Image by NASA.
A white paper on the topic of "Cyberinsurance" provided by the National Association of Insurance Commissioners this year highlights the difficulties for insurance companies in underwriting the stuff.
The starting point of the question comes toward the end of the NAIC's "topic" paper or white paper. The NAIC reports that "cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data."
Insurers "compensate" for the lack of facts surrounding cyber risks and cyberinsurance "by relying on qualitative assessments". Translated into English, this means that insurance underwriters, understandably enough, substitute opinions for facts because they have so few facts.
"Managing cyber risks through insurance is relatively new," the NAIC acknowledges. The market for cyberinsurance "is expected to grow dramatically". The problems in this area come from the risks to be assumed, in more ways than one. "With each announcement of a system failure leading to a significant business loss, the awareness grows." Note the NAIC's quiet but exclusive emphasis on "significant business losses" here.
Yet, the risks to be assumed under one or more forms to be determined in the burgeoning field of cyberinsurance are so broad and spreading so wide as to include risks to individual persons as well as to businesses. The NAIC paper even mentions the following cyber risks, among others:
- Hacking or inadvertent disclosure of personal information.
- Business interruption.
- "Introduction of malware, worms and other malicious computer code."
- "Lawsuits alleging trademark or copyright infringement."
Clearly, many of these sorts of risks affect persons as well as business entities. Further adding to the island of unknown risks, so to speak, are pressures to protect information of all kinds, from personal information to trade secrets; to repel the sources of "cyber-attacks," including other nations, terrorist and other organizations, criminals, "and activists"; and to protect the policyholder's money, including by preventing unauthorized access to the policyholder's and others' money.
The NAIC attempted to clarify the area in 2015 beyond a paper on "Cyberinsurance," however. In April, its Cybersecurity (EX) Task Force issued its Principles for Effective Cybersecurity Insurance Regulatory Guidance. The regulatory guidance in question is directed to "insurers, producers, and other regulated entities".
Please Read The Disclaimer. ©2015 by Dennis J. Wall, author of an anthology in progress of "Insurance Claims and Issues" articles, to be published by Thomson Reuters in 2016. All rights reserved.