Insurers are broadening coverage into areas directly impacting treasury, but companies need to be aware of what’s covered and what’s not.
[Editor’s note: this is the second article in a series on cyber risk. See the first article here.]
Can companies get cyber-insurance coverage for breaches besides those of employee and customer data, such as a corporate treasury department’s fund transfers fraudulently diverted to a cyber-thief’s account? And what about a denial-of-service attack that freezes up a bank’s payment system, so its corporate treasury clients can’t make or receive payments for a day or more? Or if an important software-as-a-service (SaaS) provider of treasury risk management is breached and its services are unavailable for days? Property stolen by cyber thieves can literally be worth billions of dollars, but will insurance cover such losses?
Those were some of the questions treasurers posed at a recent NeuGroup Treasurers’ Group of Thirty meeting; however, definitive answers were hard to come by, given that cyber adversaries always seem to be one step ahead. A key takeaway was that a company’s own intellectual property (IP) stolen via a cyber-breach remains uninsurable due to complications in valuing the risk exposure.
“Is it valued at the cost to create, or the potential monetization of that IP, or something else?” said Matt Donovan, global practice leader, technology and privacy, at specialist insurer Hiscox. On the other hand, he said, companies can find coverage for legal expenses resulting from a third-party suing them for losing its IP through a cyber-breach of their networks.
“If you’ve lost your own IP, then there’s nobody to sue except yourself, and if it’s leaked in a country like China, good luck getting any IP laws enforced,” Mr. Donovan said.
Most cyber policies until recently have covered personally identifiable information (PII) and personal health information (PHI), covering expenses and losses stemming from breaches resulting in stolen employee or customer data, a market that has grown to about $2 billion in premiums, up from $1.5 billion two years ago. Think of breaches at Target, Premera Blue Cross, and other companies dealing with retail customers.
Other cyber exposures, such as funds stolen from corporate accounts or fund transfers, may be covered by existing crime policies, and property policies can cover losses stemming from business interruptions. However, those contracts must be read very, very carefully.
“Unless customized, most base crime policies only cover employee theft—employees accessing their own company—but what happens if a third party breaks in [through a cyberattack]?” said Kevin Kalinich, global practice leader, network risk and cyber insurance, at Aon Risk Solutions.
Mr. Donovan noted that an emerging scenario is a hacker breaching a company’s network, intercepting a routine invoice, and then changing the routing number so the company voluntarily releases the funds, but unknowingly to a nefarious party. He compared that to a gas station owner handing over cash to someone who falsely claims to represent the regular armored car company.
“It’s not necessarily a covered claim [under crime policies], depending on the wording. You’ve been deceived, but you voluntarily released those funds,” Mr. Donovan said, adding, “So we’re rolling out a ‘cyber deception’ policy to bridge the gap between crime policies and what’s covered under traditional cyber policies, providing a sort of sublimit of insurance so that if you’re deceived into voluntarily releasing these funds you can receive some coverage.”
The Chubb Group of Insurance Companies has been one of the few carriers, if not the only one, to cover losses from cyber breaches impacting electronic payments. Jeff Diorio, managing director at Treasury Strategies, said he spoke to the head of cyber risk at a major package delivery company, which a year ago had been the second of Chubb’s corporate clients to get that coverage.
“The company went to Chubb and said, ‘we already have general liability insurance with you, and we need a rider to cover this scenario [of payment-stream breaches],’” Mr. Diorio said. Chubb declined to comment.
Tracie Grella, global head of professional liability at AIG and its cyber insurance efforts, said crime policies have often provided some coverage for losses stemming from fund transfers, but traditional cyber policies have typically excluded the value of the fund-transfer loss. AIG’s off-the-shelf cyber policy doesn’t cover that exposure yet, but Ms. Grella said that as the biggest cyber-policy provider, it is looking to address the gap between cyber and crime policies. Nor does the policy cover losses stemming from trade secrets stolen by hackers—a common exclusion across the industry.
However, AIG’s Cyberedge PC policy does cover a wider and growing range of exposures that traditional cyber policies do not. Its approach is similar to the one Hiscox is pursuing, filling in gaps that may not be addressed by the crime, property and general-ledger policies companies already hold.
“It’s not something that’s broadly given,” Ms. Grella said. “One reason for that is we find many organizations are not doing proper due diligence of the third parties they’re working with, and they don’t understand who is responsible for the security, they’re not monitoring those companies, and sometimes they don’t even know who their third-party providers are.”
Ms. Grella added that companies must essentially underwrite their vendors and map out whether they are compliant with industry risk standards. She said companies should ensure their vendors indemnify them and preferably have cyber insurance, and they should monitor their vendors regularly.
“Most companies are very far from having a comprehensive program in space, but those are the things we would look for,” Ms. Grella said.
AIG launched its Cyberedge policy more than a year ago, and it covers risk to physical assets posed by cyberattacks that can lead to equipment failure, physical damage to property, and physical harm to people. The product addresses coverage gaps in property, casualty, energy, aerospace, marine, environmental, healthcare, and financial lines policies, where cyber-related exposures may be excluded or coverage too limited, the company says.
Ben Beeson, Senior Vice President of Cyber Security and Privacy at global insurance broker Lockton Companies, said the Brit syndicate within Lloyd’s of London has developed a standalone cyber policy addressing property damage and business interruption. He favored AIG’s approach, referred to in industry lingo as the difference-in-conditions, difference-in-limit (DICDIL) approach. It provides a “wrap around specialist policy” that fills in gaps that other insurance policies don’t cover.
“It’s very cutting edge, and AIG has done that with little actuarial data to go on,” Mr. Beeson said. “AIG is the biggest underwriter of cyber insurance. It is the bellwether and should be seen to be taking the lead.”