The year 2017 had no shortage of headlines pertaining to cyber incidents. On the commercial side, you have the Equifax and Uber cases and on the government side, you have the DHS event. These cyber incidents ran parallel to awareness campaigns run out of the European Union for the General Data Protection Regulation (GDPR), a model law proposed by the National Association of Insurance Commissioners (NAIC), (based in part on the State of New York’s Department of Financial Services Cyber Law), and a deadline imposed by the Defense Federal Acquisition Regulation (DFAR). 2017 ended in a somewhat positive note as data suggests that the adoption rate of cyber insurance is now at 31% versus 19% the year before in the United States and the highest rates of increases were scene in India with 50%.
So what is in store for 2018 and how might these factors impact underwriting practices or adoption rates? To begin with, the State of New York has the first deadline to contend with. Business entities that are operating within the State of New York in the financial services sector and have $5M in revenue must submit artifacts to support they have a cybersecurity plan of operations to include remote penetration testing, onsite vulnerability assessments, and even demonstrate a CISO is in place.
GDPR becomes actionable in May where violations might subject the offender to penalties starting at 20 million Euros. For U.S. firms that believe they are not subject to this, please ensure you review Privacy Shield requirements and how the U.S. Department of Commerce will work with the EU on enforcement actions.
A bill is on the floor of the State of North Carolina that would give the State standing to prosecute business entities failing to adequately protect healthcare data as an unfair and deceptive business practice (a model usually reserved for the U.S. Federal Trade Commission).
Senator Warren is proposing a bill that would impose heavy sanctions on credit reporting bureaus that sustain a breach because of inadequate cyber practices.
The ever increasing play for regulators around the world will likely create unique challenges and potentially some new opportunities for the insurance marketspace. To date, the majority of policies are written by only a handful of insurance companies. While the number of businesses offering new lines in the realm of cyber increase monthly, the majority reside with the most established names like Zurich, Beazley, Chubb, etc. Because cyber represents such a small percentage of their total portfolio, not much diligence is being played out.
For the new comers to this space, some are giving considerably more thought about how they can offer more for less money than the competition. The catch? These same organizations are seeking out new methods and techniques towards evaluating cyber risk profiles to limit their exposure to a claim. As the deadlines for some of the aforementioned regulations kick in, the ability to limit such exposures becomes increasingly more critical.
The insurance sector has underwritten cyber risks for almost 20 years, so why will 2018 be any different? I think it is hard for any one person or think tank to speculate until the first sanctions are levied for failing to comply with GDPR, NYDFS Cyber laws or other new regulation. However, if there is any truth to the narrative from a report led by PartnerRe and Advisen in late 2017, “Pricing is seen as less consistent than last year, many brokers noting soft market conditions and broadening coverage without adequate rate consideration” then this supports a hypothesis that market corrections might follow.
What might a market correction for cyber insurance look like? Perhaps lower premiums or higher retention rates? If claims pivot from five and six figures to seven or eight figures more consistently because of fines and penalties for organizations not having adequate cyber hygiene, then the market could see corrections over a short period of time because of the losses incurred.
I have spoken with insurance experts and listened to industry panels as well and the consensus is that no checks will be written specifically for a GDPR fine. Having said that, given the pervasiveness of global data, it is hard for me to reconcile how an agent or broker will structure a policy in a way that defines GDPR penalties as an exclusion. At least without the client asking, “So what are you protecting me against if I cannot offset some of my risk exposure to fines and penalties associated with a cyber incident?”
Will policies dictate that fines and penalties are covered in “X” scenarios but not “Y” scenarios?
If NYDFS hits a financial services organization with sanctions for failing to meet the law and there are lost revenues due to suspended business activities, if cyber is the trigger, will it carry over to claims tied to lost revenue? If the trigger is in fact tied to cyber and language exists within the policy that it will not cover GDPR or NYDFS fines, will that create ambiguity resulting in a failure to pay a claim and likely result in a civil suit?
Lots of gray areas but also opportunities for smaller insurance shops that can move more rapidly to meet market demands to structure policies that focus on actual business risk as it applies to cyber triggers of harm. Some firms have tools for existing clients or potential clients to measure how good of a risk they are. Some firms are using BitSight or similar technologies.
At the end of the day, if more money continues to be spent on cyber defense and our risk posture is not improving proportional to the level of spend, the insurance sector may need to reassess how to properly evaluate an applicant’s cyber risk profile. Those that are able to adopt unique lines of coverage that can account for stricter regulatory fines and penalties will likely capture more of this precarious market segment.