Common Cyber Insurance Myths and Misperceptions


Businesses today are more reliant than ever upon technology. This growing dependence on technology, as well as the significant value that organizations derive from the digitization and processing of large amounts of data, makes businesses more likely to be attacked by cyber criminals. And these attacks are on the rise. For instance, security breaches have increased by 11% since 2018 and 67% since 2014 [1], and data breaches exposed 4.1 billion records in the first half of 2019 [2].

The insurance industry has an important role to play in both mitigating the impact of cyber-attacks on organizations and providing the services and tools to enable them to be more resilient to such attacks. 

It is therefore unfortunate that, at the same time as the value of cyber insurance is being increasingly recognized, a number of myths and misperceptions have developed about the cyber insurance market.

There are a few main reasons why there are fundamental misunderstandings about cyber coverage. The first is that, as more and more organizations fall victim to a cyber incident, they more frequently approach their insurance carrier seeking coverage for the damages. Yet many of these cyber-related claims are being made against general insurance and property policies that may be silent on the scope of cyber coverage. The second reason is that as technology rapidly develops, so does the cyber threat landscape. 

Insurers therefore need to be responsive and develop innovative new products to address the changing threat landscape. While a dynamic cyber insurance market, with a steady flow of new product offerings, should be viewed positively, it also tends to create differences in coverage and variations in policy language depending upon the carrier. This also tends to complicate the process when seeking cyber insurance coverage.

In this piece I will discuss in more detail some of the myths and misunderstandings in the cyber insurance market. 

Ultimately, these examples demonstrate that it is essential that the insurance industry provide clarity of coverage so that all parties understand their cyber risk exposure.

We need to do this in order to maintain the trust of our clients, and for the healthy development of the cyber insurance market.

Misperception 1: Silent cyber

We announced in the fall of 2019 that AIG is in the process of transitioning to “affirmative cyber” language for our policies – an initiative that we embarked upon to assist our clients in better understanding how their insurance policies will respond in the event of a cyber incident. 

This initiative addresses the risks posed by “silent cyber” or more precisely “non-affirmative cyber” whereby a policy doesn’t explicitly state whether a cyber-related loss is covered or excluded. Instead, policies in most lines of insurance we offer will now affirmatively state what cyber exposures are covered and what cyber exposures are excluded.

The misunderstanding regarding silent cyber lies in the fact that the lack of an exclusion does not guarantee coverage, as traditional policies were not necessarily written with cyber loss in mind. Without addressing which types of losses from a cyber-attack are covered in traditional insurance, organizations run the risk that a physical loss arising from a cyber security failure (such as the losses associated with repairing and/or replacing damaged equipment) will not trigger the policy. Physical losses resulting from a cyber incident are often overlooked, yet they can be sizeable.

Real-world examples include an attack in Saudi Arabia that destroyed thousands of computers across six organizations in the energy, manufacturing and aviation industries. Traditional policies were not designed to cover this risk and thus they have a variety of exclusions (e.g., war and terrorism, malicious acts exclusions, wild virus exclusions) that can eliminate coverage for an otherwise covered loss if that loss was caused by a cyber security failure. It is important for organizations and their brokers to work with carriers to address cyber risk in all their insurance products.

Affirmative cyber language in insurance policies provides a more accurate picture of actual cyber risk exposure. Failure to tackle this problem will undermine the health of, as well as the trust and confidence in, the cyber market. Jurisdictional regulators appear to recognize the dangers and are asking firms they oversee to adopt an affirmative cyber approach.

Misperception 2: Conflating coverage due to a cybersecurity incident

There has been a recent rise in coverage disputes between insurers and insureds following a cyber security incident. The suggestion has been made that these disputes are merely attempts by insurers to wriggle out of their obligations and avoid paying claims on a cyber policy. What these critics fail to recognize is that when companies do not buy specific cyber insurance, they often look to have non-physical claims (for example, loss of data, cyber extortion, or loss of business income) covered under traditional lines (such as a General Liability, Crime, or Errors & Omissions policy). Attempts to rely on other lines of insurance that are not designed to cover these non-physical risks are at the root of these disputes and underscore the value of cyber insurance. 

It is worth mentioning that disagreements over the scope of coverage are commonplace. The legal precedents that are established as a result of these disputes help to clarify and bring about greater consistency in terms of the policy language. For reasons I have laid out above, this is particularly valuable in the context of cyber insurance.

Misperception 3: Malicious versus non-malicious

Lastly, discussion has recently surfaced in some jurisdictions around the provision of coverage for “non-malicious” cyber threats. Specifically, firms underwriting cyber are being asked by regulators in certain jurisdictions to be affirmative in terms of their coverage in this regard. While AIG and other carriers are engaging constructively in order to respond to this request, the issue speaks to the potential misunderstandings that can arise when it comes to cyber coverage. 

In our view, cyber insurance is predominantly meant to address the risks related to malicious cyber threats, such as a hacker targeting a company specifically to steal its data. Non-malicious cyber, on the other hand, could conceivably include just about any computer or software-related failure that happens by chance. Cyber policies are not designed to provide expansive coverage for any and all technology risks. Therefore, explicitly clarifying these differences in policies brings both parties, the insurer and the insured, closer to a mutually agreed-upon understanding of coverage.

The common thread between the above myths and misconceptions is that they can all be addressed through affirmative cyber. Clarity of coverage helps to preempt confusion and misconceptions in the marketplace, helps organizations identify any gaps in their cyber security posture, and helps carriers better understand their risk exposures. AIG has already seen positive results from this approach, and firmly believes it can help reinforce the sustainability of the cyber insurance market and raise overall cyber resilience.

+ + +

[1] Ninth Annual Cost of Cybercrime Study, Accenture, March 6, 2019.

[2] Cyber Risk Analytics 2019 MidYear QuickView Data Breach Report, RiskBased Security, August 2019.

Steve Kalan

Govt Relations Vertical, team lead

4y

Thanks Tom, very helpful regarding affirmative cyber language, and malicious vs. non. 
