Insurance coverage for cyber risks

Overlaps & gaps in cybersecurity coverage


As cybersecurity risks expand and evolve, so too does the need for a layered, sophisticated insurance program. Cyber policies have grown to incorporate many cyber-related risks but are still too narrow to cover the full gamut of them.

Cybersecurity failures are not straightforward incidents.

For example, a data breach or ransomware attack requires a company to determine:

What information was lost, who was affected, and how to restore data, which could trigger first-party cyber losses.

What remedies are needed for those affected by the stolen data, which could trigger third-party cyber losses.

Whether the attack disrupted normal operations, causing additional costs, which could trigger business interruption coverage.

How much was lost from a fraudulent funds transfer or a ransomware payment, which could trigger crime coverage.

Whether there was any damage to physical property as a result of the cyberattack, and whether that property belonged to the insured organization or a third party, which could trigger property or casualty coverages.

Who was to blame, which could implicate errors and omissions or directors and officers liability coverages.

Clearly, these events trigger a cascade of insurance coverages, some of which may fall outside a cyber policy and others that may be covered by more than one insurance line. AI and its usefulness to threat actors can accelerate multiline losses.

The increasingly interconnected business world is another factor that will amplify this phenomenon.

The concentration of information technology services, particularly cloud vendors and software, in a handful of dominant providers, and the dependency of businesses upon these services, increase aggregation risks to primary carriers and reinsurers.

Then there are gaps in coverage. A common misconception among policyholders is that cyber policies cover anything related to computers or electronic devices.

A policyholder carrying on under this assumption may wonder why their cyber policy did not respond when an employee was duped into transferring funds to an unauthorized account by a threat actor’s convincing AI-enabled deepfake ruse. Losses of this type in the $250,000 to $500,000 range may be covered under a cyber policy, but larger losses may not.

On the other hand, if the employee had been tricked into releasing employee tax documents containing highly confidential personal information to a threat actor, a cyber policy would respond. In many cases, the purloined data can impose a greater financial burden on a company than a fraudulent funds transfer, as employees may sue the organization for surrendering their private information.

Underwriters are increasingly sharpening their pencils


Policyholders in general have recognized the peril of cybersecurity threats and adopted reasonably effective defenses against common attacks. Companies with cyber insurance have shown greater resilience than those without, partly because of the expectations policyholders must meet to receive coverage.

As AI proliferates, businesses should expect to receive increasingly detailed questions about how they use AI when renewal time comes. Underwriters want to know the company’s practices, policies, and governance of AI use. Are employees trained on how to use and not use AI? Are employees only using sanctioned, enterprise-level AI applications for work purposes? How are company leaders enforcing their AI policies?

Conversely, businesses can demonstrate to underwriters how they use AI to defend against cyberattacks.

Underwriters have also placed greater emphasis and scrutiny on third-party exposures, particularly vendor concentration and supply chain dependencies that can lead to aggregation and systemic risk.

Companies should be prepared to describe the risk assessments they have conducted for their information technology vendors, particularly cloud companies, managed service providers, and software-as-a-service (SaaS) partners. Reinsurers in particular are concerned about the potential for significant losses from systemic risks and whether the primary insurance market has fully appreciated the potential for downstream effects of a major incident.

© 2026 Lockton Companies. All rights reserved.