Transferring risk through insurance is the last step in the risk management process. Traditional insurance products have fallen short of providing protection that is required as solutions for property, fidelity, general liability and professional liability only cover very clear and precise areas of risk. While there may be overlapping coverage for some cyber risks, various exclusions mean they generally do not cover privacy and cyber perils.
Economic and technological developments often bring new and unforeseen risks. The (re)insurance sector has a strong record of developing specialty covers as new and evolving risks become critical issues for companies. The creation of cyber insurance products is a strong example of this.
Creating new insurance products often involves a certain amount of refinement as the risks and coverage evolve, particularly in the fast-moving world of technological change. This refinement has already occurred for cyber insurance products as the narrowly drawn policies with little relevance beyond the dot-com space have been broadened to include coverage that now addresses nearly all aspects of technology-based risk faced by modern companies.
In examining the need for cyber coverage, companies should consider the following:
- Are they exposed to network security or privacy risks?
- Does their current portfolio of risk transfer adequately address those risks?
With very few exceptions, the answer to these questions is that the risks exist but the coverage does not.
Every company that utilizes technology and collects or handles data should therefore consider cyber cover. The need is there for both small and large companies as recent studies have found that technology failures and data breaches are equal opportunity risks. Companies of all industries and sizes, from small and medium enterprises to Fortune 100 multinationals, are exposed to cyber risk. The only difference is the size and specifics of the potential loss. To date, cyber insurance coverage in the United States has seen the largest uptake among financial institutions, technological companies, retailers and healthcare providers, though interest is growing across all industries.
In fact, the factor that determines the uptake of cyber protection seems to be linked more to geography rather than industry. Companies in Europe and Asia, for example, have been slower to embrace cyber coverage than their North American peers, likely due, with few exceptions, to the lack of breach notification laws outside of the United States. A lack of clarity around what cyber risks are included or excluded in existing insurance policies is also contributing to the limited uptake outside the United States.
For companies that have purchased or are considering purchasing cyber protection, carriers have adapted their offerings to include a variety of loss prevention and risk mitigation tools. These tools range from services that are best described as turnkey breach response teams to proactive risk analytics that can be deployed by an insured in their daily operations. The importance of such practices is proven by the increasing number of insureds who are purchasing cyber coverage as much for these risk tools as for the financial risk transfer elements of the coverage. A vibrant cyber insurance market is emerging as a result.