A single cyber event can create multiple exposures with potential effects on one or more of a company's insurance policies.
Cyber underwriters grappling with liability from such events would do well to learn from property underwriters who have a wealth of experience addressing similar issues in the following three areas:
Until recently, aggregation exposure was best known in property insurance, most typically related to natural disasters. For example, following an earthquake in Los Angeles, insurers would ask themselves how many insureds are in the city and what is the total aggregate loss.
But as demonstrated by the recent WannaCry ransomware attack, which affected 230,000 computers in 150 countries, aggregation is an issue for cyber as well. Who could have imagined that vulnerabilities in older versions of the Microsoft Windows operating system could cause worldwide damage to companies that failed to apply an update patch?
Cyber insurers need to follow the lead of property insurers by expanding the range of possibility and determining aggregation issues.
For instance, today more than a million businesses manage finances on QuickBooks Online and store critical bookkeeping data in the cloud. Imagine if QBO went down, disrupting mission-critical functions such as invoicing clients and doing payroll.
Find out what popular software and cloud-computing services are being used by the insured to identify issues and losses. As property carriers track ZIP codes to determine aggregation, cyber underwriters could track software and underwrite to those providers.
One of the toughest challenges property underwriters and companies confront is determining exposure from downtime and consequential loss. With technology playing a pivotal role in operations, a breach or unleashed virus could cause disruption to a plant or to registers processing sales transactions. Recently, Starbucks was forced to close many outlets because glitches from a routine software update adversely affected operations.
Clients now want to add business interruption coverage from such events to cyber policies, but cyber underwriters are grappling with how to value and underwrite this exposure. Cyber underwriters need to do a better job of risk assessment. They should approach business interruption with rigor and employ a multidisciplinary strategy that includes soliciting input from property underwriters versed in the firm's industry.
Property requires the highest levels of risk management. It's not unusual for property underwriters to mandate risk mitigation measures to prevent losses and deny coverage when requirements aren't being met. For example, one property policy stipulated fencing be put around a new building construction site. When the insured failed to do so and an intruder burned the building down two weeks before opening, the loss wasn't covered.
Cyber underwriters should take a similar risk management approach. In the aftermath of WannaCry, it's easy to imagine mandating the insured fix holes in operating software within several weeks of notification or the policy won't respond. Similar risk management mandates could be applied to financial transactions to minimize social engineering fraud schemes, whereby a duped employee wires money into a fraudulent account.
The risk management approaches already being utilized for property policies could go a long way toward protecting all sides by encouraging insureds to take appropriate steps to mitigate risk.
About Lisa Doherty
Lisa Doherty is president of Windsor, CT-based Business Risk Partners. Phone: 860-903-0002. Email: email@example.com.