Buying cyber cover requires sharing most sensitive dataReprints
VENICE, Italy — While the nature of cyber risk has evolved rapidly over the past two years, the actual process of buying insurance can heighten a company's exposure to cyber risks and may deter some organizations from buying the coverage, a risk manager said.
That reluctance may partially explain why only a minority of organizations in Europe purchase the coverage, he said. But more companies are buying the coverage as they get a better understanding of the risks and the market develops cyber insurance to offer broader coverage, insurance experts said.
The disclosures that organizations must make to insurers as a requirement of purchasing coverage include some of their most sensitive security information, said Philippe Cotelle, head of insurance risk management at Airbus Defence & Space, a division of Airbus Group in Toulouse, France.
“The underwriting information that insurers need is the key security information of a company. Are you willing to give that information to an external party?” Mr. Cotelle asked during a session of the Federation of European Risk Management Associations' 2015 Risk Management Forum in Venice, Italy, this week.
In addition, the reputational damage companies suffer as a result of a cyber breach may be more costly than the breach-related costs covered by cyber insurance, Mr. Cotelle said. As a result, companies may be unwilling to risk the disclosure of a breach by making an insurance claim.
Finally, as part of claims inspections, third-party experts working for insurers would gain insights into critical systems operated by the policyholder, he said.
But other factors may deter companies from purchasing cyber insurance, said Stephen Wares, cyber risk practice leader of Europe, the Middle East and Africa at Marsh Ltd. in London.
While Marsh research shows that cyber risk is a major concern for organizations and that the insurance offered in the market covers the risk managers' main concerns, some organizations may not understand their level of exposure to data breaches, he said.
The research also implies that “exposure analysis has not been done adequately,” Mr. Wares said.
For organizations that do buy cyber coverage or are considering buying it, its scope has broadened considerably, said Lori A. Bailey, Boston-based global head of specialty lines at Zurich Insurance Co. Ltd.
In addition to established cyber insurance, such as coverage for breach response expenses, coverage also is available for exposures such as:
• Contingent business interruption. “This is starting to emerge because more and more companies are relying on cloud computing … But it needs a whole different level of analysis,” Ms. Bailey said.
• Administrative cost coverage. This covers errors made by employees that lead to a data breach and bridges the gap between cyber liability policies and errors and omissions coverage, she said.
• Regulatory fines and penalties. This coverage is sometimes permitted in the United States, but often is prohibited in Europe, Ms. Bailey said.
• Emergency costs. This covers the costs related to a breach response where decisions have to be made very quickly and before approval for the expense can be granted by an insurer.
• Bodily injury and property damage. Only a limited number of insurers offer this coverage, she said.
In addition, “cyber has opened up a whole new world with respect to services” that are offered by insurers, Ms. Bailey said