Cyber: The Tale of Two Outcomes
I saw a story by a consulting firm that predicted cyber insurance sales would fill the estimated $50 billion hole caused by decreasing auto premiums. If accurate, cyber is one huge sales opportunity for agents. $50 billion in premiums equals roughly $6 billion in commissions. Not a bad payday.
That is one possible outcome. Another possible outcome is pure disaster or at least a partial disaster. Cyber nightmares are in three categories: carriers, agents or both.
Did the carriers get the pricing right? Time will tell. Every broken clock is right twice per day so maybe they'll get lucky.
Pricing is inherently more difficult simply because the forms are unique and therefore, not all historic insurance case law is going to apply in the same way as with other forms. We'll find out what that case law is when it happens.
Cyber pricing is also different from other coverage pricing because cyber can be a chain. Most everyday losses are not part of a chain. A fire in Atlanta is not related to a fire in Salt Lake City. Even in a natural catastrophe, damage is geographically limited. This is not the case with cyber claims. One cyber-attack can affect millions over the entire circumference of the globe.
Maybe reinsurance has been or will be developed by named cyber-attack, kind of like catastrophe bonds. But even then, the scale of losses at some level or another could dwarf expectations.
In turn, this would lead to higher overall rates and limited coverage in the worst-case scenarios -- a true hard market.
I've read more than a few forms and I am not certain all carriers know what they have agreed to insure. What happens when they figure this out?
Several reports, and definitely agents' experience suggest pricing is not yet a scientific endeavor. I doubt cyber is overpriced though. If underpriced, a latent reserving issue may be developing.
Agents and Brokers:
E&O, E&O, and more E&O.
I find few agents have any real clue, literally any clue, what they are selling when they offer cyber to clients and prospects. If one does not know what they are selling, how can one know if what they are selling is anywhere close to sufficient?
Huge differences exist between cyber policies. Many carriers offer multiple policies and the differences between those policies are often large. In my experience, a lot of underwriters do not know their own company's cyber policy forms. This means agents can't rely on underwriters. They have to read and understand the policies they are selling.
This is great in theory, but experience teaches that most agents will not read, much less understand, the cyber policies they are selling. Not reading or understanding forms may work when a flood is a flood, but 2,000 plus cyber forms are reported to exist with minimal uniformity, even in the definitions.
The term "cyber" has become generic even if the coverages are anything but generic. Therefore, when a producer sells a cyber policy, what are they actually selling? From the client's perspective, they are buying whatever coverage they need when they incur a claim. Is the producer really selling such broad coverage? I doubt it, but when one uses terms with complex meanings generically, these kinds of huge miscommunications are inevitable.
When I explain that at least thirteen distinct cyber coverages exist, agents are usually shocked. One has to understand all thirteen parts to even have an idea which of the thirteen coverages the policy they are selling even covers. Many policies, maybe most, do not contain all thirteen.
E&O carriers are already seeing an uptick in E&O claims and I would bet that, most often, when the agent was presented with the initial claim call, they had no idea whether the coverage was or was not included.
Where cyber might bite carriers and agents is in the instance of the Mondelez International, Inc. v. Zurich American Insurance Co. claim. This is a $100 million claim. The complexity is such that a quick summary here is entirely insufficient. One key point is that the malware was almost certainly created by a foreign nation. Therefore, the claim is considered, "hostile or warlike action in time of peace or war" by a "government or sovereign power" even though the entity that used the malware was not likely a foreign nation. It is similar to the Russians manufacturing AK-47's and someone else firing them resulting in the firing of any Russian manufactured AK-47 an act of war. It is far more complex than this and it is not as one-sided as my example makes it seem. The virus is the NotPetya malware and total cyber losses, covered or not specific to this virus, is estimated at nearly $100 billion. Carriers almost certainly have not priced or reserved for $100 billion in cyber losses.
Another interesting point is this is not a cyber specific policy claim. The coverage that exists (or doesn't exist) is found under a broad property policy that allegedly protected against damage caused by malicious introduction of a machine code or instruction and protected against physical loss and damage to electronic data, etc. So while not on an express cyber form, the property form under which coverage might be found seems to read much like some cyber specific forms, but the distinction remains important.
If you are selling cyber and not following the progression of this suit, you should be. I am sure this case will set a major precedent regardless of how it is settled. Some feel the cyber market could completely dry up if Zurich (and others as more than one carrier is involved) loses. On the other hand, if Zurich wins, will anyone even want to buy cyber because the coverage may be so light? Woe to the agent that sells cyber where a client's coverage is excluded under Zurich's premise and yet the client thought they had that coverage.
Cyber is likely to be different in another way. Cyber may be a frequency and a severity issue because millions of attacks happen daily. The damages average more than the industry's overall $8,000 per claim average too. So much frequency with higher than normal average claims suggest pricing might not ever be adequate or will be, potentially, unaffordable.
Cyber is unlike any other coverage in many different ways. My suggestion to agents for getting your cake and getting to eat it too is this: Become a cyber expert. Then you can make more sales and reduce your E&O exposure simultaneously. Even better, by knowing what you are selling, your clients will get the coverage they absolutely truly need.
NOTE: The information provided herein is intended for educational and informational purposes only and it represents only the views of the authors. It is not a recommendation that a particular course of action be followed. Burand Insurance Education, Burand & Associates, LLC and Chris Burand assume, and will have, no responsibility for liability or damage which may result from the use of any of this information.