Cyber Insurance
Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, the market for insuring against these losses (aka cyber insurance) has grown rapidly in the past decade. However, very little is known about these policies and the mechanisms behind the risk assessments. While there exists much theoretical literature about cyber insurance, very little practical information is publicly available. For example, what losses are actually covered by cyber insurance policies, and what are the exclusions? What factors are used to compute the premiums, and how do existing underwriting approaches reflect the technical rate of risk?
Cyber insurance is a broad term for insurance policies that address first and third party losses as a result of a computer-based attack or malfunction of a firm’s information technology systems. For example, one carrier’s policy defines computer attacks as, “A hacking event or other instance of an unauthorized person gaining access to the computer system, an attack against the system by a virus or other malware, or [a] denial of service attack against the insured’s system.”
Despite the strong growth of the cyber insurance market over the past decade, insurance carriers still face a number of key challenges: how to develop competitive policies that cover common losses while excluding risky events; how to assess the variation in risk across potential insureds; and how to translate this variation into an appropriate pricing schedule.
Insurance carriers are required to file notices with state insurance commissions describing each new insurance product. These filings include the full text of the policy (coverage, exclusions, triggers, etc.), a security application questionnaire, and a rate schedule describing the formula for deriving insurance premiums. These filings therefore provide a unique opportunity to understand how insurance companies assess and price risk, and specifically which business, technology and process controls are considered in cyber insurance rate calculations.
These filings have three primary components:
- The coverage and exclusions of first and third party losses which define what is and is not covered,
- The security application questionnaires which are used to help assess an applicant’s security posture, and
- The rate schedules which define the algorithms used to compute premiums.
However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage.
The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers is largely absent, and such providers are notoriously difficult to assess properly (despite numerous breaches originating from such compromises).
In regard to the rate schedules, there is variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm’s asset value (or firm revenue), standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also incorporated specific information security controls and practices, as collected from the security questionnaires. Despite these variations, state regulations generally provide the same rules and procedures governing the filing, pricing and coordination of policies and rate schedules.
Admitted vs Non-Admitted Insurance Markets
An important distinction regarding insurance regulation concerns admitted versus non-admitted markets. Carriers that choose to operate in the admitted market must receive a license from the state insurance commission to sell insurance in that state, must comply with all state regulations, and must file their policies and rate schedules with the state insurance departments. One advantage of this oversight for consumers is that it helps prevent abuse by insurance companies. In addition, admitted carriers pay into a guarantee fund, which is used to pay the insured in the event that an insurer becomes insolvent and unable to pay the claims of its insureds. This safety feature does not exist for non-admitted carriers, and as one may imagine, the bulk of personal auto and homeowner insurance is written by admitted carriers.
Carriers that operate in the non-admitted market (also known as excess and surplus insurance lines) are also able to sell insurance in a given state, but are not bound by many of the regulations imposed on admitted carriers and are not required to file their policies or rate schedules with the state insurance commissions. Ostensibly, this affords these carriers more flexibility to modify the policies or rates more quickly, and can be very useful when the risks of a new market and insureds are uncertain. Policies from non-admitted insurers are still purchased from state-licensed brokers, and licenses may be denied by the state if the management is deemed incompetent or unethical. Some states even maintain lists of eligible surplus line insurers, or of surplus lines known to be unauthorized.
Some suggest that a sizeable portion of all cyber insurance policies fall under non-admitted markets. Indeed, one estimate suggests that this could be as high as 90% of the cyber insurance market. On the other hand, other experts state that cyber insurance is “moving rapidly into the [non-admitted] market for many industries and for smaller firms” and that “a lot of admitted markets are now providing some form of cyber cover”. Further, many non-admitted insurance companies are owned by admitted market insurance companies, or have non-admitted partners, and leverage the same policy language.
The Theory of Cyber Insurance
With few exceptions, the academic cyber insurance literature consists of strictly theoretical papers that examine the viability of cyber insurance markets. Overall, this body of literature examines the incentives for firms to purchase insurance (demand side), the incentives for insurers to provide contracts (supply side), and the conditions necessary for a market to exist. The inevitable tension for firms, as many identify, is whether to invest in ex ante security controls in order to reduce the probability of loss, or to transfer the risk (cost) to an insurer.
As the collective research describes, the defining characteristics of cyber insurance are interdependent security, correlated failure, and information asymmetry. Some of these properties are common to all insurance markets, while others -- and their combined effects -- are unique to the risks of networked computing systems and cyber insurance. First, interdependent security reflects the degree to which the security of one computer network is affected by the compromise of another system (the breached system is said to impose a negative externality on the victim).
Second, correlated failure (also known as systemic risk) is the systematic failure of multiple, disparate systems due to a single event. Correlated failures may occur in multiple ways, such as from a single source (e.g. a criminal group attacking many businesses), failure of a single IT system upon which many businesses operate (e.g. a cloud provider or virtualization data center), or compromise of many devices due to a common vulnerability or exploit (e.g. a distributed denial of service attack). (Notice the loss is further amplified by interdependent security.) Finally, information asymmetry in the context of insurance reflects the familiar moral hazard and adverse selection problems (i.e. companies taking more risk when fully protected from loss, and insurance carriers not being able to differentiate between high and low risk clients).
It should be emphasized that while there are ways of reducing information asymmetries, insurance carriers are mainly concerned with correlated failures because they define the degree to which a security breach at one firm affects another, and therefore any indemnities paid. On the other hand, firms are mainly concerned with interconnected nodes because this determines how a failure by a business partner may affect them. The commonality, however, is interconnected computing systems.
The unified model of cyber insurance consists of 5 components: the networked environment, demand side, supply side, information structure, and organizational environment. First, the network topology plays a key role in affecting both interdependent security and correlated failures; consider, for example, the difference in impact between the extremes of independent computers versus a fully connected computing network. The demand-side models consider the risk aversion of the insured, and heterogeneity across wealth, impact, defense, and the utility functions of firms. The supply-side discussion considers, among other properties, the competitive landscape of insurers, contract design (premiums, fines), and the carrier’s own risk aversion. Discussion of information structure relates to adverse selection and moral hazard. Finally, organizational environment describes issues such as regulatory forces that may exist to mandate insurance, require disclosure in the event of a loss, and the effect of outsourced security services and hardware and software vendors on a firm’s security posture.
As mentioned, risk management is often framed as a trade-off between investing in controls that reduce the average loss of a security event, and insuring against a loss. As insurance becomes more affordable, there is less incentive to invest in self-protection (IT security) measures. At an extreme, if the price of insurance were very inexpensive, companies would be very unlikely to protect themselves against any kind of loss. Conversely, as insurance becomes more expensive, companies become more willing to self-protect (the price of insurance becomes much higher relative to any security measures). The demand for insurance is increasing in the size of the loss, and decreasing in probability of loss. That is, companies are more willing to insure against larger, less frequent loss events.
Notice that “cyber insurance” is not covered under a single line of business, but instead is distributed across multiple, related lines. Given that these policies were first adapted from professional errors and omissions (E&O) policies, these subcategories are not surprising. Similarly, the other categories may be thought of as related forms of corporate liability policies.
What do Cyber Insurance Policies Cover and Exclude?
Cyber insurance, like most insurance products, generally distinguishes between two broad loss categories, first party and third party. First party losses relate to those directly suffered by the insured (i.e. the “first” party to the insurance contract), while third party liability relates to claims brought by parties external to the contract (i.e. the “third” party) who suffer a loss allegedly due to the insured’s conduct. As one might expect, most policies explicitly stated that the insurer will pay the costs under the conditions that the cyber incident is a) discovered by the policy holder during the policy period, b) reported to the insurance company in a timely manner (usually 30 or 60 days from first discovery), and c) “provided such costs are necessary and reasonable.”
First Party Coverage
First party coverage covers losses for costs incurred directly by the insured. For example, it includes costs related to investigating the cause of a data breach or security incident, costs associated with restoring business services, the cost of notifying affected individuals, credit monitoring services, costs incurred from public relations and media services in order to communicate the event, extortion and ransom payments, and losses associated with business interruption.
In order to manage the various risks associated with these kinds of cyber incidents, carriers frequently assigned sub-limits (and in some cases, distinct premiums), to groups of first party losses. For example, some policies differentiated among just a couple of categories, such as personal data compromise and computer attack. Personal data compromise relates to the “loss, theft, accidental release or accidental publication of personally identifying information (PII) or personally sensitive information”. A computer attack relates to unauthorized access, malware attack, or denial of service (DoS) attack on any computer or electronic hardware owned or leased and operated by the policy holder.
However, more sophisticated -- or perhaps, more risk-averse -- policies differentiated among more coverage areas, each with their own sub-limits.
In a number of cases, carriers would declare that firms from certain industries were ineligible to receive coverage. These industries included firms from the adult business and gambling or gaming industries. In other cases, carriers specifically excluded organizations involved in the sale or distribution of products regulated by the Bureau of Alcohol, Tobacco and Firearms, those involving use of pornographic data or images, or those with greater than 25% of revenues generated from online sales. In one very restrictive case, the carrier considered firms within the following industries to be ineligible: education, healthcare, finance, government, publishing, data storage, website design, firms with websites containing information related to children, healthcare, entertainment/gambling, or sale of contraband or counterfeit items.
Cyber policies commonly had only a few such differentiators. For example, one policy provided by CyberOne covered both personal data compromise and computer attack as first party coverages, and network security liability as third party coverage. Many other cyber policies just included coverages for computer attack and network security liability, so it may be the case that separate coverage for personal data compromise is considered something additional. And, if PII is involved, the incident must result in, or have the possibility of resulting in, the fraudulent use of such information.
Third Party Liability Coverage
Third party liability covers the cost of defending against public or private litigation, settlements, judgments, or other rulings, as well as fines, fees, and settlements stemming from these lawsuits. For example, network security liability coverage covers costs due to, “a civil action, an alternate dispute, a resolution proceeding or a written demand for money” as a result of “a the breach of third party business information, the unintended propagation or forwarding of malware, the unintended abetting of a denial of service attack.”
As with first party losses, coverage is available, and limits are distributed, across multiple kinds of claims.
Variations Within Policies
Beyond the generalities defined above, below we describe a number of important variations observed from the analysis.
Computer forensic costs
Expenses for computer forensic services (i.e. examining computer systems for indicators of malware or malicious activity) sometimes included the costs of computer expert services, and one policy noted that these expenses are specifically to be used in the case of disclosure of personally identifiable information (PII). For example, a policy states that, “If the incident involves an electronic security breach requiring computer expert forensic and investigation services… we will pay the costs of a computer security expert selected by you in consultation with our Breach Response Services Group from the program’s list of approved security experts.”
Notifications and additional services to affected individuals
Some policies are specific in terms of the kinds of services that can be provided to affected individuals – supplying a list of programs from which the policyholder must choose. For example, one policy requires that credit monitoring, identity monitoring, and fraud resolution services coverage only apply if Experian is used (specifically, Experian’s ProtectMyID Alert, Family Secure, and DataPatrol).
Coverage for public relations (PR) costs appeared in the vast majority of policies examined, though sometimes came with restrictions. For example, some policies only covered costs associated with advertising or special promotions, or in situations when a data privacy wrongful act had occurred.
Other policies limited the total dollar amount of coverage, or excluded any costs directed to employees, or when affected individuals had already been notified.
Claims expenses, penalties, defense, and settlement costs
Because claims expenses, penalties, defense, and settlement costs can be quite varied, policies that covered these costs often provided extra detail as to what was covered. For example, one policy defined that expenses would be paid for violation of timely disclosure of breach notice laws, regulatory and defense penalties, PCI Fines, claims against the reputation of anyone or any organization, the invasion of privacy, or any claims against website content to include copyright and plagiarism.
Items split between coverages and exclusions
About half of the policies examined covered expenses for data restoration, data re-creation, and system restoration, while the rest explicitly excluded costs incurred to examine or correct a deficiency (those with this exclusion provided either (1) only the statement “cost to research or correct any deficiency” without any other explanation; (2) a fuller, but still generic, description of the exclusion: the inspection, upgrading, maintenance, repair, or remediation of a computer system; or (3) more specificity about what it meant, for example exclusions of vulnerability review, physical security review, compliance with PCI or other standards, and damages to non-PII or non-sensitive data). Other expenses covered by roughly half of the policies examined included business income loss and legal review (e.g., assessing and determining appropriate legal).
Aspects rarely covered
Only a few policies covered costs of data extortion, or expenses resulting from acts of terrorism or war, and even those that did imposed further restrictions. For example, one policy covered extortion expenses only for the ransom of physical objects, rather than digital data, while another covered data extortion expenses only when the item threatened or harmed was a data asset. With the increase in ransomware attacks and the availability of ransomware-as-a-service, those policies that cover extortion expenses may become more popular.
In rare cases, policies covered costs of substitute systems used to resume activities and paying salaries (and specifically the overtime salaries) of those assigned to handle inquiries from those affected.
Exclusions
The exclusions most commonly observed were those not necessarily directly related to the cyber realm, but instead criminal, fraudulent, or dishonest acts, errors or omissions, intentional violation of a law, any ongoing criminal investigation or proceedings, and payment of fines, penalties, or fees. Several policies provide additional exclusions for infringement of patents, disclosure of trade secrets or confidential information, or violations of securities laws. We also found exceptions to the exclusions given certain circumstances (which might themselves have exclusions). For example, any claims or losses arising from any deceptive or unfair trade practices are not covered – unless the claim results from the theft, loss, or unauthorized disclosure of PII, but only if no one involved in the deceptive or unfair trade practices participated or colluded in the theft, loss, or unauthorized disclosure.
Other exclusions related to matters of physical harm (e.g., bodily injury, electric or mechanical failure, fire, smoke, wind or Act of God), aspects of liability suits (e.g., non-monetary relief, and expenses resulting from the propagation or forwarding of malware on hardware or software created, produced, or modified by the policy holder for sale), and losses to systems out of the policyholder’s control (e.g., loss to the Internet, ISP, computer, or system not owned or operated by the policyholder). As mentioned previously, expenses for extortion or from an act of terrorism, war, or a military action were covered in rare cases, but mostly noted as exclusions.
Finally, other rare but notable exclusions included:
- Collateral Damage (i.e., Malware, DoS attack, or intrusion not directly aimed at the policyholder)
- Malware, Denial of Service (DoS) attack, or intrusions affecting governments or private systems and networks
- Claims by any business in which the insured has a percentage of ownership (the percentage most commonly seen was 15%)
- Failure to disclose a loss of PII if an executive of the firm was aware of such a loss
- Salaries, benefits, expenses of employees
- Damages from outsourcing protected information or PII to locations outside the US, Canada, or EU
- Claims on behalf of government organizations (to include federal, state, or local)
- Damages due to defects, deficiencies, or dangerous conditions of any of the insured products
- Unsolicited dissemination of communications
- Nuclear contamination
As consumers and firms adopt more technology and connected devices, there will likely be revisions to losses explicitly covered or excluded by cyber insurance policies. For example, one policy noted that expenses due to defects or deficiencies of the insured product were not covered. However, with the increase of the Internet of Things (IoT) devices, distributed denial of service (DDoS) attacks leveraging IoT devices, code reuse among products, and non-standardized software security practices of developers, exclusions may well become more frequent. We note that, while policies cited computers, networks, and systems, there was not explicit calling out of mobile devices or systems like drones and other IoT devices. It is unclear if these are grouped into the standard “computers, networks, and systems,” or if carriers are even thinking about this new, but growing, group of devices.
Further, with the growing interdependencies of critical infrastructure across consumers, firms, and countries, exclusions for collateral damage or malware, denial of service attacks, or intrusions affecting government or private systems and networks will also likely increase. Perhaps carriers recognize the increased likelihood of being a victim of collateral damage, and as such have decided to exclude coverages from any claims resulting in this (over half of the policies we examined excluded any claims related to war, military action, or terrorist action; and almost half of the policies excluded any claims related to extortion or ransom [although approximately a third did include coverage for extortion or ransom]). We might expect that more policies in the future will include similar exclusions, as the likelihood increases (along with the cost to recover).
What Questions Do Insurance Carriers Ask To Assess Risk?
The next component of cyber insurance policies is the security questionnaires. These questionnaires are furnished by the carriers to the applicant and consist of a list of questions related to information technology, management and policy/compliance practices adopted by the applicant. Ostensibly, these questions are used by the carrier to solicit a comprehensive understanding of (or at least a reasonable approximation to) the overall security posture of the applicant. Ideally, they are a critical mechanism used to assess a firm’s cyber security posture, and to differentiate risks across applicants.
Note that under the broad category of cyber insurance, a wide variety of coverage is offered, including media more broadly; for instance, offline print media and broadcasting are sometimes covered in the same policies that offer cyber insurance.
The applications typically begin by first collecting basic information about the company, such as the name, and the contact person responsible for the company’s insurance matters. Information is also collected about the type of business and the industry sector in which the company operates, as well as financial information about revenues and assets. In a few cases, the questionnaires asked the company to submit an audited annual statement. For example, one carrier asked for a “Copy of most recent financial statements (10-K, annual report, etc.)” in the questionnaire for its Professional, Technology, Media and System Security & Privacy Liability insurance.
To assess the operation of a business, insurance policies gathered information about the insured’s clients, including who are the largest and/or most significant clients, the size of their contracts, and the duration of the project and relationship with the clients. Policies ask the insured, for example, to provide “details on the Applicant’s top three (3) revenue-producing clients or projects during the last fiscal year”, or to “list the Applicant’s five largest clients,” including value and length of contract.
Information is also collected about the company’s past and current insurance coverage, including selected deductibles, and exclusions, if applicable. This information, almost universally collected, likely helps the insurance company to evaluate the company’s past dealings with carriers, and its claims history.
Data Collection and Handling
Across the questionnaires, there was a concerted effort to understand the kinds of sensitive or confidential information that the applicant collects, stores, processes, or is otherwise responsible for. Of particular interest is personally identifiable information (PII), confidential client information, or corporate intellectual property. For example, questions related to the following data types: SSN, credit/debit card numbers, driver license, email addresses, IP addresses, financial and banking information, medical records, protected health information (PHI) as well as intellectual property, and trade secrets. For example, one carrier, in its questionnaire for cyber liability insurance, asked applicants to indicate “what Third Party electronic information the Applicant collects or stores: ‘Medical/Health Information’, ‘Credit Card Information’, and ‘Personally Identifiable Customer Information, other than Credit Card or Medical /Health Information’.”
In comparison with the “technology and infrastructure” category these questions focus on the kind of data an applicant is managing. This suggests that carriers focus on data and the potential loss at risk. This possibly explains why relatively little information is collected about the technology and infrastructure landscape, or at least suggests that this category is less relevant when assessing an applicant’s risk of filing a claim.
Outsourcing
Questionnaires also addressed how the applicant manages its relationships with outsourcing providers and the services the applicant relies on to conduct business. Given that it is common to outsource services and/or use third party service providers, these questions were relatively common. Questionnaires asked the insured to list the outsourced services and provide the names of providers, and some even provided a comprehensive list for the applicant to select from. For example, one questionnaire asks whether, “the Applicant outsources any part of the Applicant’s network, computer system or information security functions? Check all that apply and name the organization providing the services.”
Questionnaires further assessed whether a security, privacy, and/or risk assessment was performed on the third party provider. The history of the third party providers is assessed, with regard to whether they were subject to privacy or security breaches in the past. Further, contracts between the insured and the third party were examined, such as whether they were structured in a way to hold third parties liable for losses resulting from data and security breaches, or whether they included an indemnity clause to transfer risk to a third party. For instance, one questionnaire asks “Does the Applicant’s contract with the service provider(s) state that the provider: (a) Has primary responsibility for the security of the Applicant’s information?; (b) Has a contractual responsibility for any losses or expenses associated with any failure to safeguard the Applicant’s data?” In some instances, the questionnaire asked whether the insured requires the outsourcing provider to have sufficient cyber insurance to minimize any liability a customer can claim that results from an incident at the outsourcing provider (e.g., data or security breaches at the site of the outsourcing provider).
Incident Loss History
In almost all questionnaires, the insurer collected information about the insured’s experience with regard to past security incidents. While the formulation and framing of the questions varied across the questionnaires, in essence, the following issues were addressed: (a) past data and security breaches and their implications for the insured; (b) privacy breaches and loss of confidential information that triggered the notification of customers and/or employees; (c) circumstances that could lead to an insurance claim; (d) lawsuits and claims that are the result of an IP infringement; (e) extortion through cyber means; and (f) investigations by a regulatory or administrative agency. While most insurance companies included multiple lengthy questions with regard to security incident and loss history, one asked only, “Has the Applicant had any computer or network security incidents during the past two (2) years?”
IT Security Budget & Spending
IT security budget and spending provides insights into how much an insured invests in its information and IT security. However, IT security budgeting and spending was addressed in only one questionnaire, which asked “What is the Applicant’s aggregated budget for system security” and “How is the system security budget allocated among: (a) prevention of security incidents; (b) detection of security incidents; (c) response in security incidents, all in percentage.”
Information Technology and Computing Infrastructure
Understanding the technology and infrastructure landscape of an insured would seem to be a relevant factor to consider in the risk assessment. Yet, only a few insurers cover this aspect in their questionnaire. When they did, only a few questions were posed, such as the number of computing devices, the number of IP addresses, or URLs. For instance, “What is the Applicant’s total number of IP addresses?”, “List all website URL’s and static IP addresses utilized by the applicant and its subsidiaries.” In a few cases, policies asked whether the business’ critical software was developed in-house. In another case, the questionnaire inquired whether the insured segregated its IT systems that store and process PII from other parts of the network: “Are systems, applications and supporting infrastructure that collect, process, or store personal information segregated from the rest of the network?”
Information about the technology and infrastructure landscape would clearly help a carrier understand, if only at a basic level, the overall attack surface of a potential insured and, with more information, help assess their overall information security risk posture. However, it seems only very rudimentary information is collected.
Technical Security Measures
Technical measures to protect against data theft and intrusions were found in most questionnaires. These included questions concerning the kinds of tools used to secure the applicant’s networks and computers, including anti-virus software to perform scans on email, downloads, and devices to detect malicious files or processes; IDS/IPS to detect possible intrusions and abnormalities in networks; and firewalls. For instance, asks “Do you utilize firewall and intrusion prevention measures for your network and computer systems?” Encryption for data at rest and in motion was a technical measure that was often mentioned in the questionnaires. In its questionnaire asks, “Do you use commercial grade technology to encrypt all sensitive business and consumer information transmitted within your organization or to other public networks?” and “Do you use commercial grade technology to encrypt all sensitive business and consumer information at rest within your systems?” Some questions also focused on mobile devices. VPN and two-factor authentication were less frequently listed as technical measures.
From our analysis, questions regarding such technical measures were present in almost all applications. However, there was considerable variation in the types of questions that addressed technical measures. Further, where re-application questionnaires were found, they were shorter and often focused on key changes to the business environment, as one might expect, rather than on technical measures.
Access Control
Access control incorporates means and policies to secure user access, including the assignment of designated rights for users to resources. It attempts to restrict access to sensitive data on a need-to-know basis. One policy asks, for instance, “Does the Applicant physically protect access to dedicated computer rooms and/or servers?” Beyond matters of access and user rights/privileges, questionnaires addressed whether processes were in place to revoke user rights and privileges once users were terminated or left the organization. Furthermore, this category includes the monitoring of unauthorized access to, or large downloads of, sensitive data, as well as remote shutdown and data wipe capabilities for computers. Again, one questionnaire asks “Does the Applicant utilize remote shutdown of employee laptops?”
Information and Data Management
This category includes questions regarding the applicant’s data management practices: the number of records held, whether the applicant sells or shares sensitive information (i.e., PII) with third parties, and whether it processes information for third parties, including the processing or storing of credit or debit card transactions. For example, one insurer’s questionnaire asks whether “the Applicant process or store personally identifiable information or other confidential information (including but not limited to payment information) for third parties”.
The most common question in this category was whether a data retention and destruction policy existed. For example, one questionnaire asks “Does the Applicant maintain procedures regarding the destruction of data residing on systems or devices prior to their disposal, recycling, resale or refurbishing?” Interestingly, the questions do not exclusively address digital data; rather, data management is conceived more broadly to also include written records that warrant protection (e.g., the handling of sensitive information such as client or human resource information).
The need for a corporate policy for record and information management, and a classification system that determines what data must be protected, was only expressed in a few questionnaires. In only one instance did an application inquire whether the responsibility for records and information management was assigned to a senior executive.
Employee, Privacy and Network Security
Questions concerning an applicant’s privacy policy, and information and network security policy, were common but varied in detail. In some instances, the questionnaires assessed details of how a policy was implemented and tested, and whether a policy was reviewed by legal counsel and approved by the board of directors. For example, one questionnaire asks “Does the Applicant have Security and Privacy Policies that are updated continually and implemented and are there policies and procedures in place to ensure the Applicant is in compliant with requirements that govern the Applicant’s industry?” If the applicant answers yes, the questionnaire continues: “If “Yes” have the policies been reviewed by a qualified attorney?”
While privacy, and information and network security, policies were the most common policies mentioned in the surveyed questionnaires, usage policies for the internet, social networking, and/or email were also mentioned. Less common were policies for software development (i.e., the use of secure coding standards), and password policies (e.g., the use of strong encryption).
However, aside from these, the questions did not cover the substance of a particular policy (i.e., what should be in those policies, and how they should regulate particular issues) but rather only tested its existence. In numerous cases, the questionnaires asked whether the responsibility for privacy and for information and network security, and their respective policies, is assigned to or “owned” by a Chief Privacy Officer (CPO) role and a Chief Information Security Officer (CISO) role, respectively. In most questionnaires the CPO and/or CISO roles were named explicitly; in rather few cases were the responsibilities merely described as assigned to an individual. For instance, “Does the Applicant have a designated person that is responsible for the management, implementation and compliance of the Applicant’s security and privacy policies and procedures.”
Organizational Security Policies and Procedures
In addition to the technical measures implemented to protect the information system in daily business operation, organizational measures and procedures describe a set of measures to maintain and strengthen information security. Questions in this category related to penetration testing, vulnerability scanning, assessment, and management. Further, questions related to security and privacy assessments conducted by internal first parties or external third parties were asked, as were measures with regard to physical security (e.g., physical access control to computing facilities). For instance, one questionnaire asks “Does the Applicant run vulnerability scans or penetration tests against all parts of the Applicant’s network? If “yes” how often are the tests run?” The applicant can then indicate the frequency by checking the box for “Daily”, “Weekly”, “Monthly”, or “Greater than Monthly.” Several questionnaires assessed whether a business continuity plan (BCP), a disaster recovery plan, and an incident response plan (IRP) were in place. Extended questions were concerned with the assignment of, and approval by, senior executives for the BCP and IRP. Further questions addressed data backup procedures as well as training with regard to information security procedures.
Legal and Compliance
Over the years, a variety of laws and regulations at the federal and state level, as well as industry standards, have emerged that aim to protect consumers from the consequences of cyber incidents and data breaches. These laws, regulations, and standards are widely acknowledged in the questionnaires. Almost every questionnaire includes language about HIPAA, PCI/DSS, and GLBA, but also other U.S. federal and state laws. In some but not all cases, the questionnaires ask applicants to provide metrics about how well the respective standards are implemented and adhered to. PCI, as an industry standard for payment processing, was prominent in many questionnaires. For example, one insurer asks: “How many credit or debit card transactions does the Applicant process annually?” and then continues to collect information about whether the applicant: (a) Mask[s] all but the last four digits of a card number when displaying or printing cardholder data; (b) Ensure[s] that card-validation codes are not stored in any of the Applicant’s databases, log files or anywhere else within the Applicant’s network; (c) Encrypt[s] all account information on the Applicant’s databases; (d) Encrypt[s] or use tokenization for all account information at the point of sale; or (e) Employ[s] point-to-point encryption, starting with card swipe hardware.
The focus on sensitive data is not surprising given that in the past decade data protection standards and data breach laws have developed and have been widely institutionalized in the United States.
On the other hand, there is little attention given to the technical infrastructure and its interdependencies with the broader technological environment in which the applicant operates. These rather technical areas could provide further insights into the risk situation and security posture of an applicant. With regard to organizational processes and practices, it was surprising that risk management and IT security management as corporate functions and processes did not receive more attention.
It is noteworthy, however, that standards and frameworks for information technology management, such as ITIL and COBIT, are not mentioned, and in only one instance was an ISO standard mentioned. The recently developed NIST Cybersecurity Framework is also not mentioned; however, carriers are beginning to integrate this framework (and compliance with it) as a differentiating risk metric across applicants.
Beyond the analysis described above, we also did not observe any substantial changes in policy length, style, or composition over time. Conceivably, carriers may develop institutional knowledge that would lead them to improve and refine the questions over time, or perhaps the questions would be found to be too generic, requiring more details to be solicited from applicants.
Finally, in only one instance did a questionnaire ask about the size of the IT/information security budget and how it is spent with regard to (1) prevention, (2) detection, and (3) response to security incidents. This finding was surprising, given that the amount of money spent on IT and information security could serve as a very useful indicator of security investment.
How Do Carriers Price Cyber Insurance?
Cyber insurance underwriting has always been mysterious. How much do carriers know about cyber risks? How do they assess these risks? And how are premiums actually computed? Not surprisingly, the answers to these questions are rarely, if ever, released or openly discussed. In this section, we examine the rate schedules from over 100 distinct cyber insurance policies.
How much do carriers know about cyber risk?
In addition to the coverage and rate documents, the insurance forms that we acquired sometimes included justifications and explanations of the carrier’s rates to the state insurance auditor. It is in these documents that we observe insights into the fascinating process by which rate and other insurance pricing is conducted, and what information carriers actually have when it comes to pricing cyber risk.
Overall, many carriers described how “cyber” is a relatively new insurance line, and that they have no historic or credible data upon which to make reliable inferences about loss expectations (e.g., “Limitations of available data have constrained the traditional actuarial methods used to support rates”). In these cases, carriers either employed the services of other companies to help develop premiums or, alternatively or additionally, collected industry, academic, or government reports to provide basic loss data.
In some cases, carriers used external services but augmented them with additional information of their own for the same types of accounts, or with a composite rate drawn from carriers writing more expansive cyber coverage for larger and more technologically sophisticated accounts.
Further, it was not unknown for carriers to examine their competitors in order to define rates (e.g., “the rates for the above-mentioned coverages have been developed by analyzing the rates of the main competitors as well as by utilizing our own judgment”, and “the program base rates and rating variables were based on a competitive review of the marketplace and underwriting judgment”).
In only a few cases were carriers confident in their own experience to develop pricing models, for example, one carrier wrote, “Underwriters collectively have over 40 years’ experience in e‐commerce, cyber, privacy and network security liability insurance. The collective knowledge of underwriters, including a deep understanding of competitive rates and feedback from the wholesale and retail brokerage industry, was used to establish rates for the program”.
In a number of instances, we observed how carriers would turn to other insurance lines to price premiums because of their lack of data. One carrier admitted, “We are not using claim counts as the basis for credibility because we have not experienced any claims over the past three years”. In such cases carriers would base cyber risks on other insurance lines. For example, “Loss trend was determined by examining 10 years of countrywide Fiduciary frequency and severity trends. Because CyberRisk is a developing coverage we chose to use Fiduciary liability data because it has a similar limit profile and expected development pattern.” Other carriers also leveraged loss history from other insurance lines: “the Limit of Liability factors are taken from our Miscellaneous Professional Liability product,” and “Base rates for each module of this new product were developed based on currently filed Errors and Omissions and Internet Liability rates”.
In conclusion, regardless of the formal (and sometimes very informal) methods used in the underwriting process, it appears that state regulations require carriers to be vigilant about ensuring fair and accurate pricing. This is done, in part, by ensuring that underwriters are empowered to adjust premiums appropriately when necessary (e.g., “The rating modifiers…allow the underwriter to debit or credit the policy premium based on the unique attributes of an insured. These modifiers reflect objective criteria associated with the cyber risks and controls of an insured”). Further, this was reinforced by concrete advisories from insurance auditors; one auditor wrote, “Please be advised that the company is required to maintain statistical data, including incurred losses and loss adjustment expenses, on reported and unreported and outstanding and paid categories, on this program separate and apart from its other coverages. In addition, the experience should be reviewed annually, and appropriate rate revisions filed”, to which a number of carriers replied, “we will monitor our book’s performance as we develop our own experience to ensure that our product remains competitive and profitable”.
How do carriers assess cyber risk?
Unlike the analysis presented above for the coverage and questionnaire sections, we found that the calculation of premiums across carriers exhibited much less variation in structure and composition. Indeed, some policies offered simply a flat rate to all applicants, while other policies adjusted that price according to many variables.
Of the non-flat rate pricing, there were three broad categories of variables used: those relating to the applicant’s assets/revenue, those relating to standard insurance criteria (e.g., limits, retention, claims history, etc.), those relating to the applicant’s industry, and those relating to the applicant’s information security posture. Because the first three categories are standard to all lines of insurance, and the last category (information security controls) is our primary focus, we group the rate schedules into three categories: flat rate pricing, base rate with modifications, and information security pricing.
Flat Rate Pricing
The simplest approach to computing premiums, used by 50%, defines flat rates for both first and third party coverage for all insureds. While this approach offers a quick method for establishing premiums, it affords no differentiation by firm or industry. For example, the CyberOne policy, developed by the Insurance Services Organization (ISO), is used by many smaller insurance companies and offers first and third party premiums.
The final premium is then a function of the expected cost, and the profit load of 35%. Profit loading ranged from 25% to 35%. Factoring in the profit loading then produces the final premiums.
Overall, this approach is simple and straightforward. However, it relies entirely on estimates of frequency and severity of cyber events and litigation costs. We examine the source of these numbers in the next section. Note that while this approach was used by many carriers, there was some variation across carriers with regard to the frequency, severity, profit loading, and therefore premiums as they incorporated other information.
Base Rate with Modifications
Base premium is assessed as a function of the insured’s annual revenues or assets (or, with some niche products, number of employees or students). This base premium is then adjusted according to (multiplied by) multiple variables relating to standard insurance and industry-related factors.
The factor that assigns the greatest influence on the premium is the base asset value or revenues of the applicant’s firm.
Standard Insurance Factors
Standard insurance factors include variables such as changes to the limits or deductible (retention) of a policy. In addition, the premium will be modified based on factors such as coinsurance, time retention, prior acts, extended reporting period, and business interruption. Co-insurance adjusts for whether the insured carries coverage with other carriers. Time retention and extended reporting period adjust for the length of the contract term, with the factor decreasing the longer the insurance contract runs.
Historical claims refers to the number of times the insured has suffered an incident and filed a claim in past years. Premiums typically increase about 10% for each event. However, one carrier provides a more descriptive offering for claims history.
Industry Classification
Carriers attempt to control for risks to the insured based on the industry in which it operates. However, from the policies examined in this research, there was no consistency regarding approach, or any consensus on what the insurance industry would consider the “most” risky.
One policy assigns the energy, entertainment and hospitality sectors a weighting of 1.0 (meaning no adjustment, essentially neutral risk), while firms in the accounting, advertising, construction, and manufacturing industries receive a weighting of 0.85 (less risky), and firms in the bio-tech, data aggregation, gaming, and public sectors receive a weighting of 1.2 (more risky). How these relative weightings are determined is unclear and never described.
Some policies are very simple in their approach and define only 3 hazard groups:
- Low Hazard Classes possess a low amount of Personally Identifiable Information. Examples of these classes include most farming and agriculture risks.
- Medium Hazard Classes possess low to moderate value and volume of Personally Identifiable Information. Examples include Wholesale Operations and warehousing.
- High Hazard Classes possess moderate to high value and volume of Personally Identifiable Information. Examples include Retail and Merchant store operations.
Another carrier takes a more aggregate approach by differentiating non-profit, for-profit, and only a few other industries.
Information Security Pricing
The most sophisticated approach accounted for characteristics of the applicant’s information security controls when determining the final premium pricing. Adjustments based on the applicant’s actual security posture vary widely across policies, ranging from basic risk categories to more detailed metrics. One very simple approach considers broad categories of data protection, and adjusts based on qualitative ratings above or below what one may consider to be “average” maturity of controls.
While simple (and possibly appropriate), this particular policy provides no guidance on how an underwriter is supposed to assess an applicant based on these properties. For example, there is no rubric provided as to how to differentiate “Below Average” from “Above Average”, or even what would be included in a firm’s collection of privacy controls.
A slightly more detailed and thoughtful approach is found in the Freedom Specialty Insurance Company filing which differentiates a firm’s overall security posture along 6 dimensions (factors): data classification, security infrastructure, governance, risk and compliance, payment card control, media controls, and computer system interruption loss. Each factor provided 4 qualitative options (poor, fair, good, excellent) with a weighting.
The benefit of this approach relative to other simpler or more complex approaches is that it affords a reasonable tradeoff between specificity and practicality. For example, while other policies adjust the premium based on specific answers to self-assessment questionnaires (whether the firm uses 2-factor authentication, industry standard firewalls, proper best practices), it is highly unlikely that any insurance underwriter would know the marginal reduction in risk that any of these provide. The information simply doesn’t exist to determine a meaningful answer. Therefore, this approach affords the underwriter the ability to investigate a firm’s controls and make reasonable assessments. This policy also intelligently provides useful scoring rubrics for each category. For example, the data classification category describes the following:
“The Data Classification Factors are determined by assigning a hazard group factor which is based on the type(s) of data handled, processed, stored or for which the Insured is otherwise responsible for safeguarding. Examples of Data Types are credit card numbers, financial account information and/or personal health information. The appropriate factor should be applied multiplicatively. What type of data is processed, stored or maintained by or on behalf of the insured? Can the data be used to create a false identity, i.e., SSN, DOB, or not, i.e., e-mail address, passwords? Is the data subject to regulation (federal or state), i.e., protected health information (PHI) under HIPAA or driver’s license numbers (PII) under state notification laws, etc. Does the data include corporate confidential information of a third party, such as trade secrets and intellectual property?”
Other policies took another approach to adjust the premium based on the firm’s responses to each question from the application (i.e. security questionnaire).
How are premiums finally computed?
Once the base asset/revenue value is determined, the final premium is computed as the linear product of each of the factors contained in the rate schedule. One policy describes the process as, “Pricing is calculated by applying modification factors to a base premium. The modification factors are determined by various criteria including the Limit of Liability and Deductible purchased, the coverage enhancements or restrictions negotiated with the insured, and the risk’s financial characteristics. All modification factors are multiplicative, unless otherwise indicated.”
For some policies, there may only be a few factors, while for others there may be many. For example, one policy is computed as:
Premium = [Base Premium] x
[Loss Rating] x
[Professional Experience] x
[Longevity of Operations] x
[Use of Written Contracts] x
[Risk Characteristics] x
[Prior Acts Factor] x
[Coverage Adjustment] x
[Deductible]
While another formula is composed of 6 groups of factors and 13 separate security-related questions, producing a final expression of:
Premium = (Section 1 Base Rate) x
(Section 2 Industry Factor) x
(Section 3.1 Increased Limits Factor) x
(Section 3.2 Retention Factor) x
(Section 3.3 Coinsurance Factor) x
(Section 6 Third-Party Modifier Factors)
Another policy further expands the security properties, producing the following expression:
Final Premium = (Third Party Liability Base Rate) +
(First Party Costs Base Rate, if elected) x
(Limit Factor) x
(Retention Factor) x
(Data Classification Factor) x
(Security Infrastructure Factor) x
(Governance, Risk and Compliance Factor) x
(Payment Card Controls Factor) x
(Media Controls Factor) x
(Computer System Interruption Loss Factor, if applicable) x
(Retroactive Coverage Factor) x
(Claims/Loss History Factor) x
(Endorsements Factor, if applicable)
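As an added illustration, not taken from the report or from any carrier's filing, the following Python sketch applies the multiplicative rating structure described in this section: a base premium multiplied by named modification factors. Only the industry weightings of 1.0 / 0.85 / 1.2, the roughly 10% loading per prior claim, and the poor/fair/good/excellent options of the Freedom Specialty filing come from the text; the numeric weights attached to those options, the limit and retention factors, the additive (non-compounding) treatment of prior claims, and the class and function names are constructed assumptions.

```python
"""Toy cyber-insurance rating engine (added example, not a carrier's own schedule).

Implements Premium = Base x Factor_1 x Factor_2 x ... with a small lookup-driven
schedule so that an underwriter's adjustments become auditable line items.
"""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Tuple

# Industry weightings quoted in the report (1.0 = neutral, <1 less risky, >1 more risky).
INDUSTRY_FACTOR: Dict[str, float] = {
    "energy": 1.0, "entertainment": 1.0, "hospitality": 1.0,
    "accounting": 0.85, "advertising": 0.85, "construction": 0.85, "manufacturing": 0.85,
    "bio-tech": 1.2, "data aggregation": 1.2, "gaming": 1.2, "public sector": 1.2,
}

# Rating options come from the Freedom Specialty filing; the weights are constructed.
POSTURE_WEIGHT: Dict[str, float] = {"poor": 1.25, "fair": 1.10, "good": 1.0, "excellent": 0.90}
POSTURE_DIMENSIONS: Tuple[str, ...] = (
    "data classification", "security infrastructure",
    "governance, risk and compliance", "payment card controls",
    "media controls", "computer system interruption loss",
)


def claims_history_factor(prior_claims: int, per_event: float = 0.10) -> float:
    """About 10% per prior claim (from the report). Additive loading is an assumption;
    the report does not say whether the loading compounds."""
    if prior_claims < 0:
        raise ValueError("prior_claims must be non-negative")
    return 1.0 + per_event * prior_claims


@dataclass
class Applicant:
    industry: str
    prior_claims: int = 0
    limit_factor: float = 1.0        # constructed stand-ins for the carrier's limit/retention tables
    retention_factor: float = 1.0
    posture: Dict[str, str] = field(default_factory=dict)  # dimension -> poor/fair/good/excellent


def rating_factors(a: Applicant) -> List[Tuple[str, float]]:
    """Assemble the named multiplicative modifiers for one applicant."""
    unknown = set(a.posture) - set(POSTURE_DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown posture dimension(s): {sorted(unknown)}")
    factors: List[Tuple[str, float]] = [
        ("industry", INDUSTRY_FACTOR[a.industry]),
        ("limit", a.limit_factor),
        ("retention", a.retention_factor),
        ("claims history", claims_history_factor(a.prior_claims)),
    ]
    for dim in POSTURE_DIMENSIONS:
        rating = a.posture.get(dim, "good")   # an unrated dimension is treated as neutral
        factors.append((dim, POSTURE_WEIGHT[rating]))
    return factors


def premium(base_rate: float, factors: List[Tuple[str, float]]) -> float:
    """All modification factors are multiplicative, as the filings state."""
    return round(base_rate * prod(f for _, f in factors), 2)


if __name__ == "__main__":
    # Constructed applicant: a gaming firm with two prior claims and weak data classification.
    app = Applicant(industry="gaming", prior_claims=2, posture={"data classification": "poor"})
    fs = rating_factors(app)
    for name, f in fs:
        print(f"{name:35s} x {f:.2f}")
    print("premium on a 10,000 base:", premium(10_000.0, fs))
```

Because every modifier is a named line item, the same structure also makes the underwriter's "debit or credit" adjustments described earlier reviewable after the fact: a regulator or auditor can see which factor moved the price and by how much.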
The first and most important firm characteristic used to compute insurance premiums was the firm’s asset value (or revenue) base rate, rather than specific technology or governance controls. This appears to be the single most common proxy for firm size, and therefore risk.
While some carriers have sophisticated algorithms for premium estimates, policies that cater to small business are very simple. In addition, premiums that capture third party losses (i.e. liability coverage) are generally more costly than those associated with first party losses, suggesting that carriers expect legal actions to be more expensive relative to direct losses suffered by the insured.
While a few carriers incorporate specific information collected from the policy’s security self-assessment forms, many policies used more generic security risk categories (e.g., high, med, low). And while many policies incorporate industry factors into the underwriting process, no explanation or justification of how the actual risk weighting is derived is provided. Further, the industries listed rarely match industry standard coding schemes like SIC or NAICS.
Beyond the specific equations, however, it is unclear which level of sophistication of premium calculation is optimal for the firm, and is best able to assess an applicant’s risk. Indeed, this remains an outstanding issue among carriers.
Cyber Insurance Litigation
The volume of cyber attacks in recent years has highlighted material gaps in coverage for both comprehensive general liability (CGL) policies and standalone cyber policies. As this market is relatively young, language regarding coverage is not yet standardized, and there are many potential exclusions which the insured may overlook when selecting a policy. While lawyers often counsel insureds to buy standalone cyber coverage on top of CGL, even the combination of the two may not be enough to protect the insured from costly losses in the event of a cyber attack.
First party coverage generally includes forensic investigations, breach notification costs, and costs related to data loss/damage, while third party coverage covers lawsuits and regulatory fines/investigations. Camp’s Grocery, Inc. v. State Farm (2016) was a prime example of the need to pay attention to first vs. third party liability coverage in insurance policies. Camp’s was sued by several credit unions after a data breach, and it was ruled that Camp’s comprehensive general liability (CGL) policy excluded third party coverage. The ruling explicitly noted that insurance policies typically cover either first or third parties, suggesting that policies that cover both are vital (as provided in many standalone cyber policies).
Additionally, the cause of the release is also vital in determining liability. Zurich American Insurance Co. v. Sony Corp. of America (2014), found that Sony’s CGL policy did not cover the theft of personal identifiable information (PII) by the hackers, as it was not the policyholder that caused the information release, but rather a third party.
“Publication” of information is also not usually defined in CGL policies; dissemination could be to the broad public or to one individual, and there is also a question of whether publication implies only the potential accessibility of information, or its actual use. Recall Total Information Management, Inc. v. Federal Insurance Co. (2015) found that no coverage was warranted when IBM lost a number of tapes containing PII but could not prove the tapes were accessed. In contrast, Travelers Indemnity Co. of America v. Portal Healthcare Solutions (2016) found that publication of PII on the internet was a public release of information that should be covered by the insurer regardless of proof of access. While many hoped that the Travelers ruling would imply more liberal coverage of PII publication in the future, Dilworth Paxson LLP argues that CGL policies since the writing of Travelers (in 2012/2013) have explicitly excluded coverage for lawsuits arising from data breaches (ISO standard exclusion CG 21 06 05 14), and thus it is unlikely that similar cases in the future will be decided in favor of the insured.
Other explicit exclusions are commonly found in CGL policies under Coverage A and B. In Coverage B, a number of exclusions to CGL may prevent coverage of damages readily available under another policy. In National Union Fire Insurance Co. of Pittsburgh, Pa. v. Coinstar, Inc. (2014), the insured was found to have violated a state statute regarding transmission of information, an exclusion explicitly listed in the policy, and thus was not covered. However, Hartford Casualty Insurance Co. v. Corcino & Associates found that, despite the Coverage B exclusion for statute violations, the insurer was responsible for liability for damages that would have occurred absent the existence of such an act. The treatment of Coverage B exclusions and alleged statutory violations is not uniform, suggesting that future court rulings may set precedent in this area (Armenti and Cantarutti, 2016).
Yet another murky realm with regard to coverage of CGL policies is whether or not the loss of data counts as property damage. In Carolina Casualty Insurance Co. v. Red Coats, Inc. (2014) the district court ruled that the theft of laptops with PII did not constitute property damage, as the policy excluded electronic data from the definition of property damage, and the PII was not rendered unusable/lost. Upon appeal, this decision was vacated due to a failure of the district court to determine whether exclusion of electronic data was dependent on state law; no further decision was reached due to settlement by the two parties in question. Nationwide Insurance Co. v. Hentz (2012) found that the theft of a CD-ROM from an insured accountant was covered by her homeowner’s policy, as the CD-ROM was tangible property; it did not enumerate whether the ruling would apply to solely electronic data.
Even for actual physical damage incurred (e.g., control taken over an automated system that results in a physical accident), it is not clear that this damage is covered under most CGL policies, as many exclude damage “arising out of” cyber attacks. There has not yet been definitive litigation on the subject. Standalone cyber policies usually also exclude physical damage, implying that additional gap coverage is needed for a comprehensive plan.
In addition to the gap created by physical damage, social engineering is another topic that is not necessarily covered by typical CGL or standalone cyber policies. Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA found that the insured was not covered due to an authorized user’s input of information to transfer funds to a fraudulent source, rather than unauthorized entry. In contrast, the opposite was found in Apache Corporation v. Great American Insurance Co., in which the use of a computer to fraudulently transfer funds (as covered in the policy) was deemed to include an authorized user emailing the information to the social engineer (Rand 2016d). Coverage also exists to fill this social engineering gap, which the FBI has estimated has cost at least two billion in losses since 2015.
While most cases thus far have involved policies with cyber endorsements, one of the first standalone cyber insurance lawsuits was Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., in which Federal Recovery withheld data from Global Fitness due to a payment dispute. The court ruled that Federal Recovery was not insured under technology errors and omissions liability, as it willingly withheld data from Global Fitness. Such a dispute regarding the coverage of intentional and non-negligent acts under errors and omissions policies is common in traditional insurance realms; in most instances courts have found that intentional and non-negligent acts are still covered. As K&L Gates LLP points out, this ruling has several important lessons for the general cyber insurance market: “Until the governing law applicable to an insurance contract—“cyber” or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper”, and it is vital to focus on language at the initial coverage/renewal stages, as cyber policies are much more negotiable than traditional policies.
One additional recent case, P.F. Chang’s China Bistro Inc. v. Federal Insurance Co., determined that P.F. Chang’s was contractually obligated to pay Bank of America Merchant Services as a third party for the loss caused by its data breach, as P.F. Chang’s policy explicitly excluded contractually assumed liability, an exclusion common in CGL policies. This exclusion, as Dilworth Paxson LLP points out, is one that could easily be struck from an insurance contract with negotiation.
Due to the growing nature of the cyber insurance industry, and the consequent lack of standardization of policies, some of the uncertainties are being resolved in the court room rather than between insurers and the insured. Most cyber insurance lawsuits thus far have questioned the coverage of cyber endorsements to previous policies rather than standalone cyber insurance, suggesting that endorsements may obfuscate critical areas such as the differences between first and third party coverage. Another hotly contested area is an insurer's responsibility to cover physical damage, either under commercial general liability (CGL) policies or standalone cyber policies; this is often written into a policy's exclusions, and some policies may go as far as to exclude events such as pollution created by a cyber attack. Social engineering is yet another realm that is often not covered by either CGL or standalone cyber policies, but may be purchased as separate gap coverage. Much of this litigation could be avoided through the careful writing of cyber policies, given that the nature of the industry also makes insurers much more flexible about amending coverages/exclusions.
Source: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2929137