CyberGuide - Information Security and Cyber Risk Management



‘Work to be done’ for cyber insurance to keep up with client needs

By Erin Ayers, Advisen

SAN FRANCISCO (Feb. 17, 2020) – Cyber insurance coverage may not be keeping pace with how businesses operate these days or the risks they face, according to a panel of risk managers speaking here at Advisen’s Cyber Risk Insights Conference.

“There’s work to be done there,” said Loren Crannell, head of global risk and insurance for Juul Labs, adding that he is “worried that the policy will not consider something that could happen.”

“I worry it’s not keeping up with how companies work today,” said Michelle Bennett, senior director of risk management and internal audit for CableOne. At the conference on February 12, she said that she’d prefer closer partnerships in the cyber field where insurance partners offer annual inspections and assessments as in other lines of insurance.

“I have yet to see something like that,” she said. Bennett added that insurance should be more than a “fallback,” but rather a way to help the risk manager do their job better.

Heather McPherson, executive director of Kaiser Permanente’s privacy and security program, noted that cyber insurers and brokers can help risk managers tell the right story about cyber risk to the C-suite. The same sort of relationship is needed on insurance market shifts, especially as “tightening” of coverage or pricing occurs, she said.

According to Crannell, risk professionals look for a “co-advocate” to see the entire enterprise and be more than an advisor on cyber insurance.

That type of messaging and commitment would go a long way to improving the take-up rate of cyber insurance, the panel agreed.

Bennett emphasized that insurers and brokers can streamline the cyber insurance process by forging relationships with buyers and helping them understand the process better, especially if they’ve had a bad experience in the past with uncovered claims.

“The transactional approach just doesn’t work anymore,” she said.

Asked by panel moderator Florence Levy, West Coast cyber practice leader for Marsh, where “silent cyber” risks should ultimately be covered, the panelists highlighted another potential area of improvement for the insurance industry. In the view of the panel, the various “buckets” of coverage could be clearer, especially since policies have evolved so quickly.

“I can see where it would become its own specialty … a discipline that gets resolved all on its own,” said Bennett. She cited a need for insurance professionals who understand all the potential damages that could stem from a cyber event.

Crannell suggested a program where cyber and property are combined to access the expertise needed for business interruption and contingent business interruption.

“If we’re trying to protect a whole enterprise and the property is the target, they should be bundled,” he said.

Ultimately, risk managers say they want more certainty of coverage.

“At the end of the day, I don’t want to buy insurance that’s not real,” said Crannell. “If it won’t cover me, it’s just paper.”

Senior editor Erin Ayers can be reached at eayers@advisen.com