This article originally appeared on Aspen Opinion.
Tom Allen is Head of Technology and Data Protection Indemnity at Aspen
No Longer Niche
There has been significant growth in market demand for data protection coverage, driven in no small part by the recent surge in sobering news about the aggressively evolving risks that companies face. For a number of years this was a rather specialist, ‘niche’ marketplace that didn’t find much traction beyond a sub-section of interested firms. The risks involved have been seen for years as being cutting edge, if not rather theoretical.
This view has changed over the last 18 months. There has been a steady drumbeat of high-profile losses arising from data breaches which have received plenty of publicity. In 2014 data breaches in the U.S. totalled 783, an increase of 28% over the previous year.[1] The trend looks to be escalating, as in the early part of 2015 there had already been 174 breaches with 99.7 million records exposed.[2]
Recent events have revealed the fluid nature of the liability, the adequacy of current cyber security policies on offer and also company management’s attitude to risk acceptance and mitigation for breach scenarios. Attacks on retailers Target in 2013 and Home Depot in 2014 demonstrated the magnitude of the threat and the attacks on JPMorgan Chase in 2014 and Anthem in 2015 confirmed the point. The breach at Sony, late in 2014, highlighted the fact that the release of confidential company information can disrupt not only customer relations but also employee relations. It was not only the reputations of top executives and their clients that were jeopardized by the disclosure of emails. Moreover, the unfolding saga was amplified by the media, and the data was readily accessed and replicated from the otherwise rather arcane world of download sites.
Governments concerned about threats to national security as well as their economies have engaged in high-profile efforts to ‘jawbone’ businesses into taking IT security seriously. Regulators worried about the rights of individual consumers and investors have moved decisively to press the issues home. President Obama’s 2015 State of the Union address included an update to the 2011 Cyberspace Legislative proposal. This included new initiatives on the all-important breach reporting rules with simplification and standardization of the existing 47 state laws into one federal statute. Elsewhere, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations previously announced that its 2014 Examination Priorities will include a focus on technology, including cyber security preparedness. Executives are now much more aware of the financial costs – and the difficulties of estimating them – and also the costs in terms of their career if an incident should show them to be ill prepared. The CEO of Target held himself personally accountable for the breach and resigned in May 2014. The IT and consulting industries have picked up the theme with their corporate customers. Demand for related insurance products has ramped up in the North American market and is gathering momentum in the EU and elsewhere.
Underwriters and brokers have been working to publicize these products for years and are of course delighted that the topic has moved to a more central stage. Yet current events and the general state of public awareness about the issues highlight just how complex a challenge the rise of ‘cyber threats’ poses to the insurance industry.
First and foremost, the increasing complexity and scope of attacks resulting in data breaches must challenge the market’s assumptions about the frequency and severity of losses. Underwriters have always seen the continually evolving threats to IT security as an arms race between hackers and the IT security industry; yet many have been surprised at the ambition and scale of some recent attacks. In this context, pricing models have limited predictive value and need to be constantly re-assessed.
At Aspen, we have always held the view that ‘cyber insurance’ is an unfortunate term, as it seems to mean everything and nothing at the same time. Indeed, not all cyber threats are viewed by the insurance market as being meaningfully insurable – the chief example being the theft of a company’s own intellectual property. Much of the feared impact of cyber warfare sits outside the scope of most commercial insurance offerings. Nonetheless, the desire by many brokers for an all-risks policy approach has resulted in a lot of disparate issues being bundled together as underwriters strive to add new features to their products.
The market trend, until recently, has been for underwriters to seek differentiation as opposed to uniformity. The result is that product approaches, wordings, coverage triggers and so on vary widely across the marketplace as competitors strive to add features. Ironically, in our view, one of the longstanding challenges to the broad acceptance of these products has been their complexity – buyers sometimes struggle to fully understand exactly what they are buying.
Another self-imposed challenge arising from the lack of product uniformity is that it aggravates the difficulty insurers and reinsurers face in assessing their aggregate exposures. This is hard enough given that loss scenarios are based on known/perceived vulnerabilities, which themselves evolve.
Insurance and loss prevention go hand in hand but some of the risks that governments are seeking to transfer into the insurance sector might easily challenge the industry’s capital. At some stage in the future, a different approach may be required for certain risks. As in the case of terrorism, governments could, via a reinsurance grouping, help fund high-level risks of the insurance industry. Facilitation of a market through such an arrangement could increase supply by spreading large losses and help provide data to support more accurate pricing of the risk. It would also help increase demand through encouraging a greater understanding of cyber risks and the financial value of defending against them.
Aspen continues to view this evolving area as presenting opportunity along with threat. Our focus remains on risks tied to data protection obligations as well as liability for providers of IT products and services. Different industries face different threats and regulation still has a substantial role to play in shaping risk profiles. In our view, the industry probably needs to stop trying to bundle so many disparate issues into a single product. The industry and its customers will all benefit from the evolution of specialist products. The risks cannot be effectively underwritten unless the data has been defined, protection policies understood, the consequences of breaches identified and employees trained in prevention procedures. While developments in the big picture are continually changing, it is even more important to employ a disciplined underwriting approach with clarity of wordings, transparency of underwriting method, an alert and responsive claims service, and a keen ear for customers’ needs.
1. Identity Theft Resource Centre (ITRC), IDT91, 2015 Data Breach, 11 March 2015
2. ITRC, Data Breach reports, 20 March 2015