Insurers, Brokers Expect Market to Close Cyber Insurance Gaps
Two insurance trade associations recently took the pulse of the U.S. cyber insurance market, finding that while some perceived gaps in coverage may take three years or more to close, the market is already raising standards, with businesses required to implement minimum cybersecurity practices to secure insurance.
These are among the findings of complementary surveys conducted by the American Property Casualty Insurance Association (APCIA) and the Council of Insurance Agents & Brokers (CIAB). The APCIA surveyed member insurers that write cyber insurance policies on risk selection and marketplace gaps in cyber coverage. The CIAB surveyed a sample of U.S. broker members on cyber placements, using similar questions on limits, gaps and cyber market challenges.
A majority of APCIA respondents, 75%, expect that many of the current gaps in first-party cyber insurance coverage will be addressed in the long term, defined as more than three years from now. While the CIAB survey’s respondents agreed that marketplace gaps exist, they believe the market will address certain gaps in coverage within the next three years. Fixes are expected sooner, the CIAB survey found, in areas like inadequate coverage limits, incident response services and liability coverage for security breaches, which is a third-party cyber gap.
The two surveys also shed light on business sectors that are struggling to obtain cyber insurance in the current market. Both APCIA and CIAB respondents identified government entities, utilities, education institutions, and health care firms as ones currently facing difficulties in securing cyber coverage, among others.
As a condition of acquiring cyber insurance, more businesses are now required to have minimum cybersecurity practices in place, such as multifactor authentication (MFA). The surveys found that 69% of both APCIA and CIAB respondents are aware of instances where cyber insurance applications were rejected because the applicant did not have these minimum best practices implemented.
“In order for a business or entity to obtain a cyber insurance policy, they typically must have at least basic cybersecurity best practices in place,” said Gary Sullivan, senior director of emerging risks at APCIA. “These underwriting standards are helping to increase our nation’s overall resiliency against evolving cyber threats.”
Challenges in Defining a Catastrophic Cyber Event
Defining a catastrophic cybersecurity event involves considering various parameters, according to the surveys of insurers and brokers.
CIAB respondents, for example, identified total damages, impacts to a specific industry, and the cause or nature of an event as the most important factors in identifying a catastrophic cyber incident. Examples included widespread critical infrastructure outage, self-propagating malware, and zero-day vulnerability exploitation, among others.
APCIA survey respondents suggested a wide range of potential loss thresholds for defining a catastrophic cyber event, noting that the threshold would vary depending on the size and revenue of the affected business. In other words, what might be a catastrophic event for a small business may not necessarily be catastrophic for a large corporation with billions in revenue.
The types of events that could potentially be defined as catastrophic also varied among APCIA respondents. Examples ranged from critical infrastructure attacks that spread to multiple dependencies, to widespread data breaches, cloud outages, self-propagating malware, zero-day vulnerability exploits, and supply chain attacks injected into legitimate software.
Specific Marketplace Gaps in Cyber Insurance Coverage
While the cyber insurance market continues to evolve to meet the needs of businesses, certain coverage gaps still exist. On the first-party coverage side, respondents to the APCIA survey identified limitations in the amount of insurance that can be purchased and the waiting periods that apply.
“For example, insurers offer many coverages on a sublimited basis (contingent business interruption, social engineering, etc.) or subject to a waiting period. However, some insureds want business interruption coverage to apply at minute one of the disruption, which may not be available in the marketplace,” the report stated.
Other first-party gaps noted by CIAB survey respondents include those related to indemnity payments, incident response services, and losses from social engineering and invoice manipulation schemes. Cyber-crime coverage for events like funds transfer fraud is another area where gaps may exist, though some carriers do offer this protection, albeit with a sublimit. Crime insurance policies may also provide some coverage.
On the third-party liability side, both APCIA and Council respondents highlighted security breach liability as a key area where coverage gaps are present. Cyber insurers often exclude coverage for events and losses stemming from cyber war, non-availability of critical infrastructure services like power and internet, nuclear incidents, and natural catastrophes.