Cyber crime still evolving, many breaches uninsured: Crawford & Company

Crawford & Company has released a white paper meant to help insurance companies and adjusters better understand the current cyber risk environment and how insurers are addressing a risk that continues to be a global threat to millions of commercial enterprises and consumers.

Cyber crime is a still-evolving area that insurance companies and adjusters are studying and analyzing carefully to try to stay current or possibly even ahead of its development, notes a statement issued this week by Crawford & Company, announcing the release of The Future of Cyber Insurance.

“The cost to organizations worldwide of data breaches is growing and most of the consequential losses currently remain uninsured,” Benedict Burke, report author and senior vice president of Crawford & Company, says in the statement.

Beyond the immediate financial impact of recovering lost or damaged data “the cost of notifying customers and other stakeholders, the fines and penalties potentially levied by regulators and the lasting reputational harm a breach can cause mean that the $ value of a cyber attack is escalating,” the paper notes.

“One of the key challenges in aiding the development of a viable cyber insurance market is finding the right approach to handling the multiple interlinked elements of complex cyber claims,” Burke suggests.

Citing Data Breach Today, the white paper reports that 2013 was the worst year to date for data breach, with 740 million data files viewed or stolen around the world.

At present, many cyber losses involving digital attacks and data breach are uninsured. “Insurers currently lack the data and claims history to build an accurate picture of the exposure, and in lieu of this, are reluctant to offer broad coverage wording and capacity to fully indemnify against first and third party cyber risks,” the paper states.

In the United States, “where the market is most developed, annual gross written premiums are around $1.3 billion,” it notes, citing last year’s Betterley Report.

“Very few carriers are able to offer indemnity in excess of $50 million, with the majority writing a maximum limit of $10 million or under. In Europe, the market is catching up, but the capacity on offer remains limited,” the paper adds.

“With such an unsubstantial commercial insurance market for cyber, some insurance buyers are opting to put these liabilities through their captive insurer – if they have one – or simply retaining the risk on their own balance sheet. We anticipate this will change as the market develops, urged on by brokers requesting broader coverage terms and greater capacity and, in part, driven by changing legislation,” the paper adds.

“As the standalone market for cyber insurance grows and as existing covers expand to encompass cyber exposures, we will see more and more claims come into the market. Involving claims experts with the capability to handle the inherent complexity of such losses will be a crucial step in convincing risk managers the industry is ready to offer a real solution.”

A feature that all cyber claims have in common is their high degree of complexity, notes the paper, adding the overall impact of a network failure or data hack can be minimized with timely response.

“A dialogue between risk managers, information officers, their brokers, insurers and claims professionals is essential in building a distinct methodology for coping with cyber claims,” the paper states. “This is best done in advance of the breach; being part of an agreed approach to the loss/claims quantification methodology.”

It is suggested an effective response will encompass business continuity, third-party notification, crisis management and forensic IT investigations.

The white paper summarizes cyber risk categories, cites recent well-known corporate victims of cyber crimes, and describes current and potential future responses by insurers and government to help manage cyber risk. Among other things, seven aggregations of cyber risk are presented and the differences in cyber risk coverage activity for Europe and the United States explored.