Kivu recently attended the Advisen Cyber Risk Insights Conference in San Francisco, participating in two discussion panels over both days. The first, “Combatants: Soldiers, Mercenaries, Terrorists, or Thieves?” was attended by Associate Director Mike Snader, and featured an intriguing discussion about cyber-crime, as well as the stunning factoid that this form of crime has outpaced the illegal drug trade.
The second panel, titled “Ransomware – to pay or not to pay”, saw Associate Director Bridget Choi join the discussion around paying for decryption. This is a complicated matter, and we fully expect to continue seeing this topic on future agendas as opinions continue to diverge.
One particular session we felt was of great interest was the fireside chat titled “Shop Talk: Missed Opportunities in First-Party Cyber” featuring Emy Donavan, the Executive VP and Chief Underwriting Officer at Arceo.ai. Here’s our summary and key takeaways from the talk.
Donavan spoke of shifting the underwriting focus of cyber policies from third-party privacy risk to first-party risk. She argued that this shift has become necessary as cyber-related business interruption coverage has replaced data breach coverage as the most sought-after cyber insurance coverage.
Previously, cyber policies were focused on providing a risk transfer for privacy-related risk. The focus on privacy risk transfer began in 2003, when the state of California introduced the first meaningful breach notification legislation. This law required businesses to pay for the notification of customers in the event of a data breach, and held them responsible for fines, penalties and other liabilities. With California leading the way, similar privacy legislation swept through the rest of the U.S., resulting in cyber insurance policies focusing primarily on privacy risk.
Then ransomware came along, and started causing costly interruption to business operations. As the financial losses mounted, the need for risk transfer became apparent. Instead of focusing solely on privacy risks, organizations now need to also address the financial impact of business disruption and plan for business continuity.
Donavan noted that one of the crucial issues faced by the insurance industry is that cyber underwriters typically have E&O backgrounds, and, while they are excellent at assessing litigation risk, most cyber underwriters do not have the technical expertise to assess the business interruption risk. In contrast, property underwriters have managed this risk for roughly one hundred years.
Donavan also stated that she believes that appetites for cyber business interruption coverage are outpacing the industry supply, leaving some insureds without adequate limits.
The recommended solution might strike some as controversial: if carriers could silo the business interruption risk onto property policies, then insurers could spread losses resulting from a cyber incident across the two policies and obtain greater capacity. Additionally, the E&O underwriting experts would better price and manage the business interruption risk.
We certainly look forward to observing how this area of coverage continues to adjust to changing risk trends.