Paper Example on Cyber Risk Exposures and Related Insurance

Introduction

Today, technology, social media, and transactions over the internet are taking over as the cornerstone of how organizations undertake their businesses and stretch out to prospective and potential customers. These vehicles driving the modern business transactions serve as gateways to cyber attacks. A cyber attack is an offensive maneuver against computer networks, infrastructure, and computer information systems organized by individuals, nation-states or groups through a variety of malicious means resulting in disruptive consequences where eventually information and identity theft occur or in other cases vital data destroyed (O'Halloran, Robinson & Brock, 2017). Cyber attacks are likely to occur in any organization (small or large) anytime and may result to moderate to severe losses. In 2016 Global Risk Report, cyber attacks were ranked among the top ten global risks being the seventh over the next eighteen months and eighth over the next ten years (MMC, 2016). The scale, scope and impact of cyber attacks increasing rapidly as the private and public sectors resume digitization age. By 2019, it is estimated that data breaches will reach an accumulated cost of $2.1 trillion globally, four times the total breaches in 2015 (MMC, 2016). It is also feared that cyber attacks are gradually shifting from virtual to the physical world. For example, in 2015, a hack on three Ukranian power distribution companies led to energy outages for over 80, 000 customers (MMC, 2016). Undoubtedly, cyber attacks are permanent and persistent risk for businesses implying that a management plan has to be arrived at to decide upon risks to avoid, accept, control or transfer for continuity of business and this is achieved through cyber insurance.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

Overview and History

What is Cyber Risk and Exposure?

In insurance, a risk is uncertainty regarding a loss such as a potential for an automobile accident or inability to work and earn income because of disability (Dobbyn & French, 2015). Similarly, a cyber risk entails a potential loss an organization faces as a result of its reliance on information technology, automated processes, and connectivity. Although organizations implement technologies to derive improved efficiencies, they at the same time expose themselves to additional risks from cyber attacks which are inherent in the technology systems.

Exposure, on the other hand, is the potential or susceptibility to risk of an insured party (Dobbyn & French, 2015). For example, the more an insured party drives, the more the exposure for experiencing an accident. Exposure is determined by the insurer to calculate the premiums and evaluate whether or not they will offer an insurance cover. Cyber exposures are directly linked to the responsibility born by the company for electronic information and risks associated with them in case they are misused or compromised (Biener, Eling & Wirfs, 2015). Such risks include intellectual property infringement, personal injury and financial injury as well as obligations related to data privacy regulations and consumer protection.

Exposures are categorized into two; third-party liability and first-party expenses. Third party liability is the risk of a person or group other than the ones involved in the loss claiming that the company in question incurred them losses and this emanates from the company's responsibility to protect a given confidential or private information (Dobbyn & French, 2015). These include claims related to loss of credit card numbers, social security numbers, license numbers and account numbers. For example, when a company suffers from cyber attack, a customer may file a complaint against it claiming damages incurred as a result of their identity being stolen by the attacker from the information base of the company. On the other hand, first-party expenses are the costs directly incurred by the company in question as a result of a cyber attack. They may include credit monitoring, crisis management, cyber investigation, and data regulatory expenses.

What is Cyber Insurance?

A cyber insurance policy or cyber liability insurance or cyber risk insurance is coverage designed to help a firm to mitigate cyber risks and exposures through offsetting third-party liability and first-party expenses in aid to help in recovery after a cyber attack. Cyber insurance is unique and covers specific areas not covered by the general liability insurance. Cyber insurance, apart from offsetting legal fees and expenses, helps an insured in notification about the data breach, restoring lost identities, recovering compromised data and repairing damaged systems (Wang, 2017).

Historical Background of Cyber Insurance

Cyber insurance has its roots in the errors and omissions (E&O). E&O is professional liability insurance that covers companies and their employees against claims advanced by their clients for negligent actions or inadequate work. It covers financial loss caused, alleged failure to perform and omissions in the product (Biener et al., 2015). This became more applicable for companies that often experienced loss of customer information due to cyber attacks but may be considered negligence by the affected customers.

Cyber insurance policies emerged in the late 1990's where the products covered only third-party liability resulting from a hack on the systems. In the early 2000's, versions of the covers were developed to cover breaches occurring at the insured but still had much exclusion including rogue employees, regulatory, fines and penalties and third-party coverage (Armstrong, 2015). In the mid-2000's, first-party coverage was added to offset costs related to cyber business interruption, cyber extortion, and network asset damage.

