There is a lot of skepticism that
companies will be able to successfully
resolve a cyber BI or CBI claim should
they face a cyber-related disruption,
said Adam Thomas, principal with
Deloitte’s cyber risk services team, and
“Many insurers have tunnel vision
when it comes to writing cyber policies,
focusing primarily on marketing cyber
products for personally identifiable data
hacks and business disruption while not
offering insurance for the many other
cyber risks that companies face,” the
While some insurers and brokers
have worked with insureds to help
them understand where exposures
exist, Thomas said, uncertainty —
primarily due to lack of good data — is
He noted that coverage is often
ultimately decided by court decisions
and there is not yet definitive case law
relating to this type of claim.
Burke at Hiscox said that CBI
coverage is traditionally found in
the policies of larger insureds and is
making its way down market to smaller
insureds. Some policies may offer
sublimited coverage for all service
providers, while others may provide
coverage only for providers specifically
named by the insured.
“If Dyn had been down for a day,
it would not only result in billions
in economic loss, but in significant
insurance losses,” he said.
Companies face additional
insurance issues if their websites don’t
soon regain profitability.
Linking the recovery of lost revenue
after the site comes back online is a
challenge. There are other factors
that could explain relatively poor
performance, said JLT’s Bridges.
Typically, policies provide 60 to 90
days as the period of restoration, but for
some companies, it can arguably be much
longer before their customers return
and revenue returns to expected levels.
Bigger companies that use cloud
services from providers such as Amazon,
Google, Rackspace, IBM or Microsoft,
may have some leverage to contractually
negotiate responsibility for losses over
a certain amount, Bridges said. Small
companies, not so much.
RISK AGGREGATION FEARS
“I’m not getting a feeling that
insurance companies themselves have
a good idea of how to aggregate these
[cyber] exposures,” said Fred Eslami,
senior financial analyst, property and
casualty, A.M. Best.
“It is scary,” he said, noting that
when Dyn was attacked, about 70
companies were affected, with service
classes of business.”
Recently, the New York State
Department of Financial Services (DFS)
released cyber security requirements for
all companies that operate in the state
that are governed by the DFS. Among
other rules, it requires companies to
demonstrate the ability to recover
from a cyber event and restore normal
operations and services.
Eslami at A.M. Best said the
regulation may help to improve the
resiliency of insurers to a cyber attack.
He noted that the National Association
of Insurance Commissioners also
requires companies to provide similar
It all depends on the elements of
coverage, however. “Policy language is
not generalized and cannot be applied
the same way to all of the companies,”
He said insurance companies
that issue cyber policies may want
to consider limiting their exposure
per industry sector to a certain dollar
amount to give them a better handle
on potential losses — and their ability
to cover those losses.
A.M. Best, he said, has suggested
insurers model potential incurred-but-not-reported losses, and put aside a
contingency reserve in response.
Right now, a huge natural
catastrophe still has a greater potential
to impact company solvency, he said.
That could change as the frequency
and manner of attacks increase,
combined with the growth of cyber
coverage and the Internet of Things.
“There is a 100 percent chance we
will see something worse than Dyn,”
Stransky said. “There’s no way to avoid it.
“In some ways, it’s good it
happened,” he said.
“It was a great wake-up call. It got
people thinking. It’s a good thing if
they are nervous about this. It’s better
to be nervous now than scrambling
around when a big attack happens as
they try to figure out what is going on.
“If they are more prepared, they
will be more resilient when something
ANNE FREEDMAN is managing editor of
Risk & Insurance®. She can be reached at
They may face claims from cyber
policies as well as general liability,
D&O, E&O or policy packages.
A comparable example might be
Hurricane Andrew, which struck
Florida and Louisiana in 1992 and
drove 12 insurance companies out of
business, AIR’s Stransky said.
Although many insurers are
working to solve the risk aggregation
issue, they remain uncertain what
percentage of their book uses specific
ISPs or cloud providers, he said, and
there’s no easy way to determine that.
Thomas at Deloitte said
accumulated risk “is an area that’s been
a hot issue for senior management at
most insurers. There is a general level
of discomfort over how well — or not
well — they understand where the
cyber-accumulated risk sits.”
“Some insurers may fear being
overwhelmed by a sudden aggregation
of losses in which a third-party
provider or cloud computing vendor
that works with a wide swath of
businesses gets hacked and leads to
service failures for all of its users,”
according to Deloitte’s report on
“This sort of systemic event could
spell chaos for the insurance industry,”
“Insurers should consider
implementing more rigorous
underwriting policies to start
minimizing aggregation risk.”
“The exposure [for insurers],” said
Burke at Hiscox, “can aggregate so
quickly and be so massive that I think
it has the potential to put insurance
Some companies, like AIR Worldwide
and RMS, are creating models to help
insurers understand their exposure.
Stransky said the AIR model
analyzes an insurance company’s
portfolio to look at the aggregation
risk, using specific company policy
inclusions and exclusions.
Burke said Hiscox creates its own
scenarios and models them with the
help of third-party providers.
Lloyd’s issued an oversight
framework two years ago that requires
all syndicates, including Hiscox and
Beazley, to have a “specific risk appetite
for exposure to cyber attack across all
SOURCE: DELOITTE CENTER FOR FINANCIAL SERVICES
Obstacles for Cyber Coverage
Buyers often don’t understand cyber risks or their insurance
Cyber risk is spread over a wide range of coverages.
Cyber policies lack
The legal landscape remains in
Dearth of data.
Cyber attacks keep evolving.
Tunnel vision in coverages
Regardless, “it has been difficult to
prove” a BI or CBI loss, he said.
Often, coverage is not triggered
until a designated waiting period,
typically eight to 12 hours. Plus, it is
difficult even in a property-related
BI claim to quantify losses during the
event or time of restoration, let alone a
cyber BI claim. It requires the expertise
of a forensic accountant.
“Because Dyn was down only three
hours [during the second attack of the
day], there was very little insurance
loss,” said Scott Stransky, assistant vice
president and principal scientist at AIR
Worldwide, although the economic
loss was more than $100 million.
lost for several hours on different
occasions in a 24-hour period.
“I’ve been trying to get information
on what the damage was, particularly
in terms of business interruption,” he
“There is no information right
now. I hear companies are working on
it since October. But it’s apparently a
challenging task to come up with an
idea of what the damage was.”
Imagine, he said, if the attack lasted
24 hours and affected hundreds of
companies. Insurance companies have
“no actuarial or results-oriented data
they can depend on to do their proper
pricing or proper reserving.”