Posted: 10 Mar 2017
Date Written: March 7, 2017
Cyber insurance is a broad term for insurance policies that address first- and third-party losses resulting from a computer-based attack on, or malfunction of, a firm’s information technology systems. For example, one carrier’s policy defines computer attacks as, “A hacking event or other instance of an unauthorized person gaining access to the computer system, [an] attack against the system by a virus or other malware, or [a] denial of service attack against the insured’s system.”
Despite the strong growth of the cyber insurance market over the past decade, insurance carriers still face a number of key challenges: how to develop competitive policies that cover common losses while still excluding high-risk events; how to assess the variation in risk across potential insureds; and how to translate that variation into an appropriate pricing schedule.
In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: the coverage and exclusions of first- and third-party losses, which define what is and is not covered; the security application questionnaires, which are used to help assess an applicant’s security posture; and the rate schedules, which define the algorithms used to compute premiums.
Overall, our research shows much greater consistency among the loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics had been identified, and it took only 13 policies to capture all exclusion topics. However, while each policy may include the commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insight into the security technologies and management practices that are (and are not) examined by carriers. Our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers is one such gap; that posture is notoriously difficult to assess properly (despite numerous breaches originating from such compromises).
In regard to the rate schedules, we found surprising variation in the sophistication of the equations and metrics used to price premiums. Many of the policies examined used very simple, flat-rate pricing (based simply on expected loss), while others incorporated additional parameters such as the firm’s asset value (or firm revenue), standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also incorporated information on specific information security controls and practices, as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.
Keywords: Cyber Insurance, Cyber Liability, Pricing Cyber Risk
Suggested Citation:
Romanosky, Sasha and Ablon, Lilian and Kuehn, Andreas and Jones, Therese, Content Analysis of Cyber Insurance Policies: How Do Carriers Write Policies and Price Cyber Risk? (March 7, 2017). Available at SSRN: https://ssrn.com/abstract=2929137