Consistency within cyber insurance policies is something the industry has been grappling with for nearly a decade, according to speakers at the annual RIMS Riskworld conference, held this year in Atlanta, but the industry is beginning to see a light at the end of the tunnel.
“I can’t underscore enough how much better the cyber marketplace has gotten in that regard,” said William Bennett, partner at Saxe Doernberger & Vita. “There are still policies with two insuring agreements and policies with 25 agreements and 400 definitions, but at least now they largely get to the same place.”
Bennett was speaking during a session about cyber coverage responses to the current global risk climate on the second day of the conference. Thomas Francavilla, director of insurance programs at Stratus Risk Associates, was speaking alongside Bennett. He pointed to an example of an exercise the Stratus team recently did with a broker client that is 51 percent owned by a banking group. The company was transitioning away from having standalone cyber policies in place for each broker in favor of one parent-owned cyber policy.
“Every single one of them — the brokers — had their opinions about why the cyber form that they had already was the best one and why that’s the one the parent should use,” he said.
Francavilla said his team worked on putting together a side-by-side comparison of all nine standalone forms in order to find the best solution.
“It really did range from literally policies with one first-party insuring agreement, one third-party insuring agreement and then excluding stuff out, and two policies with 25 insuring agreements and definitions within definitions that only exist with the purpose of defining other definitions,” he said.
At the end of the exercise, however, Francavilla said his team found it difficult to make a recommendation to the client about the best form to use.
“Almost all of them were missing something the other forms had, but they were all also almost entirely overlapping,” he said. “If we had done that exercise 10 years ago, it just simply wouldn’t have been true, not at all. So, from the risk manager’s perspective, now we’re in a much better place in terms of what you’re getting. There are still things here and there that you can do to improve the policy, but it’s a lot more consistent.”
This consistency is serving the industry well, particularly when it comes to silent cyber, both panelists agreed. Bennett defined silent cyber as “the idea that there’s still some cyber coverage lurking out there in other policies that aren’t cyber policies.”
He pointed to Merck & Co.’s NotPetya case as an example of the need for clarity in terms of exclusionary language and definitions within policies. This comes as Insurance Journal reported in May that the appellate division of New Jersey Superior Court upheld a state trial court opinion that the war exclusion in drugmaker Merck & Co.’s all-risk property insurance policies does not apply in the case of the cyber attack the company suffered in 2017. The appeals court affirmed that insurers could not use the policy exclusion to avoid covering about $1.4 billion in damages Merck said it suffered from a spring 2017 cyber attack known as NotPetya.
“Again, clarity is great,” Bennett said. “Those situations involve ambiguous exclusions, and that one was great to the lawyers, right? Billions and millions of dollars were spent litigating those property claims.”
In addition to clear exclusionary language, Bennett emphasized the importance of ensuring different lines of coverage fit together.
“You want to make sure that when you’re losing [coverage] in one place, you do still have it in that other place,” he said.
Francavilla agreed.
“Our approach to all of our clients is generally to make sure that your policies are working together, you know, to make sure…you have coverage in the appropriate place,” he said.
The conversation about silent cyber points to another challenge for organizations: gaining access to the right cyber coverage in the first place. As cyber policies adapt to the evolving risk landscape, insureds will need to evolve as well, both speakers agreed.
“To get coverage, you have to be a cyber secure organization, generally speaking,” Francavilla said. “Cybersecurity is continuously evolving, and the bad actors are moving quickly. They’re very innovative in finding new ways to breach systems, whether it’s through something as simple as a phishing attack or whether it’s something as complex as a state-sponsored situation.”
Think Like a Tech Company
He said this means that every company needs to fundamentally be thinking like a technology company.
“Whether that’s your internal systems, whether that’s an internal network, whether that is a client-facing system that gathers data, or even just how you internally handle your files,” he said, “there’s an email address, there’s a computer server, there’s a client-facing application that is at risk.”
He said this means it’s important for companies to have a chief information security officer and retain consultants to perform 24-hour monitoring of systems, as well as establish backups in case systems are disconnected from the network, ensure multi-factor authentication is in place, and offer robust training for employees.
“Make sure that if you have a company with lots of employees that access your systems, that they’re being tested, and it’s not always the younger or less experienced employees that you’re worrying about in a situation like that,” he said. “Some of our clients actually have noticed that the more senior executives tend to fall for the phishing attacks far more frequently than the younger employees. Younger employees tend to have the benefit of growing up with the technology and being a little bit more naturally suspicious.”
He said at Stratus, his team was recently put to the test when they received a fake phishing email from Francavilla.
“Our security folks found ways to integrate with the Microsoft Active Directory and to send out those test emails using my name — very official. And all of [my team members] called [me], which I thought was a very positive response,” he said. “That’s something that carriers are going to be looking at, you know—what is your testing and training regimen?”
Becoming a Better Risk
In addition to training regimens, Francavilla said it’s important for companies to establish a business continuity policy that is also being tested. This can help companies understand how to respond if an attack does occur.
“Becoming a better risk for an insurance company will make you a more secure company,” he said.
Despite any changes that have occurred within cyber insurance policies, more changes are likely on the horizon, the speakers said. Artificial intelligence is just one way the industry could be kept on its toes, Bennett said.
“It’s just the next of many, many ways that the market will have had to react and adapt,” he said. “Certainly at the moment, it seems like it’ll be one of the most significant.”
He said that although he expects insurance policies to address AI in the future, it’s still too early to make predictions with any certainty as to how policies will need to change.
“Anything that’s been written so far would be nothing but speculation,” he said. “I would have to believe that within the next year of renewals, there will be something in that policy somewhere that addresses [AI], but it’s really hard to say at this point.”
Francavilla added that while he has seen questions on applications that are starting to touch on AI, nothing significant has come across his radar just yet.
“I think, you know, the fundamentals don’t change, right?” he said. “The fundamental [questions] of: How is it being implemented? Where is the technology actually being housed? How is the access to that technology being monitored? I think some of the fundamentals around that don’t change. It’s the nuance of what’s coming out of that AI and how it’s being utilized in the business.”
That said, RIMS attendees could see more AI topics on the agenda next year, Bennett said.
“I’ll try to find another catchy presentation title,” he joked. “Ask us about it again next year.”