Cyber Insurance: Anxious Demand Spurs Growing Market

By Michela Menting | 1Q 2018 | IN-5042

Apple and Cisco Strike Deal with Insurers

NEWS


A February 2018 announcement by tech OEMs Apple and Cisco revealed a new partnership with insurers Allianz and Aon. Allianz has certified products from both vendors (Cisco Ransomware Defense; and Apple iPhone, iPad, and Mac devices) with respect to their security and will offer organizations using them more favorable cyber coverage, including better terms and conditions, reduced deductibles, cyber resilience evaluation (by Aon), and incident response services.

A Propitious Offering with Variable Coverage

IMPACT


The partnered offering is a good indication of the growing market demand for cyber coverage. The persistence of cyber threats and the increasing cost of breaches in terms of damage and remediation (the Petya ransomware cost Maersk US$300 million in lost revenue) are reinvigorating a two-decades-old market. Better understanding of risk management has pushed executive boards to increasingly subscribe to cyber insurance. Insurers that can provide more comprehensive coverage will stand out in an intensifying competitive landscape. The addition of an evaluation process, the use of products certified secure, and the availability of an incident response service add significant value to a market that has, to date, been marred by obstacles and held back from reaching maturity.

For Apple and Cisco, the partnership allows them to showcase their security prowess. For Apple especially, it vindicates the company’s siloed approach in design and development and the walled garden of its application ecosystem. Further, this timely buy-in from the insurance heavyweights is an opportunity for the OEMs to capitalize on the last-minute rush of organizations needing to comply with recent and upcoming cybersecurity regulation (notably the E.U. GDPR, the E.U. NIS Directive, and the U.S. NYDFS Cybersecurity Regulation). While this tech/insurer combo may interest many small- and medium-sized organizations keen to avoid the financial fallout of non-compliance, most cyber-savvy pundits will see the limitations of the offering.

Currently, the largest barrier to growth is the lack of actuarial data about cyberattacks and breaches. Actuarial data provides the statistics that enable insurers to estimate the probability and the potential cost of an event. With regard to the regulations, uncertainty around the specific cybersecurity technology requirements and the potential value of fines that will be levied for non-compliance are the main barriers to an accurate assessment of cost. Most experts believe that the European Union will make an example of offenders, while others believe it will be lenient in the first year. Pricing of cyber coverage will be volatile until the first non-compliance cases have been dealt with and the insurers have a better understanding of what kind of capital reserves they will need to cover eventual claims. However, to what extent the Apple, Cisco, and Allianz partnership even covers GDPR or other regulatory non-compliance is still unknown, and such uncertainty makes for a volatile market.

Navigating Turbulent Insurance Waters

RECOMMENDATIONS


For organizations looking to transfer cyber risk to an insurer, many factors need to be taken into consideration. Cyber insurance that can offer evaluation, secure product recommendation, and incident response is a commendable option. However, there needs to be clarity on the specific coverage available. Currently, cyber insurance policies exclude quite a number of risks, including claims brought by government or regulators; vicarious liability; unencrypted data; failure to install software updates or security patches; first-party notification expenses for disclosure of PPI or health information; data as an asset (e.g., IP, trade secrets); operational mistakes (true negligence); reputational damage; industrial espionage; and catastrophic events such as critical infrastructure failure, state-sponsored cyberattacks, and cyber terrorist acts, for which most insurance providers believe the government should be responsible.

Further, recommendations and lower deductibles for using specific hardware are just the tip of a comprehensive cybersecurity strategy. Organizations need to be aware that having secure endpoints or defensive systems is only a small part of implementing cybersecurity. A comprehensive implementation is multi-layered, covering hardware, software, and networks; ranging from design to end-of-life; considering pre-emptive as well as defensive mechanisms; and involving training, awareness raising, and continuous management.

The cyber insurance market will undoubtedly continue to evolve to cover more comprehensive security technologies, and will increasingly take into account not only the costs of data leakage but also those of system and network breaches. The difficulty will be in determining the risks of assets more intangible than data and in embracing concepts such as resiliency and availability. Beyond that, in the longer term, insurers will have more than IT systems to consider, including newly connected endpoints emerging from the unrelenting growth of the Internet of Things.

For insurers, the expansion of the IoT brings a host of new problems that they need to consider today. Older insurance policies may well provide coverage for physical and structural damage. With the digitization of operational technologies, cyber threats can realistically disrupt and damage such systems. Insurance providers that have not explicitly excluded cyber from such coverage may find themselves having to cover a type of damage that was not originally underwritten. Providers will need to reassess older insurance policies and look to redefine them in light of cyber damage.

In short, insurers have a lot to consider, and little past experience on which to base policies that can encompass the potentially broad effects of a cyber event. Providers and organizations should tread carefully going forward, going through every term and condition with a fine-toothed comb to avoid surprise liabilities.
