Aspen Opinion | 1

ASPEN OPINION

CYBER INSURANCE AN EMERGING MARKET

TOM ALLEN - HEAD OF TECHNOLOGY AND DATA PROTECTION INDEMNITY

Tom Allen believes that data protection insurance - more often referred to
generically as cyber insurance - is responding to some of the most pressing and
complex threats faced by organizations. While the landscape continues to evolve
in this emerging market there are opportunities for those that adhere to the
fundamental tenets of disciplined underwriting.
View this article online at www.aspen.co

No Longer Niche
There has been significant growth in market demand for data
protection coverage, driven in no small part by the recent
surge in sobering news about the aggressively evolving risks
that companies face. For a number of years this was a rather
specialist, niche marketplace that didnt find much traction
beyond a sub-section of interested firms. The risks involved
have been seen for years as being cutting edge, if not rather
theoretical.
This view has changed over the last 18 months. There has
been a steady drumbeat of high-profile losses arising from
data breaches which have received plenty of publicity. In
2014 data breaches in the U.S. totalled 783, an increase of
28% over the previous year.1 The trend looks to be escalating
as in the early part of 2015 there had already been 174
breaches with 99.7 million records exposed.2
2011-2014 Industry Sector
783

800
700

614

600
500
400

421

471

300
200
100
0

2011

2012

Business
Health/Medical

2013

2014

Educational
Financial/Credit

Source: ITRC, IDT911 Breach Statistics 2005-2014

Government/Military

2014 Incident Type

Insider Theft
13%

11%

Hacking

11%

Data on the Move

29%

16%

Accidental Exposure
Subcontractor

12%

8%

Employee Negligence
Physical Theft

Source: ITRC, IDT911 Breach Statistics 2005-2014

Recent events have revealed the fluid nature of the liability,

the adequacy of current cyber security policies on offer and
also company managements attitude to risk acceptance and
mitigation for breach scenarios. Attacks on retailers Target in
2013 and Home Depot in 2014 demonstrated the magnitude
of the threat and the attacks on JPMorgan Chase in 2014 and
Anthem in 2015 confirmed the point. The breach at Sony, late
in 2014, highlighted the fact that the release of confidential
company information can disrupt not only customer relations
but also employee relations. It was not only the reputations
of top executives and their clients that were jeopardized by
the disclosure of emails. Moreover the unfolding saga was
amplified by the media and the data was readily accessed
and replicated from the otherwise rather arcane world of
download sites.
Governments concerned about threats to national security as
well as their economies have engaged in high-profile efforts
to jawbone businesses into taking IT security seriously.
Regulators worried about the rights of individual consumers
and investors have moved decisively to press the issues

Identity Theft Resource Centre(ITRC), IDT91, 2015 Data Breach, 11 March 2015

ITRC, Data Breach reports, 20 March 2015

Aspen Opinion | 2

home. President Obamas 2015 State of the Union address

included an update to the 2011 Cyberspace Legislative
proposal. This included new initiatives on the all-important
breach reporting rules with simplification and standardization
of the existing 47 state laws into one federal statute.
Elsewhere, the U.S. Securities and Exchange Commissions
Office of Compliance Inspections and Examinations previously
announced that its 2014 Examination Priorities will include a
focus on technology, including cyber security preparedness.
Executives are now much more aware of the financial costs
- and the difficulties of estimating them - and also the costs
in terms of their career if an incident should show them to
be ill prepared. The CEO of Target held himself personally
accountable for the breach and resigned in May 2014. The IT
and consulting industries have picked up the theme with their
corporate customers. Demand for related insurance products
has ramped up in the North American market and is gathering
momentum in the EU and elsewhere.
Increasing Complexity
Underwriters and brokers have been working to publicize
these products for years and are of course delighted that the
topic has moved to a more central stage. Yet current events
and the general state of public awareness about the issues
highlight just how complex a challenge the rise of cyber
threats poses to the insurance industry.
First and foremost, the increasing complexity and scope of
attacks resulting in data breaches must challenge the markets
assumptions about the frequency and severity of losses.
Underwriters have always seen the continually evolving
threats to IT security as an arms race between hackers and
the IT security industry; yet many have been surprised at the
ambition and scale of some recent attacks. In this context,
pricing models have limited predictive value and need to be
constantly re-assessed.
At Aspen, we have always held the view that cyber insurance
is an unfortunate term, as it seems to mean everything
and nothing at the same time. Indeed, not all cyber threats
are viewed by the insurance market as being meaningfully
insurable the chief example being the theft of a companys
own intellectual property. Much of the feared impact of cyber
warfare sits outside the scope of most commercial insurance
offerings. Nonetheless, the desire by many brokers for an allrisks policy approach has resulted in a lot of disparate issues
being bundled together as underwriters strive to add new
features to their products.
The market trend, until recently, has been for underwriters
to seek differentiation as opposed to uniformity. The result is
that product approaches, wordings, coverage triggers and so
on vary widely across the marketplace as competitors strive to
add features. Ironically, in our view, one of the longstanding
challenges to the broad acceptance of these products has
been their complexity - buyers sometimes struggle to fully
understand exactly what they are buying.
Another self-imposed challenge arising from the lack of
product uniformity is that it aggravates the difficulty insurers
and reinsurers face in assessing their aggregate exposures.
This is hard enough given that loss scenarios are based on
known/perceived vulnerabilities, which themselves evolve.

Insurance and loss prevention go hand in hand but some

of the risks that governments are seeking to transfer into
the insurance sector might easily challenge the industrys
capital. At some stage in the future, a different approach
may be required for certain risks. As in the case of terrorism,
governments could, via a reinsurance grouping, help fund
high-level risks of the insurance industry. Facilitation of a
market through such an arrangement could increase supply
by spreading large losses and help provide data to support
more accurate pricing of the risk. It would also help increase
demand through encouraging a greater understanding of cyber
risks and the financial value of defending against them.
Specialist Approach
Aspen continues to view this evolving area as presenting
opportunity along with threat. Our focus remains on risks tied
to data protection obligations as well as liability for providers
of IT products and services. Different industries face different
threats and regulation still has a substantial role to play in
shaping risk profiles. In our view, the industry probably needs
to stop trying to bundle so many disparate issues into a single
product. The industry and its customers will all benefit from
the evolution of specialist products. The risks cannot be
effectively underwritten unless the data has been defined,
protection policies understood, the consequences of breaches
identified and employees trained in prevention procedures.
While developments in the big picture are continually
changing, it is even more important to employ a disciplined
underwriting approach with clarity of wordings, transparency
of underwriting method, an alert and responsive claims
service, and a keen ear for customers needs.