Cyber insurance first came to life in the 1990s. It was developed to protect the first breed of dot-com companies against perils like the destruction of data, unauthorised systems access, and computer viruses. As the pioneers of online trading, the dot-com babies had huge exposure to system downtime and business interruption, especially if it meant they couldn’t trade and generate profit.
The first breed of dot-com companies had it fairly easy when you compare the cyber risks they had to combat against the matrix of cyber threats companies face today. In 2019, any entity holding personally sensitive data – whether that’s financial, health, or simply personally-identifying information – is vulnerable to cyber crime or accidental data breach. The cyber insurance product has transformed in the past 20-years to reflect this ever-evolving risk.
Cyber insurance specialist, CFC Underwriting, has always been at the forefront of cyber risk solutions. The firm has the largest cyber underwriting and in-house cyber claims and incident response teams in London, covering over 40,000 businesses in more than 60 countries. CFC cyber product leader, James Burns, spoke to Insurance Business about how the product has evolved in recent years, and more importantly, where it’s heading.
“Business interruption is almost like the prodigal son of the cyber insurance market,” he said. “If you look right back to the 1990s / early 2000s when cyber insurance policies were first developed, there was no meaningful privacy legislation, even in the US. At that point cyber insurance was all about business interruption. It was developed for the first breed dot-com companies, who were trading online and therefore had big exposure to system downtime.
“In 2003, the state of California in the US introduced the first meaningful breach notification legislation. It stated that if a business lost consumer data, it was responsible for paying to notify consumers, and could also be held liable for fines, penalties and other liabilities as a result. After that, similar privacy legislation swept through the rest of the US, and cyber insurance policies in the US reinvented themselves to become all about privacy. The product really took off in the US because privacy is quite an easy concept for consumers to understand and for brokers to sell.”
Cyber insurance sales in the rest of the world have lagged slightly behind the US – something Burns attributes to the slower evolution of meaningful privacy legislation. Without strict privacy legislation, lots of organisations outside of the US believed they didn’t have enough exposure to privacy risk to necessitate a cyber insurance purchase. However, that’s changed in recent years thanks to the introduction of the General Data Protection Regulation (GDPR) in Europe and other stringent privacy laws like the Australian Privacy Act.
“In the past few years, we’ve seen a massive uptick in cyberattacks, particularly driven by ransomware, as well as an increase in non-criminal system failures. Whether caused by criminal activity or not, we’re seeing insureds’ systems being taken out, causing huge interruption to business operations and significant financial losses. That’s completely separate from the privacy risks businesses have finally grown to understand,” Burns told Insurance Business.
“This new type of exposure is very similar to the exposure that the first breed of dot-com companies faced, and it’s becoming more apparent and relevant to the business community as organisations become reliant upon technology. The industry is calling this exposure cyber-triggered business interruption risk, and that’s where cyber insurance policies are moving now. Cyber insurers are working to develop policies that are broad enough and have the right level of limits so that all types of companies can protect themselves against cyber-triggered business interruption risk, and not just data breach exposure.”
CFC Underwriting recently announced an upgrade to its cyber insurance product, introducing what it described as “market leading” business interruption cover and expanded cover for a variety of cybercrime activities. With the new product, businesses will see business interruption cover triggered by IT system failure, in addition to malicious cyber events. There’s also full supply chain business interruption cover so that if the system of a technology supplier of the insured is impacted, or that of a named non-technology supplier, cover will kick in.
Prior to coverages like this being developed within the cyber market, policyholders were turning to add-ons in their property policies to cover cyber-triggered events. However, while many property policies would include sub-limited coverage for damage to data, lots of insurers continued to require a physical trigger before offering business interruption coverage, which was a problem for non-physical cyber events. Some traditional property policies were picking up cyber-triggered business interruption, but oftentimes it was without the property markets intending on them doing so. Burns added that it’s largely felt that this is an exposure that belongs in the cyber market and that “the cyber market is here and ready to take it on”.
“The challenge we’ve got is that because cyber products have developed into these fairly broad all-encompassing solutions for any business’s full range of intangible assets, that means there’s a lot of different specific exposure points that need explaining. The more exposure points there are, the more confusing it can appear for clients and brokers in relation to what coverage is being offered,” he commented. “That’s why I think privacy really helped launch cyber as a mainstream product line in the US. Privacy is quite an easy concept to understand. If you’re a business that holds data and someone steals that data, you’re at financial risk, so they want to buy a solution to protect against that.
“Cyber-triggered business interruption is potentially a slightly more difficult concept for people to understand. In a traditional property policy, if you have physical damage and it leads to financial loss, it’s fairly easy to grasp because there’s cause and effect. Non-physical damage is that one step beyond, but it’s no less of a risk exposure for so many businesses. There’s a lot of education work to do, and I think the way the industry responds is going to be really important. Businesses have to become aware of how non-physical events can have business interruption impacts, and it’s our job as cyber insurers to explain that exposure to them.”