Will reputational harm coverage grow into its own coverage or will it remain sublimited, as is often the case?
There is currently a lot of variance within the market in how this coverage is offered, if at all. Some insurers require a double trigger, such as a cyber event and a media event following a cyber breach. Others define reputational harm or reputation-based income loss coverage as a drop in stock price, loss of customers or loss of profit, and compare it to parametric triggers. Oftentimes, the coverage is sublimited, and indemnity periods typically range from 30 days to 12 months.
“It’s not widely available in the market, but you are seeing a lot more reputational harm requests in the market,” said John Coletti, chief cyber underwriting officer with AXA XL. “We do hear [clients] asking for it. It comes down to are they going to be able to quantify the actual amount of the loss and then how is it going to be adjusted on the insurer side? I don’t think the cyber market has fully embraced that coverage; you’re seeing it available in sublimits for the most part.”
Coletti discussed reputational harm at NetDiligence’s Cyber Risk Summit Thursday in Toronto during a panel discussion on business interruption (BI) and contingent business interruption.
For CFC Underwriting, reputational harm coverage is one of the fastest growing in terms of incurred losses, said Lindsey Nelson, the insurer’s international cyber team leader. “For a lot of our clients, particularly law firms, that’s the number one reason they are actually purchasing the policy.”
The problem is that damages are often very difficult to calculate. “It’s certainly the one that gets the most questions in terms of is it actually possible to adjust a reputational harm loss yet alone a business income loss as a result of a cyber event?” Nelson said.
Another speaker, Brian Rosenbaum, Canadian national cyber practice leader at Aon Risk Solutions, asked how can an adjuster isolate the factors related to the incident that led to the lack of reputation as opposed to other economic factors in the operation of the organization.
“To me, that’s going to be a very interesting point. If we can do that effectively with our insurer partners and that makes sense to our clients, then I think you’ll see that coverage grow and it’ll be real coverage,” Rosenbaum said. “If we can’t come to some kind of understanding of what that coverage means, whether there’s real coverage and it’s worth paying for if there’s an additional premium, then I don’t know if it’s got legs.”
Several methods can be used to calculate reputational harm damages, Nelson reported. For example, an insurer could look at customer re-order rates and look at where the cyber event occurred during the calendar year against what the projections were.
“It is interesting some of the ones that we have seen that are by and large under $100 million revenue companies that are suffering these losses,” Nelson said. For CFC, “it doesn’t actually require that media-triggered event, it just requires the cancellation of contracts because you’ve notified them of something occurring.”