In 2003, California enacted and enforced the Security Breach Information Act in which a business that conducted business within the area was required to notify the resident of breach of personal information if it was believed to have occurred (Armstrong, 2015). The personal information referred to included social security numbers, account, credit or debit card numbers and driving license number. Consequently, many other states enacted similar laws and the outcome was new coverage issued by insurance companies. Such coverage included first-party coverage such as credit monitoring and customer notification and third-party coverage like regulatory defense and fines or penalties. Nonetheless, different covers had strict-sub-limits as each carrier had a different appetite, hot-button issues and varying views of cyber risk.

Beginning 2010 to 2015, different cyber insurance products have continued to evolve as carriers developed changing appetites I response to breaches. But the pricing was still volatile, and coverage terms differed greatly. It was setting the base for more risk management services with insurance policies.

Current Issues around Cyber Risk Exposures and Related Insurance

Cyber Risks and Insurance Growth Rate by Industry

Currently, cyber risks are spread across a wide array of industries with an estimated annual cost of cybercrime to the global economy escalating to $445 billion (MMC, 2016). Given the costly nature of cyber attacks, the awareness on cybercrime has grown and is even escalated by the data breach notification requirements both in the United States and Europe. The growing awareness has, in turn, motivated companies to establish robust risk management approach and response (MMC, 2016). This approach system must establish for early detection, response and recovery to mitigate the consequence of cybercrime while ensuring business continuity.

As the companies strategize to handle cybercrime, there has been significant growth in proactive cyber risk management as well as the purchase of cyber insurance. Total annual cyber insurance premiums reached a total of $2 billion in 2016 and expected to increase to $20 billion by 2025 (MMC, 2016). The United States dominates in the cyber insurance market with approximately 20% of all organizations having a cover and yearly increases in the number of companies seeking coverage. Nonetheless, many organizations are planning to acquire covers against cyber risks with an estimated 25% of companies in Europe planning to explore cyber insurance over the next two years as from 2016 (MMC, 2016). The figure below shows growth rates of cyber insurance by industry in 2015. All industries post a growth rate of 27% with manufacturing industries taking the lead in seeking cyber insurance covers at 63% (MMC, 2016). Healthcare industry is still lagging behind in adopting cyber insurance covers. The relatively low growth of 27% indicates immaturity in the cyber insurance market prompting for efforts to increase it.

Figure 1: 2015 cyber insurance growth rates by industry (Marsh Global Analytics)

Insurance Policies are not Covering Important Losses

Cyber incidents result in a variety of losses which are often difficult to predict and are not covered by the traditional or stand-alone coverage (OECD, 2017). For example, a huge privacy breach from a cyber attack could result in company's reputational damage and adverse effects on its future business. Most policies, however, do not provide for compensation for such a scenario. Also, loss of value of intellectual property resulting from theft through cyber-espionage is hardly covered in stand-alone or traditional coverage. In both cases, cyber insurance can be seen to lack efficiency in quantifying the value of the future business that may be lost due to cybercrime consequently leading to policy products that do not adequately cover losses incurred by the insured.

A Limited Amount of Coverage

Cyber insurance is still limited. There is evidence that larger companies in high-risk sectors receive limited coverage as compared to what they demand (OECD, 2017). The limitation in coverage is aggravated by deductibles and sub-limits. For example, there is an 8-12 hour deductible period imposed before business interruption coverage is activated and this is significantly limiting the available coverage to the businesses.

High Premiums are Charged for Cyber Insurance Coverage

Insurance companies are charging extremely high premiums for cybercrime coverage given the high-risk level. Cyber insurance premiums per million in coverage has been estimated to be about three times higher than for an equivalent amount of coverage for general liability and up to six times higher than for property coverage (OECD, 2017). Also, different insurance companies charge different premiums for the same risks. This makes leaves the insured to the risk of being explored depending on the will of the insurer to do so.

Cyber Insurance Market Challenges

There are several factors affecting the affordability and availability of cyber insurance. One such factor is uncertainty about exposure. Cyber insurance is still new implying lack of historical data to base upon the pricing. Often victims of cybercrime do not disclose or share their incidences for fear of reputational damage, and this denies the insurers the chance of getting data necessary for pricing premiums (OECD, 2017). Another factor is the risk of correlated exposure in which so many cyber-related losses could occur across the insured over the same period. For example, if some businesses are relying on similar software, it means a failure or an attack could occur to many businesses at ago making it difficult for insurers to compensate. Also, insurers and even insured still have a little knowledge about the potential exposures leading to a situation where the insured is making an estimation about premiums without basing it on data. This could lead to higher premiums that ought to be making it expensive.

Solutions

The potential for cyber insurance to mitiga...