Stand-alone cyberinsurance is a critical component of enterprise risk management. But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem. This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.
One example is physical damage caused by cyber events. Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property. Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage. And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events. Rock, meet hard place.
Gap, meet AIG’s Cyber Edge products. In addition to covering the relatively standard range of cyber risks, these products are designed to fill this gap by including the ability to add coverage for cyber events that cause physical damage to people or property.
Another gap I’ve covered is that between typical fidelity or commercial crime coverage and cyberinsurance. When bad guys (or girls) impersonate others using social engineering or business email compromise (BEC) scams to cause wire transfers of funds under false pretenses, one might reasonably turn to either type of coverage. Your cyber policy may require actual unauthorized access to your network, and carriers have contended that these types of scams do not qualify as such. And your crime/fidelity coverage may not cover theft accomplished through cyber attacks.
Enter Willis Towers Watson’s proprietary CyFi coverage. Willis developed this policy for financial institutions to cover losses caused by social engineering scams. These scams have resulted in many multimillion-dollar frauds, with the FBI recently estimating that since 2015, this fraud has resulted in over $2 billion in losses.
Having been involved in the cyberinsurance procurement process for a number of insureds, I can safely say that gap identification is an important part of the process. Many buying cyberinsurance for the first time believe that there is only one gap – all things cyber – and that buying this coverage fills that gap. Not so. The market is relatively young, and gaps are constantly being identified and addressed. Push your broker to explore novel coverage solutions, and analyze cyberinsurance in conjunction with existing coverage to identify and potentially fill the gaps.