International Cyber Risk Management ConferenceApril 15-16, 2019 – Metro Toronto Convention Centre

Should insurers be required to use standard terminology in cyber policies?

Should insurers be required to use standard terminology in cyber policies?

Written by Bethan Moorcraft at Insurance Business Canada, May 1st, 2019

One of the biggest roadblocks for brokers selling cyber insurance is education. While consumer awareness of the risk is growing rapidly – an inevitable outcome of the mass media attention given to data breaches and hacks involving corporate giants – consumer understanding of cyber risks and their insurance options remains low. This is partly due to a lack of standardization and common terminology in cyber policies, which makes it difficult for insurance brokers to learn about the product and then convince insureds that they need to buy the coverage.

“Really, what we want to do is reduce complexity. We want to get some certainty to an insured around exactly what risk they’re transferring,” said Greg Eskins, managing director, specialties leader, Marsh Canada. “We need to understand the key risk issues that an organization faces and turn those into actual scenarios in terms of what the impacts might be. Insurance is really the last step in that process in terms of transferring that financial risk.

“When we talk about cyber with clients, we should really start from the perspective of the intangible – something that goes wrong in the digital realm that causes some sort of financial loss to their balance sheet. Then the question becomes: ‘Can we insure that?’ If the answer is yes, we then need to determine which policy will trigger. What we must do is provide much more clarity in and around which buckets cyber risk fits into.”

Clarity when selling cyber insurance is key – but clarity is hard to achieve when markets use different terminology to define the same risk. For example, what one market calls silent cyber risk, another market calls non-affirmative cyber risk. The two definitions might refer to the same exposure – potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk – but the markets using differing terminology might back up their choices with varying risk appetites.

Ruby Rai, manager, cyber and professional liability, AIG Canada, explained: “It’s not just whether a common terminology can be achieved; it’s also the appetite between different markets and to the extent that they’re open and willing to offer coverage. A carrier might have a standardized form, but then they’re probably adding layers and layers of added enhancements to it [in order to] provide broadness of coverage and avoid ambiguity. Maybe there will be a future where markets can come together, and a more standardized form could be achieved. I think brokers are going a great job in pushing the markets towards that – it’s definitely open for discussion.”

As long as the cyber insurance product is the value proposition, the markets will always be incentivized to differentiate their products, according to Greg Markell, president and CEO, Ridge Canada Cyber Solutions. But that product differentiation need not come in the shape of divergent terminology, he added.

“I think what we need to get at is a common set of terminology such that if I gave three lawyers the insurance wording, I don’t have three diverging interpretations of that insurance wording,” Markell commented. “There’s difference in D&O policies, but Side A is Side A, Side B is Side B, and Side C is Side C – but then there’s a bunch of nuances in the product that still creates a bit of differentiation.

“There’s an opportunity to create consistency around the intent of what it is we’re trying to cover. One of the really good signs we’re seeing is that broker partners are investing in this. There’s more research being done, and there’s more time being spent on the dissection of the cyber insurance product. There’s absolutely room for improvement and we’re pushing towards that as an industry across the board.”

Original article: https://www.insurancebusinessmag.com/ca/news/cyber/should-insurers-be-required-to-use-standard-terminology-in-cyber-policies-166179.aspx