One of the fastest growing threats to financial institutions and their customers is cyber risk. This category of risk broadly encompasses any harm induced by a computer security breach, for example, a cyberattack that compromises confidential personal information or causes physical harm.
Traditional insurance, such as first-party commercial property insurance and third-party commercial general liability (CGL) insurance, typically excludes cyber claims, or may not cover cyber risk without an endorsement modifying an existing insurance policy. Therefore, companies seeking to protect themselves against cyber risk must consider purchasing stand-alone cyber insurance, which can include both first-party and third-party coverage.
Robert Rosenzweig, senior vice president and national cyber risk practice leader at Risk Strategies Company, gave his take on trends in cyber insurance and the regulatory outlook in an interview with Regulatory Intelligence. New York-based Risk Strategies is an insurance broker handling all lines of insurance, including cyber risk.
Most of the questions in the email exchange for this article revolve around recent regulatory initiatives that require banks and insurance companies to strengthen their cyber risk programs. Rosenzweig’s responses, edited for length, reflect his own views:
Q: How big have cyber-induced losses been in the U.S. in the last few years? Recognizing that it’s hard to predict malicious behavior, are there any projections for how big losses might be in the coming years?
Rosenzweig: Cyber losses have been significant, but I would question whether we actually know the full extent. Given that penetration rates for cyber insurance are estimated to be under 30%, unless there is media coverage or the totality of a loss is publicly disclosed, it is conceivable that there are significant losses that we don’t even know about. Based on numerous studies, the number of reported incidents is on the rise and purchase rates for cyber insurance continue to grow, so it is reasonable to assume that cyber losses will become even more significant in the coming years.
Q: The 2014 ISO endorsements, developed by the Insurance Services Office, a commercial organization which develops many of the policy forms used by insurers, exclude coverage for many kinds of cyber risk. Are financial institutions and other companies still trying to purchase cyber coverage through their CGL and other traditional policies, or has there been a significant shift to purchasing stand-alone cyber insurance? What about umbrella policies that drop down to cover cyber risk not otherwise covered by the first layer of coverage?
Rosenzweig: As insurers have become more educated about cyber and losses have become more prevalent, the general trend has been that exclusionary language on policies such as CGL, property, and other lines has been tightened up to ensure that losses aren’t being paid under policies that were never intended to cover cyber-related losses. There are still instances of policyholders attempting to seek recovery for cyber-related losses under such policies, but the purchase of stand-alone cyber coverage is becoming much more commonplace.
Q: Has there been increased uptake of new cyber insurance policies since the May 25, 2018 effective date of the General Data Protection Regulation (“GDPR”), the European Union legal framework that imposes strict requirements on companies that process personal information of EU individuals, regardless of where the companies are located?
Rosenzweig: I believe there was a marginal increase in uptake as a result of GDPR. Despite the fact that many smaller companies are considered covered entities under GDPR, the majority of the focus on compliance in advance of last May was skewed towards larger multinational corporations. As many U.S. states such as California move towards implementing similar regulatory frameworks, we are seeing this uptake based on regulatory trends trickle downstream.
Q: Cyber policies typically cover data breaches. Do they also cover illegal processing where there has been no data breach, such as when a company fails to erase personal data upon an individual’s request under the GDPR?
Q: Fines against companies that fail to comply with the GDPR are very high – up to 4% of global revenue or €20 million (about U.S.$23 million). Some countries prohibit insurance policies from covering government fines because it is against public policy. Can U.S. cyber policies cover government fines? Have companies been increasing their limits of coverage to accommodate the potential exposure?
Rosenzweig: There are conflicting opinions on this and no one yet knows definitively. The insurers’ intent is to pay these losses; it remains to be seen whether regulators in a particular EU member country will allow these losses to be paid as a matter of public policy. We are seeing clients increase limits both due to a greater potential for regulatory fines and due to concern over other elements of covered loss such as business interruption costs.
Q: Finally, have there been any recent developments at the ISO on forms to cover physical harm arising from cyberattacks, which may be excluded by both traditional policies, since they generally don’t cover cyber incidents, and cyber policies, which generally don’t cover physical harm?
Rosenzweig: We are seeing some property and general liability insurers willing to pick up elements of loss due to cyber-related issues. We are also seeing certain cyber insurers willing to cover these types of claims, but it is an intensive underwriting process, as the insurers want to understand all potential coverage that could be implicated and there needs to be very careful coordination. This can also be extremely costly.
To read more by the Thomson Reuters Regulatory Intelligence team click here: http://bit.ly/TR-RegIntel
(Jason Hsieh is a contributing writer for Regulatory Intelligence.)
This article was produced by Thomson Reuters Regulatory Intelligence - bit.ly/TR-RegIntel - and initially posted on July 10. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters