Do you have cyber risk insurance? Are you sure?
If the answer to that question is uncertain (and it should be uncertain), then there’s a huge, uncalculated risk. Not just to you, but to your insurance company. The UK’s main insurance regulator, the Bank of England’s Prudential Regulation Authority (PRA), has asked insurance companies to reassess their risks associated with what you might call “stealth” cyber insurance policies—that is, all kinds of insurance policies that could be used to cover what might otherwise be considered to be “cyber” risks, but for which the insurance company has never really evaluated the scope of the coverage or the risk. This may mean larger insurance bills for companies that think they already have insurance.
To you, buying insurance is a way to mitigate risk. To an insurance company, or an insurance company regulator, you buying insurance is a risk—a risk to the solvency of that insurance company should it have a covered claim. The UK regulator has for some time been warning insurance companies about the solvency risk to them of what it calls “silent” cyber insurance policies.
These “silent” insurance policies, or what is euphemistically called “non-affirmative risk” policies, are simply … well, simply insurance policies. You know, such as general casualty and liability policies; fire insurance policies; director and officer liability policies; business property insurance; errors and omissions; business interruption insurance; kidnap, ransom and extortion insurance; media liability insurance; and professional liability insurance. These are the kinds of insurance you might have if the year was 1975 and you had no computers at all.
From an insurer’s point of view, however, these represent a silent risk. That’s because many of these policies actually cover potentially huge cyber-related claims without either the insured or the insurance company knowing it. When an insurance company is covering a liability, but not collecting premiums for that potential liability, that represents a solvency risk to them.
The nature of the internet and computers in general means not that things are “more” or “less” risky but that the nature of the risks has changed. Take, for example, critical documents insurance: In the pre-computer days, fire insurance or flood insurance or a similar casualty insurance would likely also cover destruction or loss of the use of “critical documents,” since the most likely scenario where such documents would be lost or damaged would be by fire, flood or maybe theft. You might include a critical documents rider to your general casualty and liability (GCL) policy, but you would have coverage. Today, critical documents will be on a computer, server or cloud, and the risks are not just fire, flood, magnetic storm, electromagnetic pulse, Magneto and other “physical” attacks but also ransomware, hacking, DDoS attacks and simply stupid humans. The costs associated with reconstructing these documents and systems have likewise changed. But your grandpa’s old GCL policy may (or may not) still cover you for losses associated with damage or loss of “critical documents.”
The same is true for things like “media liability insurance,” which traditionally was used to cover authors, publishers or broadcasters, advertising or PR agencies and other media professionals if they’re sued for defamation, invasion of privacy, plagiarism or related claims. With blogs and vlogs, Twitter and Facebook, the scope and reach of these policies (and the need for them) have expanded enormously. Every company now has some kind of social media presence and, with it, liability. If a company suffers a breach of privacy-related information and the “media liability” policy covers claims of “invasion of privacy,” would the data breach costs be covered by the media liability policy? Would it cover the costs to the Oscars associated with Kevin Hart’s old tweets? What about doxxing? The nature of the technology and the risks have changed.
A KRE policy (kidnap, ransom and extortion) might cover your CEO if she is kidnapped, but what about your data? What about revenge porn threats? Ransomware? What about regulatory costs associated not with a data breach itself but with the exposure of the fact that your security was not what you thought or marketed it to be? It depends entirely on the words in the policy.
An E&O (errors and omissions) policy covers things such as negligence and “third party” liability resulting from failure to meet a reasonable standard of care. But does E&O cover liability resulting from failure to have “reasonable” security? That’s a form of negligence. Would it cover a security consulting company that inadequately tested the security of a client? Since the “duty of due care” includes the duty to protect against cyber risks, an ordinary E&O policy might cover it.
The same holds for professional liability insurance. A doctor who has medical malpractice liability insurance might also be covered for things such as HIPAA privacy or security breaches if you assume that the duty to protect the confidentiality of patient data is a “professional” duty of due care to the patient. If a doctor “negligently” exposed a patient’s records to a third party, would that be a breach of professional standards of care and would it be covered by malpractice insurance?
The Insurance Shell Game
Without examining the terms of each policy, its riders, exceptions, exclusions and the interaction of these policies, it is difficult if not impossible to determine whether cyber-related risks are covered. A hacker hacks the annunciator system of a manufacturer and causes a fire (or reduces the ability to respond to one). Fire insurance? Cyber insurance? What if a fire destroys a data center? Property insurance? Cyber policy? Under SEC rules, officers and directors of publicly traded companies have a duty to address cyber risks as fiduciaries for shareholders. Is their failure to do so adequately covered by director and officer insurance?
To address these issues, insurers—particularly those who offer “cyber” insurance—have been doing two things. First, they have been expressly removing “cyber” risks from ordinary policies through riders and exclusions. Or at least they think they have been doing so; the problem is like trying to exclude “electricity” related risks. “Cyber” is embedded in just about everything we do. If a lawyer fails to show up at a hearing because her computer (and calendar) is unavailable, is this legal malpractice or cyber-risk? If a car accident occurs partially because an ABS system fails, is this product liability or cyber risk? If you completely exclude “cyber” from regular coverage, you are selling extraordinarily limited policies and people are buying what they think is insurance, but it’s not. If, on the other hand, you are providing coverage for risks that are substantively and substantially different from “ordinary” risks of doing business and not capturing additional premiums for that risk, then, as the UK regulator notes, you are at risk.
This leads to the second thing that these insurers are doing. While they are attempting to exclude “cyber” from ordinary coverage they are also providing specialized “cyber” policies to, as the UK might say, “mind the gap.” Problem is, many of these “cyber” policies are extremely limited. They may cover the costs to you of a data breach (investigation, forensics, notification, mitigation) but may not cover the costs to your customers of the breach that are passed on to you through regulation or litigation. They may not include things such as damage to reputation, share price, regulatory or associated costs and cost of new security measures made obvious by the prior breach. The “pool” of risk associated with doing business in an interconnected world is the same, it’s just that it’s being reassigned between various policies, and often then with major deficiencies in coverage.
Failure to Communicate
One of the problems is that risk people, technology people and insurance people speak different languages. In evaluating insurance policies—not just cyber but all insurance policies—the CISO and technologists are often left out of the discussion. As the UK Prudential Regulation Authority noted:
The PRA expects that all Solvency II firms that are materially exposed to these risks understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk. This extends to both affirmative and non-affirmative elements of cyber risk. The PRA expects that this knowledge and understanding should be fully aligned to the level of risk and any growth targets in this field, and should cover all three lines of defence (business, risk management, and audit) …
Well, that’s perfectly clear, ain’t it? Translated from insurance regulation speak, the PRA is saying that insurers just don’t know what risks they are taking on, particularly as they relate to cyber-related risks. For insurance companies and the insured alike, this means that they should give cybersecurity professionals a seat at the table and let them help everyone understand what is going on in the real world. Otherwise, they are just taking unnecessary risks.