As reports about cyber risk in the press and board agendasabound, companies are looking to manage that risk. Even with mitigation, riskalways remains.

A cyber insurance program covering those losses isincreasingly seen as part of the solution.

Insurance solutions have been brought to market by innovativeinsurers. Still, risk managers are frustrated at the lack ofavailable coverage at reasonable terms, while insurers marketingthe coverage are frustrated that the market has not taken off.Brokers are stuck in between.

In time, cyber risk will support a vibrant new insurancemarket. For insurers, barriers to offering more economical coverageinclude the lack of claim history to use in pricing, and a hard toquantify clash potential. How cyber is covered depends on the needsof the insured.

Small business

Here coverage is often included as part of the package. Standardlimits are often low, but increases can be purchased. It'simportant to understand what the actual risks are based on theinsureds technology platform, how exposed the systems are, andsystem access points. For most small business riders, the optionsaren't as extensive as for large business, but the needs areusually less unique. If needs are unique, flexible productsdescribed below can be used.

Large risks

A good analogy of how cyber insurance works is boilerinsurance. In both lines, a significant part of the premium isdevoted to engineering the risk. For boiler, physical inspectionsare part of underwriting. For cyber, detailed questionnaires areoften used to understand insureds' risk management policies.

Coverage is available from many insurers for various aspects ofcyber risk covering both first party and third party losses. Formid-sized to larger businesses, these are structured in modularcoverage parts, so a buyer can elect just the coverages they feelthey need, and not pay for coverages they don't need. Typicallythird party coverages include:

Regulatory Investigation Expense: Oftenregulatory fines can't be covered, but insurance for the expense todefend against regulatory actions is available.

Breach or Loss of Data: If data is lost, suitsfor damages can result, which could be class actions. Note there isalso first party cover for remediation and notificationexpenses.

Media Liability: As on-line informationincreasingly replaces traditional sources such as newspapers,television, and radio, losses due to infringement are possible.

First party coverages include:

Crisis Management Expenses: Often the insurerprovides the vendor to manage a loss event, and other expenseassociated with an event such as data loss. This high qualitymanagement of the loss event protects both the insured and theinsurer from further losses.

Breach of the Network: This includes bothremediation expenses and notification to third parties whose datamay be compromised.

Extortion: If a cyber-criminal accesses andencrypts data to charge a ransom for the release, this covers theransom, and other restoration expenses.

Business Income and Extra Expense: Similar toproperty policies, this can be covered subject to agreed waitingperiods.

Other first party coverages that can be available include datarestoration expenses, computer fraud, or fund transfer fraud.

Of course, all of the coverages may be subject to an aggregatelimit of liability, in addition to the specific limits of liabilityfor each coverage part. Be sure to check if the defense costs onthird party coverage is limited or in addition to the limit.

Non-cyber coverage

Coverage for cyber events from insurance that isn'tcyber-specific is rare, but there is some. Inland marineforms on an all risk basis could cover property losses from cyberevents. However, the standard property forms specify causesof loss. Only if a cyber-event triggers a property peril that iscovered, such as an explosion, or fire, the property form mayprovide coverage. The standard General Liability form is usuallyissued with endorsements that exclude cyber coverage. Directors andOfficers insurance (D&O) may cover suits against D&O'sresulting from a cyber loss. Overall, insurance that isn't specificto cyber can't be counted on to cover cyber exposure.

Conclusion

A market for cyber risk is developing. The pace of developmentis frustrating for both buyers and sellers. Insureds need to stayinformed on the risks and coverages, and insurers need to staycreative with the coverage and pricing. As cyber coverage iscomplex and insurers approaches vary, insureds should seek theadvice of a qualified broker.

Chris Nyce, FCAS, MAAA, is a principal in KPMG's ActuarialServices practice. He specializes in helping insurance companiesquantify and manage the many risks they face. He can be reachedat [email protected].