March 2, 2020 by Greg Meckbach, Associate Editor
Nathan Rose, a senior underwriter with Burns & Wilcox, shares how emerging trends in cyber will lead to untapped business opportunities.
cu | What are the biggest challenges brokers face when selling cyber coverage?
Policy language is still the biggest hurdle faced by most of our insurance brokers, specifically around cyber. A lot of markets are playing catch-up with each other and trying to broaden their coverage to match other carriers’ extensions. It becomes a very confusing landscape.
Probably the biggest challenge in 2020 is going to be terrorism cover as it relates to cyber. Some policies are silent on terrorism. Some actually exclude it. Some say as long as it’s a cyber event, it’s included.
Another emerging issue is invoice manipulation cover, which is an evolution of funds transfer fraud. It essentially means that if a legitimate invoice is intercepted by fraudsters and the client pays money to the incorrect recipient, that would be covered.
Social engineering is another biggie. It’s included under most policies now.
It’s a big exposure. It’s the area with the most claims activity. We have seen widely varying appetites, where it was included in wordings with very big limits, and most markets decided to scale back their appetite.
cu | Why is policy wording important when it comes to social engineering?
Within that social engineering bracket, a significant challenge will be funds held in escrow, which is one of the latest iterations of social engineering exposure. With social engineering, a criminal misleads the client into believing that they are a legitimate payee when in fact that person is a criminal. But what if those funds didn’t belong to the client in the first place? If it’s actually money the client is holding on behalf of someone else, then those are funds held in escrow. So if the client is duped and pays those funds to the wrong person, the client is at risk of the rightful owner suing the client. This would not necessarily have been covered under earlier social engineering but we have always thought that it should be. So that’s now something to which we have turned our attention. We think it’s vital to have that in the policy wording if it’s an exposure for your client. A policy should provide both first and third-party cover for this exposure. This can be an exposure for title agents and real estate brokers. It should be reviewed and underwritten on a case-by-case basis.
cu | Aside from coverage, what are some add-on services that brokers should look for from cyber insurers?
A major component to look for is legal consultations. We see more carriers building pre-emptive legal consultations into their product. This is true risk management advice, not just at the point of a claim or after a claim, but in advance of that — a free hour to speak with legal counsel and talk about security measures they have and their information technology network structure. These guys will say, “These are some of the risk management considerations you need to be paying attention to.”
cu | The federal government made it mandatory to notify people affected by a privacy breach. Did you notice an increased demand for cyber coverage after that?
I did not. It’s fantastic for us that you have this regulatory framework there. It makes sure that notification happens in a timely manner. But in terms of demand for cyber insurance, I don’t think it caused the surge that some expected. Most policies include voluntary notification of breaches as standard. In December, we were still aware of policies in which this was not the case. Essentially, the change to the privacy law means that if a client’s system is breached, then the client must notify all of the affected individuals. But there are certain, very rare scenarios in which they would not be mandated to do so. This type of scenario wasn’t always covered by a lot of policies. We think it’s prudent that clients go out of their way to notify the affected individuals anyway, just to encourage good risk management. We owe a lot to the broker community for driving awareness of cyber exposures.
cu | When you talk about voluntary notification, what was excluded in the past?
It’s similar to product recall. The government might mandate that you have to recall a product, but there might be certain circumstances in which you know the product needs to come back even though the government had not mandated it at that time. The same goes for cyber. You might have had a breach and you are not actually required to notify the affected individuals, but we don’t want the absence of coverage to be a barrier to you doing so.
cu | When it comes to breach notification, what are some potential sources of confusion?
The thing that confuses a lot of people is the definition of personally identifiable information (PII). The number of personally identifiable records that a client holds is one of your main criteria for underwriting cyber exposure. Because when you are talking about the breach notification costs, the number of potentially affected individuals is your measure of exposure in that area. We find brokers are asking, “If you hold multiple records for the same person, are those included in the total number of records?” There is no consistency in the market for how that should be defined. I do know that causes a lot of headaches. The number of individuals for whom records are held is the easiest piece of data to quantify. We try to make the client’s life easy by saying, “You know roughly how many customers you’ve got, you know how many employees you’ve got, so that is your PII count.” Whereas some insurers insist that if you have five policies on one insured, you record that as five separate pieces of PII.
cu | What do underwriters look for to determine the level of a client’s cyber risk?
The real basics are firewalls, anti-virus programs and, obviously, malware detection. You are looking to ensure not only are they there, but are they regularly updated? It’s like having a fence on the perimeter of your property. It’s only good as long as it has not been tampered with and there are no holes in it. So you have to regularly check to make sure it’s actually up to speed and correct. We also look for multi-factor authentication. It’s not there in 100% of scenarios at the moment, but in our mind, it’s invaluable as far as cyber insurance goes. It’s not infallible. It still can be breached. Claims experience is obviously important. Insurers don’t necessarily avoid those clients who have had claims – especially speaking about cyber. Those who have had claims are going to be aware of where their exposures are. So that’s not a bad thing necessarily. It means we can actually identify what went wrong and query what mitigation steps they have put in place.