Will cyber insurance ever be fully standardized?

Will cyber insurance products ever become completely standardized?

While aspects of cyber insurance, such as language around data breach, have become more standardized, there is still an overall lack of standardization across the line. Canadian Underwriter has also heard suggestions that brokers want standardization, but insurers don’t. So how do brokers approach a sale with this in mind?

“I don’t necessarily think insurers don’t want to standardize language, I think it’s quite difficult to do in a rapidly emerging class such as cyber,” James Burns, cyber product leader with CFC Underwriting, said in a recent interview with Canadian Underwriter. “This is a relatively nascent product line, it’s a much younger product than many of the established classes.

“We’re seeing the nature of the threats change, meaning we feel the need to update our language to make sure we’re taking into account new threats that exist,” Burns said. “Based on the claims experience we see, we’ll adapt our language in the policies to make sure it’s more fit for purpose. I guess the problem is that each insurer does this in isolation, so it means there is less standardization between different insurers.”

Burns said he does sympathize with brokers, as there are many cyber insurance providers “with different products that look different and feel different, and it’s difficult for brokers to necessarily keep track of what’s good for their client.”

Burns’ advice for brokers is to look for and partner with a smaller number of insurers where they’ve “got absolute confidence in [the insurer’s] experience in the class, and their ability to handle claims and incidents.

“For me, that’s got to be absolute priority, and then look at making sure that they’ve got a best-in-class where possible policy form alongside that as well,” he said. “If brokers are doing that, if they’re partnering with cyber markets based on their experience and ability to handle cyber claims, there’s only so far wrong that they can go.”

When a new cyber insurer comes to market, they’ll tend to want to include at least all the covers that the existing markets have, so there tends to be a lot of replication between cyber insurers, Burns added.

Will policy language ever become fully standardized? Burns said he think it’s inevitable there will be some degree of standardization. Even within cyber insurance now, there are certain areas that have become more standardized than others. “If you look at the language around data breach, that’s probably what’s been in most cyber policies for the longest time, and much of the way that cyber insurers confirm cover around the cost of notification.”

Liability covers that exist in cyber insurance also tend to be more standard, just because they’ve been around for much longer, Burns said. But then in more emerging areas such as social engineering, theft of funds, and business interruption to an extent, the language is less standardized because they’re much newer with cyber policy forms.

“I think naturally over time as exposure area within cyber start to mature, it’s probably to be expected they will become more standardized between cyber forms,” Burns said.

“Now will they ever be as standardized and as homogenous such as more traditional classes such as property or even liability classes such as professional liability?” he asked. “Difficult to tell and potentially not just because you’re dealing with a class of business where the threat landscape will continue to change. So, I think it’s a bit of both, there’ll be a degree of standardization, but not 100% just because we know the threat landscape with cyber changes much more frequently than it does with any other class.”