Cyber insurance policies are notoriously complex and inconsistent. As a relatively young and highly competitive insurance market, carriers are constantly looking for ways to differentiate their cyber products. This means there’s a lot of variation in the policy language, coverage offered, endorsements and sub-limits in the insuring agreements. While market competition is great for insurance brokers because it gives them options to present to their clients, the lack of standardization in the cyber insurance market can be a real headache for the distribution force.
It can be hard to drown out the noise. In the cyber space, insurance brokers and risk managers are being constantly bombarded by markets with new risk transfer offerings, tech companies with “must have” cybersecurity solutions, and the mass media reporting breach incidents, cyberattacks and the latest emerging risks. As such, it’s easy for brokers and risk managers to feel flustered and uncertain as to what cyber insurance policy best meets their needs.
To get around this, there are certain features that brokers and risk managers should look for in a cyber insurance policy today, according to Nick Economidis (pictured), vice president, eRisk, Crum & Forster. First and foremost, they should look for universal triggering definitions between first- and third-party coverages. This is something that many policies lack today, and it can cause problems if claims are covered on one side of a policy and not the other.
“I’ve seen situations where brokers had to explain why a loss isn’t covered on one portion of the policy, while it is being covered on another section of the policy. I strongly suspect brokers find that frustrating because nobody wants to be having that conversation when somebody has a loss,” commented Economidis. “That becomes part of the bigger conversation around why cyber is so complex and so hard to explain to the customer. It’s almost like a shell game where the coverage is inconsistent from insuring agreement to insuring agreement, and then you end up with a 60-page policy with 15 additional endorsements, all of which have sub-limits. It’s really challenging.”
Despite calls for more coverage consistency in the marketplace, Economidis doesn’t foresee any immediate movement, or in fact any real interest from carriers, towards adopting a market-standard cyber contract. While this is partly due to market competition, it’s also about history. He said: “Cyber exists as a line of business because traditional lines of business were unable and/or unwilling to adapt their coverage to the changing exposures. A big part of that problem was the market-standard contracts that you have for general liability and property insurance, where it’s very hard to make changes to those contracts because you have to get everybody to agree.”
In the short-term, with little relief on the horizon, brokers must find successful ways of comparing and prioritizing cyber coverage, and then communicating policy options in a clear and concise way to end-clients. Economidis shared two recommendations around this for brokers.
“First, they should start with a set of standards that they want to see in a policy and then compare the policies against those standards,” he said. “A lot of people struggle by trying to use an existing policy as a standard, and then comparing that against all the other policies, but because the policies are built in different ways, this becomes a frustrating process. So, I always recommend putting together an outline of what you want to see in a policy, determining what should be covered in order to satisfy your customer, and then comparing all policies to that.
“My second recommendation is for brokers to assign weight to what coverage is important and what is less important. People tend to create these coverage spreadsheets, and every line on the spreadsheet carries consistent weight. But I don’t think that every coverage enhancement on a cyber policy has equal weight. For instance, I think coverage for bricking is currently more important than coverage for crypto jacking. I say that because we’ve seen much more significant bricking claims than we have crypto jacking losses.”
The challenge with that is that most carriers hold their loss experience close to their chest. How can brokers assign weight to specific risks without fully understanding their likelihood and potential severity? Economidis pointed out that there are various sources of cyber claims data that brokers can use to make these assessments, such as the annual NetDiligence Cyber Claims Study, the BakerHostetler Data Security Incident Response Report, and the Corvus Security Report.
As well as looking for simple, concise policies with universal triggering definitions, brokers should also seek minimal sub-limits, according to Economidis, as this makes life a lot easier for the end-client. This is something he said they’ve gone to “great pains” to achieve at Crum & Forster.
“Our policy is 15-pages long, and it’s very easy to read and understand,” he told Insurance Business. “We even publish a guide to the policy, which is like an annotated version to help point out where the coverage is. We’ve gotten rid of almost all the sub-limits - keeping just one limit, two sub-limits, and one deductible – compared to a lot other policies, where it’s not uncommon for them to have three or four deck pages with different limits, sub-limits, and retentions or deductibles, and then more sub-limits in the endorsements. We’ve gone to great pains to try to make this really easy to understand so that brokers and clients get the coverage they expect. There are no surprises and no catches.”
A final point for brokers to remember when securing cyber insurance for clients is that the policy needs to work in tandem with traditional P&C insurance policies. It should not exist in a vacuum, as if other insurance does not exist. Economidis commented: “The truth is, cyber insurance buyers also buy general liability insurance, they buy property insurance, they buy lots of other insurance. The cyber policy should be crafted in such a way that it all fits together hand-in-glove. That’s another thing we’ve strived to achieve in our Crum & Forster cyber policy, and it’s something I haven’t yet seen the market adapt to as a whole. I think that’s a huge opportunity, and it helps brokers that are asking for that standard policy because if they know the coverage fits with what they’ve already purchased, it makes it so much easier to explain and sell.”