There is a thread going on through various LinkedIn Groups at the moment concerning whether ‘Cyber Insurance’ needs a new name. Â My take is that there is nothing wrong with using the term ‘cyber’ as a general catch-all term, as long as that is all it is used for. Â If however, we are going to talk about specificÂ exposuresÂ and their corresponding insurances, we should use accurately descriptive and specific terms.
But that is not my point this morning. Â My point concerns problematic thinking within our industry that I fear could slow down development of the kinds of products I think our customers really need. Â It is another reason, if you will, why the current ‘cyber insurance’ model doesn’t work.
I have been amazed that so many of the postings in the various LinkedIn threads seem to suggest something I have noticed before, that ‘cyber insurance’ – whether it is described as Network Security, Cyber Liability, Privacy Liability or Data Breach – really only means one thing to most people in insurance: the unintended release of PII or PHI. Â That’s what I call Data Breach.
As an aside, I suspect this is another good example of the law of unintended consequences. The legislative decision to force firms to notify victims that their data has been released – and so to attach a direct cost to breaches – seems to be that half the insurance industry thinks data breach is the beginning and end of ‘cyber exposure’.
And to be fair, regardless of the fact that PII or PHI data breach exposure is just one of the data exposures firms face (and for many firms will be far from their biggest data exposure), its importance is pushed out of proportion by the cost imposed by legislation, so this is somewhat understandable. Â But only somewhat..
Aside aside, the problem with disproportional thinking is that it inevitably distracts from the main topic that really needs thinking about and that is that insurance is a bottom up service and it needs to become top-down.
To explain that with Data Breach, we see things in terms ofÂ how far Data Breach coverage should extend out from the original breach (so ‘inside-out’ is probably a better term than ‘bottom up’…). Â So, should coverage deal only with the direct costs of the breach – the notification costs? Â How about the less direct costs where, for example, the breach is not caused by some plonker loosing a USB stick in a bar but by a hacker; should the forensics that uncover that be covered? Â And the costs of a patch? Â Defence costs against the (almost)Â inevitableÂ classÂ action? Â Regulatory defence costs?Â What about PR costs to try to minimise the negative publicity? Â What about the business interruption costs? Â What about the costs of rebuilding a damaged brand – not just negative publicity?
My point here is that we vector out from what, for many firms, is a relatively limited part of their data exposure, where I am just not sure that is how our customers think or what they would buy if the alternative were available. Â The alternative? Â A single policy that deals with the effects/costs of ‘cyber’ issues, not lots of different policies (see list above) each trying to compartmentalise exposure but which all end up in the same place – costs – anyway.
Now, I know there are enormous challenges with this idea. Â Selling insurance as a direct response to legislation is an easy sell. Â ’Cause’ is normally followed by ‘effect’, not the other way round. Â Dealing with ‘effects’ would also mean having to think more deeply about the causes of the causes of losses, not just the step or two back to the specific event that produces the loss, which is the approach currently. Â More challenging still are the modelling implications; I am still trying to write Part 2 of this post. Â Most challenging of all would be the capital issues – and its optimal deployment – but that is more than a little tied up with the modelling challenge.
Challenging though these supply side issues are, demand side issues seem to me to be more pressing. Â Among these, two stand out for me.
First, ERM is increasingly best practice, where aÂ holisticÂ (sorry, I hate that word too…) approach is essential. Â Regulation is even imposing ERM in the banking and insurance industries via Basel II and Solvency II and, at least in banking, creating direct incentives (in the form of reduced regulatory capital) if genuinely capital mitigating insurance can be procured.
Second – an old friend on this site – knowledge will become less and less exploitable by insurers as insuredsÂ increasinglyÂ use social techniques to develop faster, better and more immediately actionable knowledge than insurers. Â For example, in the data rich, big data world we are moving towards, the ability to extrapolate knowledge from ever-larger and more complex data sets will mean (I fear) a relatively rapid decline in the value of insurers current silo based and ‘a few steps back’ approach to knowledge management.
Demand side opportunities will, eventually, always trump supply side difficulties. Â I fear narrow thinking – about Data Breach or anything else for that matter – will become increasingly damaging to insurance. Â But I am naturally an optimist…