The cyber insurance model has changed dramatically since the early 2000s. What used to be a drop-and-go offering, where insureds were handed an insurance contract and then left to their own devices, has now transformed into a complete risk management proposition backed by third-party vendors with expertise in breach response, forensics, notification, and legal representation.
There have been three main phases in the evolution of cyber insurance, according to Steven H. Anderson, head of cyber at QBE North America. In the first phase, all that insurers were guaranteed to do from a risk management perspective was provide an insurance policy. They were not automatically offering services, via vendors, to help insureds through claims. When insureds and brokers expressed discontent at the scope of the support they were receiving, carriers started to build value-added services, such as forensics and legal representation, into their product offerings. Those services, phase two in cyber’s evolution, were reactive in nature and weren’t necessarily helping insureds become a better risk up-front.
“We’re now in a third phase, where carriers are trying to become proactive rather than reactive with their insureds,” said Anderson. “We’re looking at what we can provide on the front-end. Even before a claim comes in, what expertise can we share with our insureds that will allow them to adopt better risk management and risk transfer? That includes asking questions like: ‘Do you have a data breach response plan in place? Have you tested that plan, and do you have somebody that manages it? From a data storage standpoint, do you know where your data is stored? Do you know where vendors access that data?’ The solution is full circle now. Instead of the insured paying for a policy, and then the insurer saying: ‘Good luck,’ we’re trying to help them on the front-end and the back-end of a claim.”
Many insurance carriers, like QBE North America, have developed what’s known as a panel of vendors. This is a vetted group of third-party vendors with cyber-related expertise, whom the insurers will put forward as potential partners for insureds that need help resolving a cyber situation or a claim. Oftentimes, these vendors include legal counsel, forensics firms, and sometimes corporate communication and brand management companies. For many businesses, especially those in the small to medium-size range, who don’t have large risk management teams or budgets, access to these vendors’ expertise at the time of a cyber incident, like a data breach or a ransomware attack, can be the difference between their businesses surviving or dying.
“If an insured has a ransomware situation and they have a question about what they need to do, they can ring the QBE consultative hotline where they’ll get access to a breach coach,” Anderson told Insurance Business. “Our breach coach is a law firm that specializes solely on data breaches. They’re the only firm in the world with that sole focus, so they’re very specialized in what they do. The breach coach calls the insured back within three to six hours (normally it’s quicker than that) to find out more about their situation and determine what needs to be done. At this point, that individual is not contractually obligated to use our breach coach as their legal counsel. This is free consultation of the situation, which comes as part of their cyber insurance policy.
“In the instance of ransomware, the breach coach will then provide recommendations of multiple forensics firms and the cost of their services. If the insured chooses the breach coach as legal counsel, which they do a high percentage of the time, then the breach coach is basically like the general contractor of the situation. They would contact one of our forensics firms - we have several on our panel of vendors - and the chosen forensics vendor would contact the insured to resolve the situation as quickly and efficiently as possible. On the back-end, our claims department is contacted and briefed on the situation, and, once it is resolved, we figure out the final cost just like we would for any other claim.”
That’s just one example of how a policyholder might deal with multiple parties throughout a cyber incident. What differs today from 10 years ago is that it’s all orchestrated via the insurance carriers. But, according to Anderson, there’s still more work to be done. He commented: “I think the industry as a whole can do better at providing technical expertise on the front-end, or tools that our insureds can use to help them be a better risk and gain a stronger understanding of their cyber exposure.”