Woodruff Sawyer’s head of cyber liability, Lauri Floresca, shares her perspective on the risks and trends in this evolving coverage.
IBA: How has cyber coverage changed over the years?
Lauri Floresca: The product continues to evolve, and the risk continues to evolve. With some risks, such as fire, once you figure out how to control it, you can figure out how to insure it. In cyber, the risk keeps changing, so the product has to evolve. For example, data breach wasn’t the original focus of cyber policies; the early products addressed exposures such as virus transmission.
Today, I think when people think about cyber insurance, they assume it’s just about covering a data breach, but a new area of focus is business interruption, and the risk for companies in having their networks shut down as a result of a cyber attack and not being able to operate their business.
Last year, Merck, Maersk and FedEx made headlines because of network outages from the NotPetya virus cyber attack. These types of companies weren’t common buyers of cyber insurance because they didn’t hold a lot of customer data and didn’t think of the data breach exposure. We are seeing more of our clients focused on cyber insurance for the first time because of the reliance on networks to operate the business. Thankfully, the market has been evolving to more proactively cover cyber business interruption and improve coverage around that.
IBA: Is there a risk that’s not covered by cyber insurance?
LF: The area of coverage that companies continually ask about but that doesn’t really exist is for the loss of your own intellectual property. People are very worried about foreign hackers stealing company secrets or patent applications. The challenge is that cyber policies will cover the intrusion aspect of the hack and potentially the cost to figure out what was stolen, but not the lost value of intellectual property, partly because it’s so difficult to value.
IBA: How does Woodruff Sawyer help clients manage cyber risks?
LF: First, we help clients identify what those cyber risks are and which ones are most critical to them, whether it is a data breach or a vulnerability to business interruption. Then it’s about helping them pull together their story to explain to underwriters what their risk profile is and how they are managing cyber risks.
We also partner with outside firms that offer external security reports to measure the health of a company’s risk. We provide that to the company so they know how they scored and can potentially make improvements in the areas where they scored poorly. Also, because many underwriters are using those services as an initial underwriting check, if there is anything that is either wrong or needs to be explained, we want to be able to explain to the underwriters and make sure the client isn’t getting penalized when they shouldn’t be.
IBA: What are some of the other challenges in insuring cyber risks?
LF: One challenging area is that there are so many vendors and service providers in this space trying to help companies with their cyber risk that it’s very overwhelming to companies. In many cases, insurance comes bundled with access to vendors and services, but we find that companies are not taking advantage of those. One of the things we are working on is building out our own panel of vendors for clients to access that provide cyber risk assessments, breach response preparedness, penetration tests and more to improve a company’s risk profile.
IBA: How is the new GDPR legislation in the EU impacting cyber insurance?
LF: GDPR, the European data protection regulations that went into effect in May, has been a huge buildup for the cyber insurance industry because, one, everyone is focused on compliance and whether companies are ready, and two, everyone wants to know if there is insurance available for GDPR.
Cyber insurance is unique in that it overtly covers fines and penalties associated with privacy breaches, which is fairly unusual in insurance. With GDPR, the question is if insurance coverage will extend to that.
There are legal opinions suggesting that fines and penalties are not insurable in many jurisdictions in Europe. There are a lot of questions as to whether that assessment is relevant and appropriate for companies that are domiciled in the US, buying insurance from a US insurer. That’s a huge issue because the potential fines and penalties under GDPR are significant and much higher than what we have seen in the US. Companies are very concerned about the potential penalties and whether their insurance will be able to respond.