Cyber Insurance and Industrial Control Systems

Ironically, the expanding market for cyber insurance may create problems insuring cyber risk. One broker estimates that the demand for cyber insurance will exceed $2 billion of premium in 2014.[2] But while the market for cyber insurance may be increasing, the available coverages may be decreasing.

Much cyber insurance is focused on risks relating to the disclosure of personal information. The spate of retail store hacks—Home Depot, Target, P.F. Chang’s, and others—that resulted in stolen credit card and other consumer information, cost businesses and their insurers hundreds of millions of dollars in computer forensic expenses, legal expenses, notification expenses and credit monitoring, and other costs. There is thus good reason that policyholders and insurers have focused on managing the financial exposure of this risk.
           
But the focus on retailer risk distracts attention from other, perhaps more serious, cyber exposures. Insurers have taken steps to exclude cyber losses from coverage under their traditional, or what we will call “brick and mortar,” commercial policies and to increase marketing of their specialized cyber policies. Thus, for instance, ISO—the Insurance Services Office, a member of the Verisk Insurance Solutions Group—has taken steps to incorporate exclusions in its forms purporting to bar coverage for privacy and data breach losses, while simultaneously developing a product that provides coverage for these privacy and data breach losses.[3] The insurers’ goal appears to be to transfer coverage for privacy and data breach losses from brick-and-mortar policies to specialized insurance products. However, the exclusions used, although apparently intended to bar coverage for loss arising out of the disclosure of personally identifiable information such as those recently suffered by retailers, might be read more broadly by insurer advocates seeking to limit coverage. The result would be a restriction of available cyber insurance.