Courtesy of iii.org
There's a road in my city that is generally considered a speed trap. We all know drivers who say they were unfairly stopped and ticketed on it. I've never been stopped there, and I've thought about it, nor has anyone I talked to about it. Maybe it's because we live in the city and "everyone knows" about the trap.
Sure, people get tickets. The road is straight and wide, and I guess some people think they should be able to drive faster than the clearly posted speed limit. Or maybe they think that the "real" limit is slightly north of the number published.
Is it really a "speed trap"?
I think of this when I hear people say they do not buy cyber insurance because "everyone knows" cyber claims do not get paid.
Poster children for "cyber" denial
The example on everyone's lips when this topic comes up is Mondelez International, the food and beverage giant hit by the 201
Ironic? The policy in question covered property, not cyber. One could argue – as Mondelez does in a lawsuit – that the war exclusion is being applied unfairly, but companies do not stop buying property insurance because of it!
Cyber claims data is hard to come by, but for nine years NetDiligence has published a cyber claims study that analyzes paid claims. The 2019 study looks at more than 2,000 such claims, aggregated in over 20 ways, including types and amounts of losses, causes of loss, exposed data types, affected business sectors, claimant revenue size, and financial impact.
Verisk, whose cyber products help insurers to write coverage based on their policyholders' risk characteristics, does not publish claims data but aggregates and incorporates them into its analysis.
So NetDiligence publishes an annual cyber claims study, and Verisk aggregates and incorporates claims data into its analysis. Why, then, do so many people think that cyber claims are not paid?
Why the perception / reality gap?
Cyber is a relatively new and still-evolving risk. Insurers manage their exposures in part by setting coverage limits and excluding events they do not want to insure. In a recent survey by J.D. Power and the Insurance Information Institute, small business owners identified "too many exclusions" as the main reason they do not buy cyber coverage.
Claims are often denied because of exclusions that policyholders did not know about or did not understand. Some insurers include, for example, "failure to comply" exclusions for claims arising from inadequate security standards.
If insurers want companies to buy cyber policies and not suffer unpleasant surprises at claim time, they need to be aggressively transparent about what is included and excluded. Burying this in the fine print is not a good strategy.
Brokers and agents need to be educated about their clients' needs and be quick to adapt coverage recommendations to those needs.
And insurance buyers – those who are most at risk – must understand cyber risks and insurance. For example, insurers require a self-assessment of cyber hygiene from applicants. If, after an event, that assessment turns out to be inaccurate – say, if the encryption methods in use were misrepresented – coverage can be denied.
Insurance is not a substitute for cyber diligence. But it can complement it as part of a well-planned risk management program.