January 25, 2018 by Jason Contant
The lack of understanding around what is covered and how products are priced continues to sow confusion in the cyber insurance market.
Robin Shufelt, assistant vice president of technology and cyber with The Sovereign General Insurance Company (a member of The Co-operators), said that the general lack of understanding is due to a number of factors. These include the novelty of the coverage, the lack of standardization around cyber language, and different pricing options.
“Cyber insurance is still a relatively new coverage for many, as is thinking about the exposures related to the interconnectedness of technology,” she said.
For clients, cyber products lack standardization across carriers, making it “very difficult” for a client to compare coverages, Shufelt said. “Each carrier has its own terminology and definitions, and its own way of addressing coverage,” she noted. “There are many endorsement-type products on the market that offer some coverage, but the lack of clarity around what they cover could lead clients to feel that they have more protection than they actually do.”
Take, for example, data breach or privacy breach products on the market. Some offer no insurance protection at all, but do offer third party services to help an insured in the event of a breach; others offer third party services with some expense coverage to help in the event of a data breach. Still others offer third party services with complete coverage, expenses and third party liability. “The challenge for the client is understanding which coverages various products provide,” Shufelt said.
Kevvie Fowler, partner, cyber risk with Deloitte Canada, agreed that the lack of clarity around coverage can be an issue. For example, a policy may state that the client can use any cyber response firm or cyber expert to help respond to an incident. But hypothetically, if the client tries to submit a claim, the insurer could say to the client, “Since you did not use one of our panel members, coverage is only $500,000 as opposed to $5 million.”
So “you have to be very careful on all the clauses,” Fowler said. If a client sees something is allowed, but there is an asterisk or footnote, the client should take a closer look. “Just because something is allowed, doesn’t mean you have full coverage,” he said. “If it’s allowed, how much of it is allowed within specific scenarios?”
From a pricing standpoint, endorsement options that focus on one risk in particular can be more attractive to a client, Shufelt said. There is also a need to address the varying needs of small businesses and personal and large commercial businesses, which has led to different product offerings as well.
“Cyber should eventually be considered as a peril on every policy, so you may see the industry adapt and eventually have it included more broadly in more traditional lines of insurance, rather than as a separate policy,” she said.