The Challenges to Effective Cyber Risk Transfer: Guest Blog #2 from Towne Insurance

Post # 2 Bridging the Gap

Guest blog by Danny Plante, EVP, Towne Insurance

Considerable energy and ink have been committed to characterizing and enumerating the threats in cyber space. It is well known that these are increasing in frequency and severity, and that both the industry of breach prevention (and perpetration) continue to attract talent. As data points accrue around the various ways in which fraud can be exacted, data stolen, extortion committed, and they converge with representative samples of the investigative and corrective expenses that accompany them, and the financial resources needed to afford indemnity, the insurance industry evolves better modeling to shape the manner and extent to which it can deploy support and relief.

Suffice it to say that few opportunities have befallen the otherwise staid insurance industry with both the prospect of such extraordinary premium growth, and such a vast and fluid array of potentially catastrophic outcomes.

Predictably enough, everyone wants “in”, which presents a number of misaligned expectations.

Insurance companies are regulated by their state of domicile, and such regulation exists to assure that policy holders get what they pay for, in other words, that expectations are met.

The problem with emergent and maturing risk like “cyber”, is that very little consensus exists about the value proposition:

  1. what is minimally acceptable in terms of perils insured,
  2. the terms under which such perils will be indemnified,
  3. the limits considered adequate,
  4. the language facilitating a response,
  5. or the extent to which any of these items might be categorically excluded.

Accordingly, unlike other forms of insurance which are standardized by the state of domicile (workers compensation), or by the federal government (commercial auto), or industry trade groups like ISO…the Insurance Services Office (property, general liability)…, coverage for cyber is a function of “buyer beware”.

To that end, the industry allows the existence of such forms as “admitted inland marine”…the policies of which are not filed with the state regulatory authority, but which are guaranteed for financial solvency, or “non-admitted” liability, for which policies are neither approved by the regulator, nor afforded financial solvency guaranties.

This is not to say that in either case the coverage provided is inadequate for the particular need at hand, but rather to illustrate how a market is allowed to evolve and adapt within the context of an unmet need characterized by exposures that are uncertain, and financial capacity that is finite and requiring attentive management.

Commercially viable coverage for a new exposure, therefore, is often a balance of carefully described coverage triggers, modest limits, and finicky insuring agreements. In the hands of the inept, these features become quite hazardous; in the hands of the informed, these features evolve along a continuum of robustness and associated cost.

Within the financial industry, the insurance sensibility remains that of conservative laggard. This is no accident, given the fact that policy holders want institutions with the capacity to meet their obligations; reliability is important in such a relationship, and it often comes at the expense of flexibility and responsiveness. Moreover, cyber liability, for the majority of property and casualty generalist agents, represents a comparatively modest risk and reward relationship. Given the fact that tremendous variation exists among policy forms, that policy language is non-admitted and therefore subject to considerable change on short notice, and that perils insured are complex and fluid and insuring agreements difficult to understand with emergent and often consequential turns of phrase, it is no wonder that the graying, golf club wielding broker masses choose to defer on the matter entirely. Getting cyber coverage right simply takes either considerable work, or considerable commitment, to get right. Within the property and casualty space, there are simply far easier ways to make a good living.

Similarly, those with accountability for cyber oriented exposure typically have limited familiarity with old-world insurance themes, and an industry founded upon tortuous language and a handshake. Cyber Insurance is indeed today’s commercial manifestation of the “generation gap”.

If you would like to get in touch with Towne Insurance, please email