DENVER -- Treasury and financial professionals are caught between a rock and a hard place on cyber insurance. They know that they need to invest heavily in it. But they also know that it’s not cheap, and sometimes the coverage isn’t even adequate to meet their needs. During a Tuesday morning session at the CTC Executive Institute, Tom Reagan, national cyber practice leader, Marsh, provided treasury and finance executives with some guidance on cyber insurance coverage.
A recent report by Reuters revealed that cyber insurance premiums have skyrocketed following high-profile cyberattacks. Furthermore, some insurers are also raising deductibles and limiting coverage amounts to $100 million. Breaches of the magnitude we've been seeing in recent years can cost a company more than twice that—for example, as of February 2015, the total price tag of the infamous Target breach was $252 million.
Reagan tried to ease corporate practitioners’ concerns by explaining that there’s not a $100 million cutoff for coverage by any means—many providers are offering coverage well beyond that amount. “Capacity continues to expand,” he told AFP in an interview.
Reagan believes that the real reason many policies have been limited to $100 million or less is companies failing to realize the amount of damage cyberattacks can inflict on their organizations. “The limitations around tower size has really been around the economic considerations; the willingness of clients to pay for capacity,” he said. “The capacity is out there; it just may be more expensive than they feel they need.”
The problem is that so many companies these days are not taking a risk management approach and accepting that this is simply another key risk they need to deal with. Once they get rid of that old mindset, the decision to invest in cyber insurance—rather than spend millions of dollars on preventative technology that ultimately won’t keep the bad guys out—becomes clear.
“As soon as you engage in a risk management process, at some point in time, you will come to a point where you have exhausted your ability to feasibly or economically to mitigate that risk,” Reagan said in his session. “At some point, it makes sense to take the risk and transfer it into the marketplace, which is pretty robust and mature.”
Reagan added that cyber insurance is the most rapidly developing space the insurance industry has ever seen. “You’re talking about changes to policy forms coming every six to 12 months,” he said. “That sounds glacial until you recognize that the primary fidelity form most banks use to protect themselves against financial fraud last had a really successful, positively received revision in 1986. So this is moving at light speed.”
Reagan sees this as a very positive development, because the coverage is getting better each time it’s revised. With constant security incidents hitting the news, the insurance industry is being forced to up its game. Policies are adding new risks into their umbrella of cyber insurance coverage, e.g., reputational risk is not covered, but Reagan believes it will be soon.
More and more companies are recognizing that they cannot stop cyberrisk; they have to do something to management. “But we still have a long way to go; total uptick rates are only at about 25 percent,” Reagan said.
Unfortunately, many companies still believe they can get by on their traditional insurance programs. “The sad reality is that these policies won’t cover cyber,” Reagan said. “They’re designed for physical world.”
One threat that traditional policies do cover, however, is the infamous business email compromise (BEC). Because BEC scams involve employees getting duped into voluntarily sending money, it is not typically covered by cyber policies. “Typically the broad cyber market deals with non-financial asset issues; it deals with data, information, things like that,” Reagan told AFP. “But on the crime side and the fidelity side, there are a variety of products that cover business email compromise. So yes, you can buy insurance for that. The market’s not as deep as we would like it to be, but we expect that market to get much deeper in the coming weeks and months.”