Content Analysis Of Cyber Insurance Policies


Content Analysis of Cyber Insurance Policies
Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones
Institute for Civil Justice

Can insurance help decrease privacy risk?
- U.S. seeks to induce companies and critical infrastructure to better protect computers
- NIST cyber security framework
- Market solutions like cyber insurance have potential
Challenges
- Insuring can backfire (moral hazard)
- Can insurers differentiate risk between client firms?

Research Questions
- What is the current state of cyber insurance policies?
- How do insurance carriers price cyber and privacy risks?

Current Market
- Total US premiums approximately 2b annually
- However, this makes up 1% of all corp. US insurance
- Typical: premiums between 10k - 25k, limits between 10m - 25m, and towers of hundreds of millions

Policies collected from State Insurance Commissioners
180 dockets from NY, PA, CA, and large carriers (2007–2017)
69 coverage s

What is covered?
Common coverage areas / Rare, but notable
- Business income loss
- E-theft (phishing)
- Forensic review
- Website media content
- Notification to affected individuals
- Act of terrorism (if electronic)
- Monitoring expenses
- Public relations services
- Cost of claims, penalties, defense, and settlement

SECURITY and PRIVACY QUESTIONNAIRES
ORGANIZATIONAL / TECHNICAL / LEGAL & COMPLIANCE / POLICIES & PROCEDURES

SECURITY and PRIVACY QUESTIONNAIRES
ORGANIZATIONAL / TECHNICAL
- Data collection and handling
- Outsourcing
- Information technology and computing infrastructure
- Incident loss history
- Technical security measures
- IT security budget & spending
- Access control
LEGAL & COMPLIANCE / POLICIES & PROCEDURES
- Healthcare privacy
- Information and data management
- Financial security regulation compliance/standards
- Employee privacy and network security
- Organizational security policies and procedures

How do carriers price cyber risk? Suboptimally
“Limitations of available data have constrained the traditional actuarial methods used to support rates.”
Translation: “We don’t know.”
“The base retentions were set at what we believe to be an appropriate level for the relative size of each insured.”
Translation: “We’re guessing.”
“The rates for the above-mentioned coverages have been developed by analyzing the rates of the main competitors.”
Translation: “We’re using someone else’s guess.”

Carriers base estimates on other insurance lines
“Loss trend was determined by examining 10 years of countrywide Fiduciary frequency and severity trends.”
“The Limit of Liability factors are taken from our Miscellaneous Professional Liability product.”
“Base rates for each module of this new product were developed based on currently filed Errors and Omissions and Internet Liability rates.”

Pricing strategy #1: Flat rate
Coverage | Frequency | * Severity | Expected Loss (Loss Cost) | Profit Load | Premium
Computer Attack | 0.20% | 49,800 | 99.60 | 35% | 153
Network Liability | 0.17% | 86,100 | 147.23 | 35% | 227
- Carriers use data from industry and academic reports
- No variation by firm, industry, or risk
- Targeted toward small businesses

Pricing strategy 2: base rate
1) Determine revenue
2) Base premium
[Table: Asset Size bands and Base Rate. Legible base rates: 5,000, 7,000, 8,500, 11,000, 26,000, 35,000, 41,000, 45,000]
3) Increase limits
[Table: Limit (1,000,000 to 20,000,000) and limit factor. Factor values are not legible]

Pricing strategy 2: base rate
[Table: industry hazard factors. Industry - Non-Financials: Accounting Firms; Advertising Firms; Agriculture; Constr[...]; Not-for-Profit Organizations; Unions; Bio-Technology / Pharmaceutical; Data Aggregators; Educational Institutions (Schools, Colleges, Universities); Gaming (including Online); Government Agencies; Medical / Healthcare Related Services. Legible factors: 1.00, 1.00, 1.20, 1.20, 1.20, 1.20, 1.20, 1.20]

Pricing strategy 3: Security/Privacy questions
Section 6: Third-Party Modifiers: The appropriate factors should be applied multiplicatively.
1. Information Systems Security Policy: Relevant questions include:
(1) Does the insured maintain an information systems security policy?
(2) Is the information systems security policy kept current and reviewed at least annually and updated as necessary?
Answer YES to | Factor
Two of the above | 0.80 to 0.90
One of the above | 0.95 to 1.05
None of the above | 1.10 to 1.20
5. Infrastructure Operations Third Party Provider: Relevant questions include:
(1) Is a written agreement in place between the insured and the third party provider?
(2) Does the agreement require a level of security commensurate with the insured's information systems security policy?
(3) Does the insured review the results of the most recent SAS 70 or commensurate risk assessment?
—Source: Policy questions from California insurer

How are final premiums calculated?
(Source: Final premium calculation from a California cyber insurance policy)
(Third party liability base rate) (First party base rate if elected)
X (Limit factor)
X (Retention factor)
X (Data classification factor)
X (Security infrastructure factor)
X (Governance, risk and compliance factor)
X (Payment card controls factor)
X (Media controls factor)
X (Computer system interruption loss factor, if applicable)
X (Retroactive coverage factor)
X (Claims/loss history factor)
X (Endorsement factor, if applicable)
Final Premium
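The flat-rate and multiplicative premium calculations from the pricing slides, as an added example (not code from the presentation or from any carrier). The relation premium = loss cost / (1 - profit load) is an assumption that reproduces the flat-rate table's 153 and 227; the base rate of 5,000 and the industry factor of 1.20 are constructed sample inputs.

```python
from math import prod

def flat_rate_premium(loss_cost, profit_load):
    """Strategy 1. Assumption (not stated on the slide): the profit load is a
    share of the premium, so premium = loss cost / (1 - load)."""
    return round(loss_cost / (1 - profit_load))

# Factor ranges quoted on the slide for the "Information Systems Security
# Policy" modifier, keyed by how many of its two questions were answered YES.
SECURITY_POLICY_FACTOR = {2: (0.80, 0.90), 1: (0.95, 1.05), 0: (1.10, 1.20)}

def security_policy_factor(answers):
    """Map questionnaire answers (iterable of bools) to the filed factor range."""
    return SECURITY_POLICY_FACTOR[sum(bool(a) for a in answers)]

def premium_band(base_rate, factors):
    """Final premium: base rate times every factor, applied multiplicatively.
    Factors are (low, high) ranges, so the result is a (low, high) band."""
    low = base_rate * prod(f[0] for f in factors)
    high = base_rate * prod(f[1] for f in factors)
    return round(low, 2), round(high, 2)

def questionnaire_spread():
    """Worst-case over best-case multiplier this one modifier can produce."""
    best_low = SECURITY_POLICY_FACTOR[2][0]
    worst_high = SECURITY_POLICY_FACTOR[0][1]
    return round(worst_high / best_low, 2)

if __name__ == "__main__":
    # Loss cost and load from the flat-rate table. The stated loss cost is used
    # as input because 0.17% x 86,100 = 146.37, so that frequency is rounded.
    print(flat_rate_premium(99.60, 0.35), flat_rate_premium(147.23, 0.35))
    # Constructed insured: base rate 5,000 and industry factor 1.20 are sample
    # values; only the security-policy ranges come from the quoted filing.
    industry = (1.20, 1.20)
    for answers in ([True, True], [True, False], [False, False]):
        band = premium_band(5000, [industry, security_policy_factor(answers)])
        print(answers, band)
    print("spread:", questionnaire_spread())
```

With every other factor held fixed, the two security-policy questions alone move the premium by a factor of up to 1.5 between the best and worst answers.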

sromanos@rand.org
@SashaRomanosky
Institute for Civil Justice

Research Methodology
We conducted a directed content methodology
- which enables us to identify and categorize themes and concepts, and derive meaning and insights across policies
Sample size was determined by purposive sampling, which relies on saturation:
- the point when new information produces no change to the codebook
- i.e. we want to saturate our codebook
“As [the researcher] sees similar instances over and over again, [she] becomes empirically confident that a category is saturated”

What is excluded?
Common exclusions / Rare, but notable
- Criminal acts; trade law violation
- Caused by a named virus
- Acts of war or terrorism
- Collateral damage
- Theft of intellectual property, except when caused by breach
- Outsourcing of data processing
- Disregard for computer security

What did we learn about cyber insurance policies?
Coverage is available for most kinds of losses
- But pay attention to the exclusions
Security questionnaires appear to ask a reasonable set of questions
- Can there be improvements?
Despite suggestions, carriers do not appear to have advanced capabilities for assessing risk
Future work
- Empirical analysis of premium pricing
