December 13, 2016 by Canadian Underwriter
Chubb announced on Tuesday that it has introduced Cyber COPE, a new model for underwriting cyber insurance that is intended to simplify and improve the assessment of both cyber and privacy risks.
Authored by Ross Cohen, director of cyber/privacy services at Chubb, the advisory outlines how the COPE methodology – used by property underwriters for nearly 300 years – can be modified to measure cyber risk. Cyber COPE, an acronym for components, organization, protection, and exposures, relies on the use of simple questions to provide “objective and subjective” measurements to help customers and brokers better assess risk, including business interruption-related losses, Chubb explained in a press release. It also fosters information-sharing so the industry is better equipped to identify future cyber and privacy weaknesses in advance, Chubb said.
The advisory noted that when companies seek property insurance, they answer straightforward, objective questions to obtain the desired coverage, such as “How tall is your office building?”, “How close is the nearest fire hydrant?” and “Does the building have an alarm system?” However, companies seeking cyber insurance coverage have to answer complex and subjective questions, often making it harder for them to secure the coverage they need. “Do you know if your company encrypts all its sensitive information, has firewalls at all Internet access points, or patches computer systems for all known vulnerabilities?” the Cyber COPE: Transforming Cyber Underwriting advisory asked. “Do you even know who to ask?”
The advisory explained that in property underwriting, COPE stands for construction, occupancy, protection and exposures. Each letter represents a group of data points that contributes to evaluating the overall risk of a particular structure. For example, construction refers to data such as the materials, square footage and the age of a structure, while occupancy refers to what the company does and how the company manages the hazards associated with what it does. Protection measures the factors that can help mitigate various types of structural exposures, and exposures describes the potential exposures related to a particular property.
But for the cyber COPE model, Chubb changes construction to components, which represents the objective data elements that provide information on the overall cyber “structure” of a company, such as the number of computers, user accounts and Internet connections. Next, occupancy is converted to organization, capturing the objective data elements related to the people, process, information and overall enterprise risk strategy of an organization. The advisory noted that this might include the company’s industry, number of employees and contractors, and budget allocations for cybersecurity.
The last two elements of the COPE model – protection and exposures – remain the same. However, instead of property, the aim is to capture the subjective data elements that describe a company’s cyber defences (protection) and potential cyber weaknesses (exposures). Examples of protection elements could include encryption, firewalls and intrusion detection, while exposures can include threat actors, system errors and software vulnerabilities.
Specific questions – such as “How many endpoints (e.g., desktops, laptops or mobile devices) are used by your company?” in the components category and “Do you have specific security language built into third-party agreements?” in the organization category – are included in the advisory.
Cyber COPE was first leveraged as the basis for the insurance application for Chubb’s Global Cyber Facility, which helps companies assess their cyber and data privacy risk, incorporates loss control services to mitigate losses, provides access to post-incident services and offers up to US$100 million in primary capacity in a single policy purchase. To implement Cyber COPE, the advisory said, Chubb worked with “strategic allies” within the cybersecurity industry to develop a set of questions that provides the necessary data elements to help underwriters comprehensively assess cyber risk.
“Cyber COPE has been designed to be simple to use and to provide the right balance of objectivity and subjectivity for the underwriter,” said Cohen in the release. “More so, it provides a path forward for the cyber insurance industry to begin to break down the historic barriers common with information-sharing. By sharing information and developing a common foundation in which to underwrite constantly evolving cyber risks, the industry will be better equipped to provide the proper coverage and solutions to protect organizations from cyber-related exposures.”