Common Attributes of Traditional Cyber Insurance Carriers
These carriers typically offer “Admitted” options
While they have a specialized cyber insurance business unit, they will write multiple lines of commercial insurance coverage
Often takes longer for these types of carriers to revise coverage forms and add endorsements
Often work through traditional insurance distribution channels (direct to retail agents and brokers)
Often household or known names in the insurance marketplace
MGAs, Specialist Underwriters & InsurTech Market
Common Attributes
Often start out as non-admitted options
Some may offer other lines of specialized coverage, but many offer cyber and tech insurance exclusively
Often backed by a large insurance market like Lloyd’s of London or a very large traditional insurance or reinsurance carrier
Specialized insurance entity that is vested with underwriting authority from a large insurance market like Lloyd’s of London or another large insurance or reinsurance carrier
Often work through non-traditional distribution channels or through Wholesalers
Often, but not always, more technology- and cybersecurity-focused, especially in underwriting and loss control
Admitted vs. Non-Admitted Carriers
Non-Admitted Carriers
Are regulated entities just like Admitted carriers, but do not necessarily have to adhere to all laws and regulations of each individual state
Do not pay into the state guaranty fund, so if the carrier or company becomes insolvent there is a risk that claims will not be paid
Do not have to file policy forms, endorsements or rates, so they are able to adapt coverage more quickly
In order to place coverage, brokers and agents may have to follow due-diligence search requirements if the carrier is not on an “exportable” list
Taxes and fees are collected separately
Often a market for non-traditional or more difficult risks
Admitted Carriers
Must adhere to laws and regulations of each individual state Insurance Commissioner
Pay into the state guaranty fund administered by each state Insurance Commissioner
Must file all forms, endorsements and rates with the Insurance Commissioner of each state
Pay state taxes and fees on behalf of the insured (already included in premiums)
Insureds in some states can appeal to the Insurance Commissioner for claim disputes
Generally the go-to option for traditional insurable risks
Cyber Insurance Coverage Origins
Third-Party Cyber Liability: Network Security and Data Privacy Liability; Media Liability; Regulatory proceedings, fines & penalties
Data and Network Restoration Expenses: Data restoration
Business Interruption and Extra Expense: Lost income during time of cyber incident-triggered technology disruption; Extra expenses to get back up and running
Network Extortion
Coverage Restrictions
Specified Incidents
SolarWinds Orion
MS Exchange Server Vulnerability
Log4j
Kaseya Vulnerability
Open Ports and Unpatched Attack Surface
More to come?
Coverage Restrictions
Policy Language
Naming specific laws/regulations rather than providing blanket coverage
Silent on investigation, containment & remediation due to network security failure
Limiting restoration expenses to data & software; silent on network restoration
Narrow definition of computer system that does not address cloud, 3rd party or employee devices
Restrictions related to vulnerabilities of 3rd party products
Coverage Restrictions
Sublimits and Waiting Periods
Reduced limits on individual coverages to cap the amount the carrier will pay out for a specific loss
Increasing the waiting period for business interruption claims
Adding “co-insurance” to ransom payments and other coverage claims
Adding “co-insurance” and coverage limitations to claims resulting from unpatched or unsupported software
Ransomware Payment Restrictions
To help reinforce OFAC ransomware payment restrictions, carriers are starting to add Endorsements to policies
Watch out for overly broad and confusing requirements that extend beyond OFAC to European and other foreign guidelines.
Typical OFAC Endorsement
Coverage for Cyber Terrorism Is Changing
Carriers can no longer be silent on cyber terrorism coverage. This may not always be a good thing.
Cyber Terrorism Exclusion/Carveback Example
War Exclusion/Carveback Example
Any war, warlike operation, popular or military uprising, hostilities, insurrection, rebellion, terrorism (certified or not) by an individual or group or action taken by governmental authorities in hindering or defending against any of these.
This exclusion will not apply to Cyber Terrorism.
Cyber Terrorism: Cyber terrorism means any actual or threatened attack by individuals or a group against a computer system, to advance ideological, social, religious, or political objectives, with the intent, in whole or in part, to: cause harm to a computer system; or threaten an entity or person to further objectives.
Lloyd’s 2021 Addition of Carveback for “Innocent Bystanders”: “Paragraph 1.3 shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset.”
Proprietary and CONFIDENTIAL. Do Not Distribute. © 2022 Optiv Security Inc. All Rights Reserved.
“1.1. war or a cyber operation that is carried out in the course of war; and/or 1.2. retaliatory cyber operations between any specified states leading to two or more specified states becoming impacted states; and/or 1.3. a cyber operation that has a major detrimental impact on: 1.3.1. the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service…
Cyber insurance in the news
Underwriting Evolution
2015-2019: Short Form Applications
Today: Long Form Applications & Analytics
Challenges of Insuring Cyber Risk
Breakout #2 – Cybersecurity Insurance has a Big Problem
Group 1: The article points out that the cyber insurance industry lacks historical loss data. The industry has been around for 25 years; why do you think we don’t have the data required? How does a lack of data impact underwriting cyber insurance policies?
Group 2: The article briefly mentions that “4 reinsurers account for more than 60% of premium” in the cyber insurance market. Why do you think this is a potential problem?
Group 3: The author of this article uses a good analogy to describe what organizations should do in the current cyber insurance market. He says, “I’m an avid cyclist, and I have health insurance, but that doesn’t mean I don’t need a good helmet, too.” How does this apply to cyber insurance based on what we have been discussing in class so far?
Group 4: In today’s hard cyber insurance market, many businesses may not be able to afford the cyber insurance coverage they need. Towards the end of the article (2nd to last paragraph) the author provides a strategy for achieving desired cyber insurance coverage limits over time. What does the author suggest, and do you think this is realistic for most organizations?
https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem
Cyber risk is different
The Ludic Fallacy: “The attributes of the uncertainty in real life have little connection to the sterilized ones we encounter in [models] and games.” — Nassim Nicholas Taleb
Sterilized Risk Assumptions