Cyber claim handling vs traditional lines
Generally, a cyber policy consists of the initial incident response, first-party loss, and third-party loss. These elements are not unique to a cyber policy, but there are many differences from the traditional lines of business (e.g., property policies and general liability policies). In cyber claims handling, the nature of loss and the expertise and experience required tend to differ from traditional lines. For example, for a traditional property policy that is responding to a fire loss, an inquiry with the insured would be conducted to determine which properties were burnt and whether they received soot or water damage. Such information is necessary for understanding the nature of the loss and devising a claim handling action plan. However, in the case of cyber claims, even if the policy covers a cyber incident, it can be difficult to identify the extent or cause of loss. When this information can't be obtained, particularly careful consideration must be given to how the claim is handled.
As a first step to finding answers to such questions, we must understand the nature of loss in a cyber policy. In traditional insurance, covered losses are generally property damage to tangible property and bodily injury. In cyber insurance, by contrast, covered losses in many cases relate to the confidentiality, availability, and integrity of data. Understanding this difference is the first step in factually determining that the insured suffered such losses.
The nature of cyber claims handling
In contrast to traditional lines, the breadth of exposure and the immediacy of an attack lead to several unique characteristics:
- No strict physical borders: Global connectivity and the nature of IT networks leave companies at risk on a worldwide scale.
- Beyond direct financial loss: A cyber-attack can leave a company or organization unavailable for business and reduce the integrity and overall confidentiality of its data.
- Pre-breach services: End-customers may need to build up a stronger IT security framework and establish internal cybersecurity expertise as risk reduction measures.
- Incident response protocol: Proactive cybersecurity risk management that can quickly identify root causes, provide facts on an incident in a timely manner, and pinpoint impacts on operations needs to be established.
- Proactive claims management: Responsive, active discussions with policyholders that work to get incidents resolved quickly and the business back in operation as soon as possible.
- Volatile landscape: The sheer speed with which cyber-attacks evolve requires claim trends to be updated at a much faster pace than in traditional lines.
- Intangibility: Oftentimes, cyber incidents, their cause, and the extent of loss are not as easily measured as in traditional lines. Cyber claims usually cannot be confirmed via photos or on-site investigations.
Cyber Business Interruption loss
Cyber incidents can hamper all aspects of a business operation, including procurement, stock management, manufacturing, sales, logistics, business strategy, internal comms and R&D. They also have the potential to disable operations at multiple locations regardless of physical distance. This can be particularly challenging when branches in two or more countries are impacted. A claim on a cyber BI loss can therefore be very large. Loss mitigation at the initial stage is crucial.
In many cyber claims, loss due to Business Interruption (BI) can affect not only the market share of an organization but its reputation as well. Therefore, paying attention to the potential impact on the insured's business and considering the best way to mitigate the BI loss is crucial. In addition, the nature of a cyber BI loss is far more complicated than in traditional lines, even though the definition of BI loss is quite similar in both traditional property and cyber policies. For this reason, when an insurer is notified of a BI loss claim, a reliable accountant should be retained immediately. The subsequent claim handling needs to keep in mind the key differences between cyber BI loss and BI loss in a traditional line of business.
When handling a manufacturer's BI losses under a property line, the loss may sometimes be mitigated by consuming stock, regardless of the heavy impact on manufacturing. However, in many cyber incidents, the insured has their hands tied if the systems that manage stock, sales or logistics are disabled.
It is also important to remember that covered loss is usually limited to direct loss caused by the cyber incident. Cyber incidents can impact various aspects of the insured's business and operations, including minor impacts. For example, in the case of a downed email server, the sales department cannot communicate with their clients; this could impact the potential for additional sales. A number of different business interruptions could end with the insured losing pre-existing or future customers or even receiving negative press. Unfortunately, incidents like these are generally not regarded as direct losses from a cyber incident. Therefore, communicating with a client and specifying beforehand what is and is not a direct loss becomes crucial when writing up a cyber cover.
Extortion Loss (Ransom Payment)
Ransomware attacks are nothing new when it comes to malware tactics. However, in the past, many criminals tended to send ransomware to many random computers, demanding, in some cases, hundreds of dollars. In recent years, more sophisticated criminals have begun to conduct advanced persistent threat (APT) attacks aimed at well-selected targets with the goal of extorting millions from businesses and organizations.
To respond to such ever-increasing large losses, some cyber policies now cover extortion loss. However, there are still many challenges to confront. For example, some people regard extortion loss policies as contributing to further cyber criminality. Another roadblock is that in some jurisdictions, such payment is prohibited. Thus, insurers must conduct a careful check of sanction lists before making such a payment, and the pros and cons of handing over money to an extorting criminal need to be thoroughly assessed.
In general, claim handlers need to closely assess the legitimacy of every payment, the reason behind the payment, the economic rationality of the payment, country laws regarding ransom payments, and the reasonableness of the amount paid. Lastly, extortion cover provides for the costs of retaining experts in addition to ransom payments. Whether or not the insured wants to pay the ransom, they should retain a suitably experienced expert if they want to communicate with the criminals. As a first safeguard, experts should aim to determine the capabilities of the criminal, the possible breadth of damage they could cause, and their overall strategy for doing so. This can often help in determining whether to even consider paying a ransom.
Continued cyber threat awareness
Claim trends in the cyber world change markedly faster than those in traditional lines. As cyber criminals develop new ways of making money from organizations, IT security vendors rush to update techniques, and governments modernize data protection and data security regulations, awareness is key. Munich Re is dedicated to being a knowledge leader in this regard and offers cyber trend updates via newsletters, webinars, as well as bespoke consultation from our vast chain of experts.
Even though there are many differences between traditional lines of business and cyber lines of business, understanding the nature of a cyber claim can significantly reduce the degree of uncertainty.
With a general understanding of the nature of a cyber loss, a reliable network of experts, and the vigilance to stay educated on changes in cyber threats, you will see that cyber claims are manageable. Munich Re stands by to provide clients with assistance for all of these aspects.