By Matt Prevost, Senior Vice President, Cyber Product Manager at Chubb
Cyber-attacks are expected to cost companies more than $2 trillion in 2019, according to Juniper Research. Consequently, many companies—especially the larger ones—have already realized that cyber threats top the list of corporate risks and have incorporated cyber provisions into their existing insurance policies.
However, as recent media coverage—and high-profile lawsuits—have proven, the increasingly complex and ever-evolving nature of cyber threats has led to misunderstandings in the marketplace, which are particularly prevalent when it comes to the lines of distinction between the provisions of traditional property insurance policies versus those of cyber insurance policies. While this distinction may sound simple, it’s not, and the nuance could impact billions of dollars in losses in the event of a large cyber-attack.
Physical vs Digital Cyber Threats
To better contextualize these situations, it is first important to understand that as cyber-attacks have grown, evolved, and changed, and today’s cyber threats are blurring the lines between the strictly ‘digital’ attacks and the ‘physical’ impacts of an event.
As an illustration, consider the following scenario: the elevator control panel in a high-rise commercial building is hacked, causing the elevator to malfunction and fall 30 stories. While this is a cyber-attack that results in damage to physical property, several different insurance policies could respond to the consequences of the attack.
For example, typical general liability policies would respond to claims for bodily injury made by individuals who were hurt as the result of the elevator collision, against potentially responsible parties. Similarly, typical property policies would respond to the direct physical damage and resulting business interruption loss because the cyber-attack caused the elevator to collide with other property, and elevator collision is normally a covered caused of loss. Conversely, if outcomes from the hack did not result in direct physical loss or damage or bodily injury, but rather rendered the elevator unusable, then the result would be limited to business interruption (BI) loss. In this scenario, most property policies would not respond to the BI loss because there was no direct physical loss or damage. However, a cyber policy would generally respond to this type of digital disruption loss.
Put simply, a variety of different insurance policies could respond to the consequences of a cyber event depending on the circumstances. As a result, now more than ever, it is important to work with an insurance carrier, along with an agent or broker, to find enterprise-wide insurance solutions that fit your business’ specific needs and entire risk profile.
What to Look for In the Cyber Insurance Process
As cyber events have changed over time, so too have the associated risks. While cyber-specific policies are key to protecting against cyber risks, a comprehensive analysis of the entire scope of a company’s risks is critical to preparing for all potential exposures.
When exploring your options, executives should focus on two key characteristics—the first being a diligent underwriting process and an agent or broker willing to engage fully in the entirety of the insurance portfolio. This process should contemplate complex situations and focus on obtaining a portfolio of insurance solutions comprised of multiple insurance policies that seamlessly address your company’s exposures enterprise-wide. Secondly, this portfolio of solutions should include access to inclusive risk mitigation tools, such as integrated loss control services, continuous threat analysis, comprehensive claims management, and post-breach services.
While most traditional cyber insurance policies offer robust standalone insurance protection, some insurers have created additional umbrella policies—that use the above characteristics to go beyond standard risk transfer by incorporating a holistic risk management solution into a single policy purchase and thereby closing unanticipated gaps in the scope of your insurance protection. Although it is important for companies to find a robust standalone cyber policy, it is equally critical for executives to work with producers and insurers to find additional umbrella provisions that provide critical additional limits for large unforeseen events and contemplate the broad array of cyber exposures affecting companies.
The Importance of Education & Communication
Now more than ever, it is important to find an insurance policy that offers your business protection against the dynamic and ever-evolving risks of cyber-attacks and resulting loss. In order to do so, it is important to have in-depth conversations with your insurance agent, broker, and/or risk manager about the protections and policies that will work best for your business.
Every business and insurance policy is different, but by working with an experienced carrier to evaluate your company’s complete risk profile, you can better ensure your business will be prepared and protected in the event of a loss. As the number of cyber incidents continues to rise—The ChubbCyber IndexSM of proprietary claims data shows that cyber claims have increased by 67% since 2016—this threat is more imminent than ever.
About the Author