoopers. "The Promise and Pitfalls of Cyber Insurance." The Promise and
Pitfalls of Cyber Insurance (2016): n. pag. PricewaterhouseCoopers, Jan. 2016. Web. Nov. 2016.
Filkins, Barbara. "Quantifying Risk: Closing the Chasm between Cybersecurity and Cyber
Insurance." www.sans.org. PivotPoint Risk Analytics, Mar. 2016. Web. Nov. 2016.
Pal, Ranjan. "One Government's Approach to Cyber Security Policy." Cyber Security Policy
Guidebook, Bayuk/Cyber Security Policy (2012): 211-37. University of Southern California, May 2012.
Web. Nov. 2016.
Iwata, Edward. "Challenges and Opportunities Ahead for Cyber Insurance Industry - Third
Certainty." Third Certainty. N.p., 28 Mar. 2016. Web. 28 Nov. 2016.
