Cyber insurance has been around for more than ten years, but compared to the centuries-old marine insurance market, it's still at a relatively immature stage so you can't assume that if something is covered by one provider or policy, it's covered by them all.
“There's a lack of uniformity in the cyber insurance market, both in the UK and internationally, as policies are evolving with new threats following every new solution,” Scott Sayce, European underwriting director for technology and cyber risks at CNA Europe, told SCMagazineUK.com.
Nonetheless, there is enough data for general trends to have emerged. Banks were the first to insure for cyber-crime, and remain one of the higher risk categories due to the type of personal and financial records kept and their volume, and these criteria remain key in setting premium levels. Cyber insurance can cover both first party claims against immediate financial losses and the costs entailed in shutting down a system and remediation, but also extend to third party liabilities such as those arising from the loss of information, including payment of PCI DSS fines.
“We can cover fines where the law allows, and this varies by country – but regarding the five percent of global turnover that may potentially be fined in the next EU Data Protection regulations – there is no precedent set yet, nor is it clear whether it would be in the public interest to be able to insure against,” commented Sayce.
Sarb Sembhi, director at consultancy Storm Guidance, and a prominent member at ISACA UK told SCMagazineUK.com: "There are different views on whether it is acceptable to insure against fines – in the US it is OK, while in the UK it is not considered something that should be insured against, but as time goes on it is likely to slowly become more acceptable, but (insuring against fines under the Data Protection Act) will have a big impact on premiums.
"It will cost a lot for companies fined, so policies may say cover the first US$ 50 million (£30 million) or US$ 100 million (£60 million), whereas the proposed maximum fine is five percent of global turnover or US$ 100 million, whichever is the greater. There is clearly dissatisfaction from the EU regarding the treatment of EU citizens by the likes of Google (so it is likely such fines will happen)."
Costs of cyber insurance are reported to have come down considerably thanks to the increased data available, with starting prices of five figures just five years ago, whereas now SMEs are able to find appropriate cover; also, business interruption cover used to start at 72 hours, and can now start after just after an hour.
Alex Deshuk manager of technology and innovation for the city of Mesa, Arizona, led a team that made the decision to purchase a cyber insurance policy to cover the city, and told SCMagazine in the US, “the cost per million [US dollars of coverage] is relatively inexpensive compared to other liability insurance in what it covers.” The US$ 5 million (£2.9 million) policy, which Mesa had underwritten by ACE Group, is “fairly complicated,” says Deshuk; but, it generally offers the city protection and coverage in the case of an online exposure.
Sembi adds: "Unlike other areas of insurance, there is not enough actuarial data. Therefore underwriters assess the probability of attacks, the likely number of attacks, and their likely cost. They don't have the data for some of the assumptions, so some policies are difficult to claim against because they have so many exclusions and extras, whereas others would cause the insurer to be stung if they were claimed against.
Sembi believes that prices may go up again as more claims are made, but then come down again as more companies accept cyber insurance and get insured." It's mostly a specialist offering, though some cover for cyber is included in some more general IT insurance policies and there is an overlap. Cyber insurance is an excellent option for risk transference of cyber risk, otherwise companies are missing a trick. But they need to choose policies carefully. Target was covered for much of the immediate costs of a breach including setting up call centres for customers. But the impact on the business and its reputation was not covered."