The Department of Homeland Security sponsored an insurance industry working session (see here) to find ways to generate a more robust Cyber Risk Insurance market. The result so far has been a readout report (here). According to the Insurance Working Session Readout Report, three areas could lead to a more robust market:
- Cyber incident information sharing/data repository – the idea here is to create a secure method to pool and share cyber incident information on an anonymized basis in a database accessible by insurers.
- Cyber incident consequence analysis – New data and modeling techniques would help insurers assess the loss value of a cyber-attack on critical infrastructure, and also the impact of various cyber risk management techniques. Most importantly, the techniques which assess the impact on an individual company level would have the most impact on both insurance pricing and the use of risk management.
- Enterprise risk management (ERM) – Cyber risk is outside the scope of some ERM efforts and many mid-sized and small organizations do not practice ERM. The conclusion is that it will be difficult to move cyber risk management out of IT departments without greater focus on ERM.
Our take is a bit different. The Cyber Risk Insurance market is currently robust; it just takes some effort and expertise to navigate. The market operates as follows:
- Many insurers provide Cyber Risk Insurance
- Coverage is reasonably priced
- Cyber Risk Insurance can be comprehensive, but not all forms are
- Forms vary considerably and can be tailored to a customer’s needs
- Underwriting varies by insurer, with many insurers focusing on specific areas – some degree of specialization
- While there is very little in the way of credible loss statistics, underwriters are responding to incidents and learning fast
- Insurers are seeing claims
- We expect pricing to rise over time
- Increased underwriter focus on IT security (“cyber risk management”) is coming
Given the current market for Cyber Risk Insurance, all organizations should be buying Cyber Risk Insurance. Cyber Risk Insurance is an essential coverage for businesses of all sizes for protection from both criminal attacks and employee error; it should not be optional. Coverages vary widely and can be tailored to cover the cost of breaches, forensics, business interruption, crisis management and PCI assessments.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability insurance (E&O, D&O, EPL, Cyber). We excel at hard-to-place accounts. Review our expectations here.