Consistency within cyber insurance policies is something the industry has struggled with for nearly a decade, but according to speakers at the annual RIMS Riskworld conference, held this year in Atlanta, there is finally a light at the end of the tunnel.
“I can’t explain how much better the cyber market has gotten in that regard,” said William Bennett, partner at Saxe Doernberger & Vita. “There are still policies with two insurance agreements and policies with 25 agreements and 400 definitions, but at least now they have mostly reached the same place.”
Bennett spoke in a session on how cyber coverage responds in the current global risk climate on the second day of the conference. Thomas Francavilla, director of insurance programs at Stratus Risk Associates, presented alongside Bennett. He pointed to an exercise the Stratus team recently carried out for a brokerage client that was 51 percent owned by a banking group. The company is moving away from standalone cyber policies for each broker in favor of a single parent-owned cyber policy.
“Each of them – the brokers – have their opinions as to why the cyber form they have is the best and why that should be used by the parent,” he said.
Francavilla said his team is working to put together a side-by-side comparison of all nine standalone forms to find the best solution.
“It ranges from literally policies with one first-party insurance agreement, one third-party insurance agreement and then excluding items, to policies with 25 insurance agreements and definitions within definitions that exist only for the purpose of defining other definitions,” he said.
At the end of the exercise, however, Francavilla said his team struggled to make a recommendation to the client about the best form to use.
“Almost all of them lack something that the other forms have, but they all also almost completely overlap,” he said. “If we had done that exercise 10 years ago, it would not have been true, not at all. So, from a risk manager’s perspective, now we’re in a much better place in terms of what you get. There are things here and there that you can do to improve the policy, but it’s pretty consistent.”
This consistency has served the industry well, especially when it comes to silent cyber, both panelists agreed. Bennett defines silent cyber as “the idea that there’s still some cyber coverage hiding out there in other policies that aren’t cyber policies.”
He pointed to the NotPetya case involving Merck & Co. as an example of why clear exclusionary language and definitions within policies matter. The Insurance Journal reported in May that the appellate division of the New Jersey Superior Court upheld a state trial court opinion that the war exclusion in Merck & Co.’s all-risk property insurance policies does not apply to the cyber attack the company suffered in 2017. The appeals court affirmed that insurers cannot use that exclusion to avoid covering the $1.4 billion in damages Merck said it suffered from the spring 2017 attack known as NotPetya.
“Again, clarity is good,” Bennett said. “Those situations involve ambiguous separations, and that’s a good thing for lawyers, right? Billions and millions of dollars are spent litigating those property claims.”
In addition to clear exclusionary language, Bennett emphasized the importance of ensuring the various lines of coverage fit together.
“You want to make sure that if you lose [coverage] in one place, you still have it in another place,” he said.
Francavilla agreed.
“Our approach with all of our clients generally is to make sure that your policies are complementary, you know, to make sure … you have coverage in the appropriate place,” he said.
The conversation about silent cyber points to another challenge for organizations: qualifying for the right cyber coverage in the first place. As cyber policies adapt to the evolving risk landscape, the organizations buying them must evolve as well, both speakers agreed.
“To get coverage, you have to be a cyber secure organization, generally speaking,” Francavilla said. “Cybersecurity is constantly evolving, and bad actors move quickly. They can be very innovative in finding new ways to breach systems, even if it’s through something as simple as in a phishing attack or if it’s something complicated like a state-sponsored situation.”
Think Like a Tech Company
He said this means every company needs to think like a technology company.
“Whether that’s your internal systems, whether that’s an internal network, whether that’s a client-facing system that collects data, or even how you manage your files,” he said, “there’s an email address, there’s a server computer, there’s a client-facing application at risk.”
He said this means it is important for companies to have a chief information security officer and to retain consultants who perform 24-hour monitoring of systems. Companies should also maintain backups that are kept disconnected from the network, ensure multi-factor authentication is in place, and offer robust training for employees.
“Make sure that if you have a company that has a lot of employees accessing your systems, that they are tested, and that it is not always the young or less experienced employees that you are concerned about in a situation like that,” he said. “Some of our clients have actually noticed that more senior executives tend to fall for phishing attacks more often than younger employees. Younger employees tend to benefit with growing technology and more natural suspicion.”
At Stratus, Francavilla said, his own team was recently put to the test with a simulated phishing email that appeared to come from him.
“Our security people found ways to integrate with Microsoft Active Directory and send test emails using my name – very official. And all [my team members] called [me], which I think is a positive response,” he said. “That’s something carriers look at, you know — what’s your test and training regimen?”
Be a Better Risk
In addition to a training regimen, Francavilla said it is important for companies to establish a business continuity plan and to test it, so that the organization knows how it will respond in the event of an attack.
“Being a better risk for an insurance company will make you a safer company,” he said.
Whatever changes have already taken place within cyber insurance policies, more are likely on the horizon, the speakers said. Artificial intelligence is just one development keeping the industry on its toes, Bennett said.
“This is just the next of many, many ways that the market will have to react and adapt,” he said. “In fact, at the moment, it seems to be one of the most important.”
He said that although he expects insurance policies to respond to AI in the future, it is too early to make predictions with certainty about how policies will change.
“Anything that has been written so far is nothing but speculation,” he said. “I have to believe that in the next year of changes, there will be something in that policy somewhere that addresses [AI], but it’s really hard to say at this point.”
Francavilla added that while he has seen questions on insurance applications that are starting to touch on AI, nothing significant has come up on his radar yet.
“I think, you know, the basics haven’t changed, right?” he said. “The basic [questions] in: How is it implemented? Where is the technology installed? How is access to that technology monitored? I think some of the fundamentals of the environment will not change. It’s the nuance of what’s coming out of AI and how it’s being used in business.”
That said, RIMS attendees will see more AI topics on next year’s agenda, Bennett said.
“I’ll try to find another catchy title for the presentation,” he joked. “Ask us about it again next year.”