Businesswoman standing in the rain holding umbrella showing that cyber insurance coverage may not be what was expected
Businesses Are Finding Out That Cyber Insurance Coverage Might Not Be What They Thought

Businesses Are Finding Out That Cyber Insurance Coverage Might Not Be What They Thought

Given the growing prevalence of data breaches, cyber attacks and network security failures, it’s perhaps no surprise that businesses of all sizes are exploring their options when it comes to cyber insurance coverage. But are these policies really going to cover them in the event of real cyber attacks? Evidence is building that many of these cyber insurance policies might be close to worthless, as insurance companies look for any excuse possible to avoid paying out the full amount of a claim.

Current flaws in cyber insurance coverage

One of the most extensive studies on the state of cyber insurance coverage comes from Mactavish, the UK’s leading expert on insurance governance. The company recently launched its own Cyber Risk Consulting Practice, and sought to determine the current parameters of the cyber insurance market. What they found was disappointing, to say the least. Overall, there were at least eight major flaws in how cyber insurance coverage is determined and eventually paid out. What insurance covers can be very confusing.

The leading flaw, according to Mactavish, is that most insurance claims are limited to attacks and unauthorized activity, and do not include coverage from accidental errors and omissions. Thus, when deciding whether or not to pay out a claim, an insurance company could simply point to a factor like human error and refuse to pay out the claim for a hacked computer system.

Another major shortcoming of cyber insurance coverage, says Mactavish, is that most claims are limited to only paying out losses incurred during an actual network interruption, and not for the entire period that the business has been disrupted. Thus, if a cyber attack occurs over a weekend, but the business remains incapacitated for a week or more, the claim would only cover the weekend of the attack, and not any business interruption later (such as any loss of customers or media liability from a website being down or a company being closed for a prolonged period of time).

In fact, the whole Mactavish report paints a pretty discouraging view of cyber insurance coverage. Cases involving third-party contractors and outsourced service providers are routinely turned down for cyber insurance coverage. And even cyber attacks on recently updated systems can be turned down for coverage. The net result is that a company might assume its cyber insurance policy will pay out millions of dollars, but the actual amount paid out is just pennies on the dollar.

Case in point: the one cyber insurance coverage case that has everyone’s attention right now is the case of Everest National Insurance Company vs. National Bank of Blacksburg in Virginia. After a major cyber attack resulted in a cyber breach and significant operational downtime, the bank filed a cyber claim with its insurance company in the amount of $2.4 million. After investigating the claim, however, the insurance company has only agreed to pay $50,000 of the total amount. The case goes to court in 2019.

Cyber insurance is becoming a profitable niche industry

And this is hardly an isolated example of insurance coverages turning out to be worth much less than originally thought. A recent investigation by the Financial Times, for example, found that cyber insurance policies tend to be very profitable for insurance companies. The way to see this is by calculating the “loss ratio” of any insurance policies, which is simply the amount of claims paid out divided by the premiums paid in. In 2016, the loss ratio on cyber insurance policies was 46 percent. By 2017, that figure was just 32 percent. In other words, for every $1 million in premiums that customers are paying each year, insurance companies are paying out just $320,000.

Cyber liability insurance is obviously a fairly profitable business, so it’s no surprise that many insurance companies are rolling out their own policies. For these companies, it’s seemingly the perfect business model – at the very moment when cyber threats are growing in scale and intensity, and businesses are clamoring for these policies to protect them, the insurance companies are actually reducing the amount of claims they are paying out. According to RBC Capital Markets, for example, sale of cyber insurance coverage has increased by 25 percent year-over-year.

In all fairness to insurance companies, they suggest that they are being unfairly characterized by the media. According to insurer CFC, for example, cyber denial rates (i.e. the percentage of cases that are denied payment) are “in the single digits,” while the denial rates for other traditional insurance products are closer to 10-15 percent.

And, in the case of Everest National Insurance Company vs. National Bank of Blacksburg, individuals connected with the case say that there has probably been a giant misunderstanding about what was covered under each type of insurance policy. Cyber liability insurance, for example, typically only covers network security and liability. A general liability insurance policy covers injuries and property damage stemming from products or services. So, it might require a different type of insurance to cover cyber attacks that are criminal in nature.

Market reform needed for cyber insurance market

At a certain point, though, doesn’t it seem like the big insurance companies are playing games with small businesses, forcing them to choose between a confusing mix of options? Nationwide Insurance, for example, offers three levels of cyber insurance, and it’s up to customers to figure out which one is best for them. The so-called “CyberOne Protection” seems to provide the best coverage against a conventional cyber attack, including the cost of restoring and recreating data. But there’s also something called “Data Compromise Protection,” which appears to focus primarily on the loss of sensitive information and data. So which of these two policies would be best in the case of cyber events such as cyber extortion or credit card fraud?

The big takeaway lesson here is that businesses need to be aware of potentially broad exclusionary language that would prevent a cyber claim from being paid out. Most cyber insurance coverage, for example, won’t pay for business interruption and the cost of lost business. For small businesses, this might actually be the most damaging aspect of a major cyber attack.

Right now, the market for cyber insurance is new and untested. Insurance companies appear to be rushing cyber policies to market right now, and businesses are snapping them up at a record pace. If insurance companies continue to deny claims brought under these policies, the time may soon come for greater oversight and regulation of this market.