Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones, Content analysis of cyber insurance policies: how do carriers price cyber risk?, Journal of Cybersecurity, Volume 5, Issue 1, 2019, tyz002, https://doi.org/10.1093/cybsec/tyz002
Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, the market for insuring against these losses has grown rapidly in the past decade. While there exists much theoretical literature about cyber insurance, very little practical information is publicly available about the actual content of the policies and how carriers price cyber insurance premiums. This lack of transparency is especially troubling because insurance carriers are often cited as having the best information about cyber risk, and know how to assess – and differentiate – these risks across firms. In this qualitative research, we examined cyber insurance policies filed with state insurance commissioners and performed thematic (content) analysis to determine (i) what losses are covered by cyber insurance policies, and which are excluded?; (ii) what questions do carriers pose to applicants in order to assess risk?; and (iii) how are cyber insurance premiums determined – that is, what factors about the firm and its cybersecurity practices are used to compute the premiums? By analyzing these policies, we provide the first-ever systematic qualitative analysis of the underwriting process for cyber insurance and uncover how insurance companies understand and price cyber risks.
Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars [ 1]. Consequently, the market for insuring against these losses has grown rapidly in the past decade (discussed more below). Cyber insurance is a broad term for insurance policies that address first and third party losses as a result of a computer-based attack or malfunction of a firm’s information technology systems. For example, one carrier’s policy defines computer attacks as a, “hacking event or other instance of an unauthorized person gaining access to the computer system, [an] attack against the system by a virus or other malware, or [a] denial of service attack against the insured’s system”. 1
Although there exists a large, and growing, body of academic literature on cyber insurance, 2 it is almost exclusively theoretical, examining network externalities, asymmetric information and the viability of cyber insurance markets. While this work is necessary for understanding the antecedents of market success and failure, it does not examine the actual legal contracts (the insurance policies) upon which the theories and models are based.
Further, while insurance companies are often seen as the singular organizations with specialized ability to quantify and price operational risks, 3 there is almost no public information about how carriers actually assess – and differentiate – cyber risk across firms and industries, and particularly, how they compute prices for cyber insurance premiums. This lack of transparency in policies and practices is cited as one of the leading obstacles hindering adoption of cyber insurance, 4 and presents significant challenges for senior executives seeking to manage risks across their organizations because they are unable to effectively understand and compare coverages across insurance carriers. Moreover, the lack of transparency prevents these decision makers from using this information to implement security controls that could both reduce their operational costs, and improve their security posture.
Therefore, this research seeks to fill what we perceive to be a critical gap in the design, understanding, and purchase of cyber insurance underwriting by providing fundamental analysis and transparency of actual cyber insurance policies.
Since insurance in the USA is regulated at the state level, insurance carriers are required to file policies with state insurance commissions describing each new insurance product. These filings include the full text of the policy (coverage, exclusions, triggers, etc.), a security application questionnaire, and a rate schedule describing the formula for deriving insurance premiums. It is these filings that provide a unique opportunity to examine how insurance companies understand and price risks, and specifically, which business, technology and process controls (if any) are considered in rate calculations.
In this qualitative research, we seek to answer central questions concerning the current state of the cyber insurance market. Specifically, by collecting insurance policies from state insurance commissioners across New York, Pennsylvania, and California, we examine the composition and variation across three primary components: (i) the coverage and exclusions of first and third party losses which define what is and is not covered, (ii) the security application questionnaires which are used to help assess an applicant’s security posture, and (iii) the rate schedules which define the algorithms used to compute premiums.
Below we provide a brief introduction to the size of the US market for cyber insurance, followed by a description of relevant literature. We then explain our research methodology, data, and results from the content analysis.
The US cyber insurance market has grown rapidly over the past decade. With less than $1 billion in premium in 2012, some experts estimate that the US cyber insurance market will grow to $7.5 billion by the end of the decade [ 4], with others projecting $20 billion by 2025 [5, p. 24]. A recent survey of industry leaders found that 88% of respondents saw cyber as a “potentially huge untapped market” which they anticipated would grow faster than the rest of the property/casualty (P/C) insurance industry [ 6].
While the US market penetration may be more accelerated than other countries, only around one third of US companies have purchased some sort of cyber insurance [ 7], with significant variation in cyber insurance across US industry sectors. For example, barely 5% of manufacturing firms have cyber insurance coverage, whereas the healthcare, technology, and retail sectors have reached an adoption of close to 50% [ 8]. 5 Yet, Marsh [ 10] reports cyber insurance growth rates of 27% across all industries, ranging from 6% in health care to 63% in manufacturing, for US-based clients in 2015.
The supply side of insurance is also growing very rapidly. While only a few firms were offering insurance products a decade ago, the National Association of Insurance Commissioners (NAIC) reported there to be around 500 carriers now offering cyber insurance [ 11]. 6 Reports suggest that the US cyber insurance market is dominated by a handful of carriers, including American International Group, Inc. (AIG), accounting for approximately 22% of the market, Chubb Limited (CB) at 12%, and XL Group Ltd. (XL) at 11% [ 12], with ACE Ltd, Zurich and Beazley also providing coverage.
Average premiums are priced between $10 000 and $25 000, 7 with some carriers writing limits between $10 million and $25 million, and as high as $50 million [ 13]. However, as with most other insurance products, towers of cyber policies can be purchased in the event of extreme losses, and Airmic [ 14] suggests that limits of $200 million and $300 million exist for some industries.
This article is informed by two main streams of literature. The first is research on cyber insurance, which is almost exclusively theoretical [ 15, 16, 17, 18, 19]. 8 Overall, this body of work examines the incentives for firms to purchase insurance (demand side), the incentives for insurers to provide contracts (supply side), and the conditions necessary in order for a market to exist. The inevitable tension for firms, as many identify, is whether to invest in ex ante security controls in order to reduce the probability of loss, or to transfer the risk to an insurer [ 20]. In particular, Böhme and Schwartz [ 16] provide an excellent summary of cyber insurance literature, and define a unified model of cyber insurance consisting of five components: the networked environment, demand side, supply side, information structure, and organizational environment. Here, the network topology plays a key role in affecting both interdependent security and correlated failures. Their demand-side model considers the risk aversion of the insured, heterogeneity across wealth, impact, and defense and utility functions of firms, while the supply-side discussion considers, inter alia, the competitive landscape of insurers, contract design (premiums, fines), and the carrier’s own risk aversion. Discussion of information structure relates to adverse selection and moral hazard, and finally, organizational environment describes issues such as regulatory forces that may exist to mandate insurance, require disclosure in the event of a loss, and the effect of outsourced security services and hardware and software vendors on a firm’s security posture. Despite this body of work, however, none of it examines the form or content of actual insurance policies, or the pricing mechanism used by carriers.
There is also some qualitative research on cyber insurance policies. Alongside very rigorous theoretical modeling of an insurance market, Marotta et al. [ 21] provide an overview of covered loss areas across 14 carriers. Majuca et al. [ 22] mainly describe the evolution of insurance policies since the late 1990s, as well as providing an overview of covered losses from seven carriers, while Baer and Parkinson [ 23] review policies from six carriers. And Woods et al. [ 24] examine 24 self-assessment questionnaires provided by insurance carriers.
And so, our research is also informed by qualitative research methods which guide us when examining, in a systematic and rigorous way, a corpus of documents. Specifically, the field of thematic analysis is an inductive (as opposed to deductive) research methodology used for “systematically identifying, organizing, and offering insight into patterns of meaning (themes) across a data set” [ 25]. In particular, “inductive” thematic analysis is used, “in cases where there are no previous studies dealing with the phenomenon, and therefore the coded categories are derived directly from the text data” [ 26]. This approach is appropriate for our research on cyber insurance since, to our knowledge, there is very little previous work that has rigorously examined each of the components of these policies.
Thematic content analysis is a rigorous methodology which has been used for decades and across many disciplines [ 27]. For example, Schwarcz [ 28] performs content analysis on a sample of homeowner insurance policies in order to measure the variation in coverage across insurance carriers, and Davis et al. [ 29] examined US state health laws regarding prescription monitoring programs in order to determine the qualities of the law’s intended purpose (such as related to countering misuse or abuse, or assisting with criminal investigations, etc.). Yu et al. [ 30] discuss the relationships between text mining (performed by machine learning techniques) and typical human-driven content analysis, providing dozens of examples of text mining across bioinformatics, business systems, engineering and education. And Ingle and Wisman [ 31] perform content analysis on teacher contracts in Kentucky to examine changes over time.
In the USA, insurance laws are statutorily enforced by the McCarran–Ferguson Act (15 U.S.C. §§ 1011-1015) which empowers states to regulate the “business of insurance”, and which is overseen by a nonprofit organization called the National Association of Insurance Commissioners (NAIC). In the 1990s, NAIC developed an online electronic records system called SERFF in order to facilitate the “submission, review and approval of product filings between regulators and insurance companies”. 9 The filed documents include the policy forms (description of coverage, triggers, and exclusions), application forms (the self-assessment questionnaires presented to clients in order to assess their security posture), rate information (equations and tables governing the pricing of premiums), and other supporting documentation required or requested by the state insurance commissioners. As of 2016, 49 states and 3900 insurance companies and filers all participate in SERFF (though not all states allow electronic filing). The adoption of this electronic filing system by multiple states ensures uniformity and consistency of filed documents across all states, and the filed documents are made available to the public, in part due to state open records laws. 10
There is a distinction regarding insurance regulation related to admitted versus nonadmitted markets. Carriers that seek to operate in an “admitted” market (which is the source of our data collection) must file their policies and rate schedules with the state insurance commissions and comply with all state regulations in order to be licensed in a given state. Alternatively, carriers may avoid some of the restrictions imposed by state insurance commissioners by selling insurance in the “nonadmitted” market (also known as excess or surplus insurance lines). While some suggest that a sizeable portion of US cyber insurance is sold in the nonadmitted market, 11 the NAIC estimates that $1.8 billion in annual premiums is written in this admitted market [32, p. 8]. 12
As mentioned, the goal of this research is to provide transparency around the three main components of cyber insurance policies: coverage and exclusions, security questionnaires, and rate schedules. We therefore leverage a form of qualitative research called directed content methodology, or thematic analysis, which enables us to identify and categorize themes and concepts, and derive meaning and insights across a collection of policies. 13
In order to determine the appropriate number of policies to examine, we employ a common form of qualitative nonprobabilistic sampling known as purposive sampling [ 27]. Sample size in purposive sampling is determined by a concept called thematic saturation, which is the point at which “no additional data are being found whereby the (researcher) can develop properties of the category. As [the researcher] sees similar instances over and over again, [she] becomes empirically confident that a category is saturated” [ 34]. Guest et al. [ 35] further defines thematic saturation as the “point in data collection and analysis when new information produces little or no change to the codebook” while at the same time, the observations are “selected according to predetermined criteria relevant to a particular research objective” [ 35] – such as in our case of studying cyber insurance coverage from a larger pool of all state insurance documents. Specifically, Guest et al. [ 35] state that “the size of purposive samples be established inductively and sampling continue until ‘theoretical saturation’… occurs”.
We estimate the full population of cyber insurance policies to be around 2000–3000, a number larger than this research effort is able to examine. 14 Analysis of state-level insurance regulation, as well as conversations with industry experts and regulators, suggests that for the purpose of this study, there should be no systematic variation across the states in the content of insurance policies. This is not to say that there would be no differences, but just none that would materially bias any results or conclusions. Therefore, for the purpose of data collection, we can reasonably consider all US states to be similar, thus supporting a pooled analysis.
For our data collection, we used the online SERFF system managed by NAIC to search for policies using the keywords: “cyber”, “security”, and “privacy”. We limited the search to the broad category of property and casualty (P&C) insurance since “cyber insurance” is not covered under a single line of business, but instead is distributed across multiple lines of property and casualty insurance. We collected only “approved” documents, and omitted those which were filed but rejected. In total, we downloaded and examined 235 filing dockets from New York, Pennsylvania, and California. These states were chosen because they are three of the largest states by population, and where we therefore expect to see many policies with the most variation, thereby improving our thematic saturation.
The dockets covered years from 2007 to 2017, though not all 235 dockets contained all documents of interest for this research, which we discuss more below. The policies came from both large and small carriers, such as AXIS, Berkshire Hathaway, CUMIS, Chubb, Everest, Farmers, Federal Insurance Company, Great American, The Hartford Steam Boiler Inspection and Insurance Company, Philadelphia, QBE, Travelers, XL, Zurich, etc.
In addition, some large insurance carriers make their coverage and exclusion policies available online, and so we also collected policies from the public websites of 15 major insurance carriers. Security questionnaires and rate schedules were not available and therefore not included in our analysis.
Each insurance docket consisted of a zipped file, often containing dozens of individual documents which may include (i) the policy coverage and exclusions form, (ii) the security questionnaire, and (iii) the rate schedule, in addition to other supporting documents. Each docket was examined individually, though as mentioned, not all documents were included in each docket.
The coding process then began as follows: first the principal investigator created a master codebook for each state (NY, PA, CA) and recorded the following metadata for each docket: the policy identifier (i.e. a unique identifier assigned by the state), state, submission date, the filing insurance company, the product name, the insurance line, and the insurance group. Coverage/exclusion forms, questionnaires, rate schedules and other relevant documents were then embedded into the master codebooks.
Next, two authors of this Article coded the coverage/exclusion forms, while one author each coded the security application, and rate schedule sections. Each team developed their own code book as they examined and processed their respective documents. The codebooks for each section were guided by an inductive approach that enabled investigators to identify themes and patterns within their respective documents [ 34, 36]. For example, the codebook for the coverage and exclusion section coded the covered losses separately from the exclusions. The codebook for the security questionnaires coded each unique question, which were then grouped into major and minor categories, while the codebook for the rate schedules differentiated between distinct categories of rate pricing (discussed more below).
The authors followed common coding practices to first deductively anticipate initial coding variables, and then, as each subsequent policy was examined, updated the codebook in order to capture unexpected findings (Bowen, 2009). The themes were adjusted as needed, by creating new themes or collapsing redundant ones. Thematic analysis performed on these sorts of structured documents presents a particular benefit over analysis of very loosely structured content, such as human subject interviews. In interview situations, the subject may provide a response, then backtrack, become distracted, or take an unexpected tangent, leaving the coder to interpret or otherwise search for latent meaning in a body of text, and making coding more prone to measurement error. In our case, however, coding was relatively more objective and straightforward because it was a direct result of whether a topic is present, or not, in the policy document.
We begin the qualitative content analysis by examining the coverages and exclusions (immediately below), followed by the security application questionnaires, and then the equations and methods used to derive the premiums. Note that policy identifiers have been anonymized using “POL-#”, where the “#” symbol is replaced by a unique identifier.
Cyber insurance, like most insurance products, generally distinguishes between two broad loss categories, “first party” and “third party”. First party losses relate to those directly suffered by the insured (i.e. the “first” party to the insurance contract), while third party liability relates to claims brought by parties external to the contract (i.e. the “third” party) who suffer a loss allegedly due to the insured’s conduct.
Of the 235 policy dockets collected from Pennsylvania, New York, and California, 54 had complete coverage and exclusion forms (2 of which were duplicate) filed between 2009 and 2016. In addition, we collected 15 coverage and exclusion forms posted by large insurance companies (from the nonadmitted market), for a total of 67 unique policies.
Our coding process for this section was as follows. For each policy, and for both coverage and exclusion sections, we coded each new criterion as it appeared, extending the codebook to capture the main components as necessary. The codes were generally categorized as covering first or third party losses, such as computer attack, network security liability, and personal data compromise. We repeated this process for all 67 policies. Note again that coding was a fairly objective process, facilitated by the fact that these policies are quite standardized in format, helping to reduce the subjective interpretation common to unstructured data (such as from interviews). Once complete, we identified a total of 17 covered losses, and 58 exclusions. As a validity check, 6 randomly selected policies (9%) were checked for accuracy. We achieved a reliability rate of 97% for covered losses (3 discrepancies among 6 policies × 17 codes), and a reliability rate of 94% for exclusions (18 discrepancies among 6 policies × 58 codes).
As shown in Figure 1, we found that the covered losses appeared more consistent across all policies, whereas exclusions were more varied. For example, after reviewing only 6 policies, 88% of the covered losses had been coded, and by the 37th policy, we reached full saturation (upper panel). That is, it only took 37 policies before we identified all covered losses from the policies in our dataset. By comparison, after 16 policies, we reached 71% saturation for exclusions, and achieved full saturation by the 60th policy (lower panel).
Identification of criteria over the course of reviewing policies
As a simple form of robustness check, we compared policies between admitted and nonadmitted markets in order to determine whether there were any systematic differences in terms of new covered losses or exclusions. Carriers from the nonadmitted market were coded as policies 53–67 and, as shown in the upper panel of Figure 1, no new covered losses were coded, and as shown in the lower panel, only 1 new exclusion was coded (an exclusion for loss derived from an industrial control system, ICS/SCADA).
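The saturation curve and validity check described above, worked through in code as an added illustration (this is not part of the original article or its codebooks). The sample policies are constructed: the code names follow the article's vocabulary, but which codes appear in which policy is invented, and the reliability formula is the one the article reports (discrepancies over policies × codes).

```python
"""Thematic-saturation curve, saturation point, admitted-vs-nonadmitted
robustness check, and validity-check reliability for a coded corpus."""
from typing import List, Sequence, Set

# CONSTRUCTED sample corpus: each entry is the set of covered-loss codes
# found in one policy, in the order the policies were coded.
SAMPLE_COVERAGE: List[Set[str]] = [
    {"computer attack", "personal data compromise", "business interruption"},
    {"computer attack", "network security liability", "cyber extortion"},
    {"personal data compromise", "public relations costs", "credit monitoring"},
    {"computer attack", "data restoration"},
    {"forensic investigation", "personal data compromise"},
    {"computer attack", "cyber extortion", "regulatory defense"},
]


def saturation_curve(policies: Sequence[Set[str]]) -> List[float]:
    """Fraction of the final codebook discovered after each policy is coded.

    The final codebook is the union of all codes seen in the corpus, so the
    curve is monotone non-decreasing and ends at 1.0 (cf. Figure 1 panels).
    """
    final = set().union(*policies)
    seen: Set[str] = set()
    curve: List[float] = []
    for codes in policies:
        seen |= codes
        curve.append(len(seen) / len(final))
    return curve


def saturation_point(policies: Sequence[Set[str]]) -> int:
    """1-based index of the first policy after which no new codes appear
    (the article reports 37 for covered losses and 60 for exclusions)."""
    for i, frac in enumerate(saturation_curve(policies), start=1):
        if frac == 1.0:
            return i
    raise ValueError("empty corpus")  # unreachable for a non-empty corpus


def new_codes_from(policies: Sequence[Set[str]], start: int) -> Set[str]:
    """Codes first seen in policies[start:] (1-based start), i.e. the
    robustness check of whether a later group (the nonadmitted carriers,
    policies 53-67 in the article) contributed anything new."""
    before = set().union(*policies[: start - 1])
    after = set().union(*policies[start - 1 :])
    return after - before


def reliability(discrepancies: int, policies_checked: int, codes: int) -> float:
    """Validity check: share of (policy, code) cells with no discrepancy."""
    return 1.0 - discrepancies / (policies_checked * codes)


if __name__ == "__main__":
    print(saturation_curve(SAMPLE_COVERAGE))
    print("saturated after policy", saturation_point(SAMPLE_COVERAGE))
    print("new codes from policy 6:", new_codes_from(SAMPLE_COVERAGE, 6))
    print("coverage reliability:", round(reliability(3, 6, 17), 3))
    print("exclusion reliability:", round(reliability(18, 6, 58), 3))
```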
We find the consistency in coverage across policies to be surprising. From discussions with industry experts, the consensus is that there is so much variation across policies that examining a sample would provide no meaningful insights in industry-wide coverage. The results presented above, however, suggest that there is, in fact, a strong similarity for both coverage and exclusions across many policies and these states. 15
Next, we describe the covered and excluded losses in more detail.
Coverage for losses due to cyber incidents can be categorized in a number of different ways, and one familiar way is to differentiate between losses borne as a direct result of the incident (first party losses), and losses incurred as a result of litigation by alleged injured parties (third party losses). We discuss these more below, and then describe the most common losses overall.
As mentioned, first party coverage includes losses incurred directly by the insured. For example, costs related to investigating the cause of a data breach or security incident, costs associated with restoring business services, the cost of notifying affected individuals, credit monitoring services, costs incurred from public relations and media services in order to communicate the event, 16 extortion and ransom payments, 17 and losses associated with business interruption.
In order to manage the various risks associated with these kinds of cyber incidents, carriers frequently assigned sublimits (and in some cases, distinct premiums), to groups of first party losses. For example, some policies differentiated among just a couple of categories, such as personal data compromise and computer attack. 18 Personal data compromise relates to the “loss, theft, accidental release or accidental publication of personally identifying information (PII) or personally sensitive information”. 19 A computer attack relates to unauthorized access, malware attack, or denial of service (DoS) attack on any computer or electronic hardware owned or leased and operated by the policy holder.
However, more sophisticated – or perhaps, risk averse – policies differentiated among more coverage areas, each with their own sublimits. For example, POL-30 distinguished among the following groups as shown in Table 1.
First party coverage sublimits

Coverage area | Description
---|---
Data Compromise Response | “Provides coverage for specified expenses arising from a personal data compromise involving personally identifying information of affected individuals. Affected individuals may be customers, clients, members, directors or employees of the insured entity.”
Identity Recovery | “Provides coverage for Identity Recovery caused by an identity theft of an identity recovery insured first discovered during the policy period.”
Computer Attack | “Provides coverage for specified expenses arising from a computer attack on the computer system.”
Cyber Extortion | “Provides coverage for the cost of an investigator retained in connection with the extortion threat and coverage for any amount paid by the insured in response to the threat.”
As mentioned, third party liability covers the cost of defending against public or private litigation, settlements, judgments, or other rulings, as well as fines, fees, and settlements stemming from these lawsuits. For example, POL-35’s network security liability coverage covers costs due to, “a civil action, an alternate dispute, a resolution proceeding or a written demand for money” as a result of “a [t]he breach of third party business information, [t]he unintended propagation or forwarding of malware, [t]he unintended abetting of a denial of service attack”. 20
Similarly with first party losses, coverage is available, and limits are distributed, across multiple kinds of claims. For example POL-30 distinguished between liability (brought by either a private or public action) due to a data compromise, network security incident, and electronic media as shown in Table 2.
Third party liability sublimits
Figure 2 shows the top 10 most common covered losses.
Most common covered losses
Beyond the generalities defined above, below we describe a number of notable categories from the analysis.
This includes legal claims expenses related to penalties, defense and settlement costs. For example, POL-20 expressed how expenses would be paid for violation of timely disclosure of breach notice laws, regulatory and defense penalties, payment card (PCI) fines, claims against the reputation of anyone or any organization, the invasion of privacy, or any claims against website content, including copyright and plagiarism.
Coverage for public relations (PR) costs appeared in the vast majority of policies, though sometimes came with restrictions. 21 For example, some policies only covered costs associated with advertising or special promotions, or in situations when a data privacy wrongful act had occurred, while other policies limited the total dollar amount of coverage, or excluded any costs directed to employees, or when affected individuals had already been notified.
Some policies are specific in terms of the kinds of services that can be provided to affected individuals – supplying a list of programs from which the policyholder must choose. For example, POL-22 requires that credit monitoring, identity monitoring, and fraud resolution services coverage only apply if Experian is used (specifically, Experian’s ProtectMyID Alert, Family Secure, and DataPatrol).
Expenses for computer forensic services (i.e. examining computer systems for indicators of malware or malicious activity) sometimes included the costs of computer expert services, and POL-22 noted that these expenses are specifically to be used in the case of disclosure of personally identifiable information (PII). For example, POL-22 states that, “If the incident involves an electronic security breach requiring computer expert forensic and investigation services … we will pay the costs of a computer security expert selected by you in consultation with our Breach Response Services Group from the program’s list of approved security experts”.
While about two-thirds of the policies covered expenses for data restoration, data re-creation, and system restoration, others explicitly excluded costs incurred to examine or correct a deficiency. For example, “cost[s] to research or correct any deficiency” (POL-49), or costs associated with the inspection, upgrading, maintenance, repair, or remediation of a computer system (POL-8; POL-19). Other expenses covered by many of the policies examined included business income loss, data extortion expenses, and forensic (computer) investigation.
Figure 3 shows the 10 most common exclusions among the policies examined.
Most common exclusions
The exclusions most commonly observed were those not necessarily directly related to the cyber realm, but instead criminal, fraudulent, or dishonest acts, errors or omissions, intentional violation of a law, any ongoing criminal investigation or proceedings, and payment of fines, penalties, or fees. Several policies provide additional exclusions for infringement of patents, disclosures of trade secrets or confidential information, or violations of securities laws. We also found exceptions to the exclusions given certain circumstances (which themselves might have exclusions too). For example, in POL-22, any claims or losses arising from any deceptive or unfair trade practices are not covered – unless the claim results from the theft, loss, or unauthorized disclosure of PII, but only if no one involved in the deceptive or unfair trade practices participated or colluded in the theft, loss, or unauthorized disclosure. 22
Other exclusions related to matters of physical harm (e.g. bodily injury, electric or mechanical failure, fire, smoke, wind or Act of God, release of pollutants), aspects of liability suits (e.g. nonmonetary relief, and expenses resulting from the propagation or forwarding of malware on hardware or software created, produced, or modified by the policy holder for sale, damages related to employment discrimination, contractual liability, theft of intellectual property), and losses to systems out of the policyholder’s control (e.g. loss to the Internet, ISP, computer, or system not owned or operated by the policyholder). As mentioned previously, expenses for extortion or from an act of terrorism, war, or a military action were covered in rare cases, but mostly noted as exclusions. 23
Other rare but notable exclusions included collateral damage (i.e. malware, denial of service attack, or intrusion not directly aimed at the policyholder), failure to disclose a loss of PII if an executive of the firm was aware of such a loss, and salaries, benefits, and expenses of employees. 24
While we found no substantial differences in coverage between state policies and those of large carriers, there were some differences in exclusions, as shown in Table 3.
Exclusions found more commonly/rarely in large carriers vs. state policies
Analysis of the covered and excluded losses highlights a number of important insights. First, as with all lines of insurance, there is a clear distinction between first and third party losses (i.e. costs borne by the firm directly, versus those incurred through litigation), which becomes relevant for establishing dollar values on limits and sublimits. Further, as seen from the most common covered losses in Figure 2, the top four relate to what are essentially cleanup costs. That is, indirect costs borne by the firm in order to comply with laws, manage the firm’s reputation, and reduce further expenses following a breach. The other costs (e.g. business income, data restoration, forensic investigation, etc.), by contrast, are those directly associated with the cyber incident. One may speculate that this is because cleanup costs are more expensive (and/or more quantifiable) relative to direct costs, and therefore exist because of increased demand by applicants. However, limited survey evidence suggests that direct and indirect costs are relatively equal. 25
As consumers and firms adopt more technology and connected devices, there will likely be revisions to losses explicitly covered or excluded by cyber insurance policies. For example, one policy (POL-24) noted that expenses due to defects or deficiencies of the insured product were not covered. However, with the increase in Internet of Things (IoT) devices, distributed denial of service (DDoS) attacks leveraging IoT devices, code reuse among products, and nonstandardized software security practices of developers, such exclusions may well become more frequent. And while policies discussed traditional computers, networks, and systems, there was no explicit mention of emerging risks from mobile devices, drones, IoT devices, and the growing interdependencies of critical infrastructure.
Perhaps carriers recognize the increased likelihood of being a victim of collateral damage, and have therefore decided to exclude coverage for claims resulting from it (over half of the policies we examined excluded any claims related to war, military action, or terrorist action; and almost half of the policies excluded claims related to extortion or ransom [although approximately a third did include coverage for extortion or ransom]). We might expect that more policies in the future will include similar exclusions, as the likelihood increases (along with the cost to recover). Indeed, the matter of how malicious cyber incidents may or may not trigger these “act of war” exclusions is currently a hotly debated issue. 26
The next component of cyber insurance policies to be examined is the security questionnaires. These questionnaires are provided by the carriers, and are ostensibly designed to solicit a comprehensive understanding of (or at least reasonable approximation to) the overall security posture of the applicant. Moreover, the questions should help to “differentiate” risks across a portfolio of applicants.
Of the 235 insurance dockets we downloaded and analyzed, 31 had questionnaires. 27 In eight cases, multiple questionnaires were included in a policy and in cases where the questionnaires were distinct (because they were written for different types of applicants, 28 or used different questionnaires for application and renewal), they were coded separately, generating a total of 45 questionnaires. We then found 11 cases of duplicate questionnaires, which we omitted from the analysis. This resulted in 34 unique, coded questionnaires.
Each questionnaire was analyzed in depth, and compared against existing questions and categories in the codebook. While most questions were straightforward to code (e.g. “does the applicant adhere to a particular technical standard?”), some required additional scrutiny in order to differentiate between related questions. Therefore, as is standard practice, coding was done using an iterative process involving adding new questions, or merging/splitting existing questions based on the growing understanding of distinct topics and categories (e.g. capturing new subcategories, such as Management policies, Privacy policies, and Technology policies). For validity, the investigator revisited the codebook to compare and adjust the coding, where necessary. A sample of 10 policies (22%) was then checked for accuracy, with 5 discrepancies found. 29
In total, we identified 118 different topics, some of which were very detailed (e.g. “does the applicant deploy intrusion detection systems (IDS) or intrusion prevention systems (IPS)?”) while others were quite broad (e.g. asking about general “business information”). However, many questions expressed similar themes, such as those pertaining to business information, data type, and questions regarding compliance with PCI/DSS standards or the deployment of antivirus systems. Therefore, the 118 unique topics were organized into 14 subcategories, from which 4 main themes were created: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Figure 4 illustrates the number of questions for each subcategory. For example, the Data Collection and Handling subcategory contained 11 unique questions, while the IT Security Budget/Spending subcategory had only 2. Overall, the Organizational category had 35 questions, the Technical category had 21, and the Policies and Procedures and Legal and Compliance categories had 51 and 11 questions, respectively.
Number of unique questions per subcategory
As shown in the left panel of Figure 5, after reviewing just 3 questionnaires, 78% of all 118 questions had been coded, and by the 23rd questionnaire, we achieved 100% saturation. In regard to the “total” number of questions per document, there was considerable variation as shown in the right panel of Figure 5. In some cases, the questionnaires were quite long, with almost 70 questions, whereas others only included a few (the median number of questions was 26).
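The saturation measure behind Figure 5 (cumulative share of all coded topics seen after each questionnaire, plus the per-document question counts) can be computed as follows. This is an added illustration, not the authors' analysis code; the six questionnaires and their topic labels below are constructed sample data, not the paper's coded questionnaires.

```python
"""Coding-saturation curve for a sequence of questionnaires (added example)."""
from statistics import median
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed sample: each questionnaire is the set of topic codes it contains.
# Topic names are illustrative and are not the paper's codebook.
SAMPLE_QUESTIONNAIRES: List[Set[str]] = [
    {"business_info", "revenue", "data_types", "pci_dss", "antivirus",
     "firewall", "incident_history"},
    {"business_info", "data_types", "ids_ips", "encryption_at_rest",
     "encryption_in_transit", "outsourcing", "incident_history", "bcp"},
    {"business_info", "revenue", "pci_dss", "irp"},
    {"data_types", "antivirus", "firewall"},
    {"business_info", "pen_test", "incident_history"},
    {"revenue", "pci_dss"},
]


def saturation_curve(questionnaires: Sequence[Set[str]]) -> List[Tuple[int, float]]:
    """Return (documents coded so far, fraction of all topics seen) after each document.

    The denominator is the union of every topic in the corpus, which is what the
    final codebook contains once coding is complete.
    """
    all_topics: Set[str] = set().union(*questionnaires) if questionnaires else set()
    total = len(all_topics)
    seen: Set[str] = set()
    curve: List[Tuple[int, float]] = []
    for n, topics in enumerate(questionnaires, start=1):
        seen |= topics
        curve.append((n, len(seen) / total if total else 0.0))
    return curve


def first_full_saturation(curve: Sequence[Tuple[int, float]]) -> Optional[int]:
    """Index of the first questionnaire at which 100% of topics have been coded."""
    for n, fraction in curve:
        if fraction >= 1.0:
            return n
    return None


def question_count_summary(questionnaires: Sequence[Set[str]]) -> Dict[str, float]:
    """Min, median and max number of topics per document (right panel of Figure 5)."""
    counts = [len(q) for q in questionnaires]
    if not counts:
        return {"min": 0, "median": 0.0, "max": 0}
    return {"min": min(counts), "median": float(median(counts)), "max": max(counts)}


if __name__ == "__main__":
    curve = saturation_curve(SAMPLE_QUESTIONNAIRES)
    for n, fraction in curve:
        print(f"after {n} questionnaire(s): {fraction:.1%} of topics coded")
    print("full saturation reached at questionnaire", first_full_saturation(curve))
    print("question counts:", question_count_summary(SAMPLE_QUESTIONNAIRES))
```

On the constructed sample the curve rises from 50% after the first document to 100% at the fifth, mirroring the shape the paper reports (a large share of topics captured by the first few documents, with the remainder trickling in), and the median document carries 3.5 topics.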
The applications typically begin by collecting basic information about the company, such as the type of business and the industry sector in which the company operates, as well as financial information about revenues and assets. In a few cases, the questionnaires asked the company to submit an audited annual statement. For example, POL-7 asked for a “copy of most recent financial statements (10-K, annual report, etc.)”.
To assess the operation of a business, POL-9 and POL-5 gathered information about the applicants’ clients, including questions about the largest and most significant clients, the size of their contracts, and the duration of the project and relationship with the clients. POL-5 asks the applicant to provide “details on the Applicant’s top three (3) revenue-producing clients or projects during the last fiscal year”, and POL-9 asks to “list the Applicant’s five largest clients”, including value and length of contract.
Information is also collected about the company’s past and current insurance coverage, including selected deductibles, and exclusions, if applicable.
There was a concerted effort to understand the kinds of sensitive or confidential information that the applicant collects, stores, processes, or for which it is otherwise responsible. Of particular interest is PII, confidential client information, or corporate intellectual property, such as SSN, credit/debit card numbers, driver license, email addresses, IP addresses, financial and banking information, medical records, protected health information (PHI) as well as intellectual property, and trade secrets. For example, POL-18 asked, “what Third Party electronic information the Applicant collects or stores: ‘Medical/Health Information’, ‘Credit Card Information’, and ‘Personally Identifiable Customer Information, other than Credit Card or Medical/Health Information’”.
In comparison with the “technology and infrastructure” category, these questions focus on the kind of data an applicant is managing. This suggests that carriers focus on data and the potential loss at risk. This possibly explains why relatively little information is collected about the technology and infrastructure landscape, or at least suggests that this category is less relevant when assessing an applicant’s risk of filing a claim.
Questionnaires also addressed how the applicant manages its relationships with outsourcing providers and the services the applicant relies on to conduct business. Given that it is common to outsource services and use third party service providers, these questions were relatively common. Questionnaires asked the insured to list the outsourced services and provide the names of providers, and some even provided a comprehensive list for the applicant to select from. For example, POL-22 asks whether, “the Applicant outsource[s] any part of the Applicant’s network, computer system or information security functions”.
Questionnaires further assessed whether a security, privacy, and/or risk assessment was performed on the third party provider. The history of the third party providers is assessed, with regard to whether they were subject to privacy or security breaches in the past. Further, contracts between the insured and the third party were examined, such as whether they were structured in a way to hold third parties liable for losses resulting from data and security breaches, or whether they included an indemnity clause to transfer risk to a third party. For instance, POL-18 asks “Does the Applicant’s contract with the service provider(s) state that the provider: (a) Has primary responsibility for the security of the Applicant’s information?; (b) Has a contractual responsibility for any losses or expenses associated with any failure to safeguard the Applicant’s data?” In some instances, the questionnaire asked whether the insured requires the outsourcing provider to have sufficient cyber insurance to minimize any liability a customer can claim that results from an incident at the outsourcing provider (e.g. data or security breaches at the site of the outsourcing provider).
In almost all questionnaires, the insurer collected information about the applicant’s experience with regard to past security incidents. While the formulation and framing of the questions varied across the questionnaires, in essence, the following issues were addressed: (i) past data and security breaches and their impact; (ii) privacy breaches and loss of confidential information that triggered the notification of customers and/or employees; (iii) circumstances that could lead to an insurance claim; (iv) lawsuits and claims that are the result of an IP infringement; (v) cyber extortion, and investigations by a regulatory or administrative agency. While other insurance companies often included multiple lengthy questions with regard to the security incident and loss history, POL-26 only asked, “Has the Applicant had any computer or network security incidents during the past two (2) years?” 30
IT security budget and spending provides insights into how much an insured invests in its information and IT security. However, IT security budgeting and spending was addressed in only one questionnaire. POL-18 asked “What is the Applicant’s aggregated budget for system security” and “How is the system security budget allocated among: (a) prevention of security incidents; (b) detection of security incidents; (c) response in security incidents, all in percentage”.
Understanding the technology and infrastructure landscape of an insured would seem to be a relevant factor to consider in the risk assessment. Yet, only a few insurers cover this aspect in their questionnaire. When they did, only a few questions were posed, such as the number of computing devices, the number of IP addresses, or websites. For instance, POL-26 asked, “What is the Applicant’s total number of IP addresses?” while POL-18 asks “List all website URL’s and static IP addresses utilized by the applicant and its subsidiaries”. In a few cases, policies asked whether the business’ critical software was developed in-house. In another case, POL-52 inquired whether the insured segregated its IT systems that store and process PII from other parts of the network: “Are systems, applications and supporting infrastructure that collect, process, or store personal information segregated from the rest of the network?”
Information about the technology and infrastructure landscape would clearly help a carrier understand, if only at a basic level, the overall attack surface of a potential insured and, with more information, help assess their overall information security risk posture. However, it seems that only very rudimentary information is collected.
Questions regarding technical measures to protect against data theft and intrusions were found in most questionnaires. These included questions concerning the kinds of tools used to secure the applicant’s networks and computers, including antivirus software to perform scans on email, downloads, and devices to detect malicious files or processes; IDS/IPS to detect possible intrusions and abnormalities in networks; and firewalls. POL-7 for instance, asks “Do you utilize firewall and intrusion prevention measures for your network and computer systems?” Encryption for data at rest and in motion was a technical measure that was often mentioned in the questionnaires. In its questionnaire, POL-7 asks, “Do you use commercial grade technology to encrypt all sensitive business and consumer information transmitted within your organization or to other public networks?” and “Do you use commercial grade technology to encrypt all sensitive business and consumer information at rest within your systems?” Some questions also focused on mobile devices, while VPN and two-factor authentication were less frequently listed as technical measures.
From our analysis, questions regarding such technical measures were present in almost all applications. However, there was considerable variation in the types of questions that addressed technical measures.
Access control addresses the means and policies to secure user access, including the assignment of designated rights for users to resources. It attempts to restrict access to sensitive data on a need-to-know basis. POL-54 asks, for instance, “Does the Applicant physically protect access to dedicated computer rooms and/or servers?” Beyond matters of access and user rights/privileges, questionnaires addressed whether processes were in place to revoke user rights and privileges once users were terminated or left the organization. Furthermore, this includes the monitoring of unauthorized access to, or large downloads of, sensitive data, as well as remote shutdown and data wipe capabilities for computers. Again, POL-54 asks “Does the Applicant utilize remote shutdown of employee laptops?”
This category includes questions with regard to the applicant’s data management practices – the number of records held, whether the applicant sells or shares sensitive information (i.e. PII) with third parties, and whether it processes information for third parties, including the processing or storing of credit or debit card transactions. For example, one insurer in questionnaire POL-22 asks whether, “the Applicant process or store personally identifiable information or other confidential information (including but not limited to payment information) for third parties”.
The most common question in this category was whether a data retention and destruction policy existed. For example, POL-54 asks “Does the Applicant maintain procedures regarding the destruction of data residing on systems or devices prior to their disposal, recycling, resale or refurbishing?” Interestingly, the questions do not exclusively address digital data, but rather, data management is conceived more broadly to also include written records that warrant protection (e.g. handling of sensitive information such as client or human resource information, etc.).
The need for a corporate policy for record and information management and a classification system that determines what data must be protected was only expressed in a few questionnaires. In only one instance did an application inquire whether the responsibility for records and information management was assigned to a senior executive.
Questions concerning an applicant’s privacy policy, and information and network security policy were common but varied in detail. In some instances, the questionnaires assessed details of how a policy was implemented and tested, and whether a policy was reviewed by the legal counsel and approved by the board of directors. POL-9, for example, asks “Does the Applicant have Security and Privacy Policies that are updated continually and implemented and, are there policies and procedures in place to ensure the Applicant is in compliant with requirements that govern the Applicant’s industry?” If the applicant answers yes, the questionnaire continues to ask “If ‘Yes’ have the policies been reviewed by a qualified attorney?”
While privacy, and information and network security policies were the most common policies mentioned in the surveyed questionnaires, usage policies for the internet, social networking, and/or email were also mentioned. Less common were policies for software development (i.e. the use of secure coding standards) and password policies (e.g. the use of strong encryption).
However, aside from these, the questions did not cover the substance of a particular policy (i.e. what should be in those policies, and how should they regulate particular issues) but rather only tested their existence. In numerous cases, the questionnaires asked whether the responsibility for privacy and for information and network security, and their respective policies, is assigned or “owned” by a Chief Privacy Officer (CPO) role and a Chief Information Security Officer (CISO) role, respectively. In most questionnaires, the CPO and/or CISO roles were explicitly stated; in only a few cases was the responsibility described as assigned to an individual. For instance, POL-9 asks “Does the Applicant have a designated person that is responsible for the management, implementation and compliance of the Applicant’s security and privacy policies and procedures”.
In addition to technical measures that are implemented to protect the information system in daily business operation, organizational measures and procedures describe a set of measures to maintain and strengthen information security. Questions in this category related to penetration testing, vulnerability scanning, assessment, and management. Further, questions related to security and privacy assessments conducted by internal first parties or external third parties were asked, as were measures with regard to physical security (e.g. physical access control to computing facilities). For instance, POL-18 asks “Does the Applicant run vulnerability scans or penetration tests against all parts of the Applicant’s network? If ‘yes’ how often are the tests run?” The applicant can then indicate the frequency by checking the box for “Daily, Weekly, Monthly, or Greater than Monthly”. Several questionnaires assessed whether a business continuity plan (BCP), disaster recovery plan, as well as an incident response plan (IRP) were in place. Extended questions were concerned with the assignment of, and approval by, senior executives for the BCP and IRP. Further questions addressed data backup procedures as well as training with regard to information security procedures.
Over the years, a variety of laws and regulations on the federal and state level, as well as industry standards, have emerged that aim to protect consumers from the consequences of cyber incidents and data breaches. These laws, regulations, and standards are widely acknowledged in the questionnaires. Almost every questionnaire includes language about HIPAA, PCI/DSS, and GLBA, but also other US federal and state laws. In some but not all cases, the questionnaires ask applicants to provide metrics about how well the respective standards are implemented and adhered to. PCI/DSS as an industry standard for payment processing was prominent in many questionnaires. Further, questions concerning PCI/DSS commonly exhibit a significant amount of detail. For example, one insurer asks: “How many credit or debit card transactions does the Applicant process annually?” and then continues to collect information about whether the applicant: “(a) Mask[s] all but the last four digits of a card number when displaying or printing cardholder data; (b) Ensure[s] that card-validation codes are not stored in any of the Applicant’s databases, log files or anywhere else within the Applicant’s network; (c) Encrypt[s] all account information on the Applicant’s databases; (d) Encrypt[s] or use tokenization for all account information at the point of sale; or (e) Employ[s] point-to-point encryption, starting with card swipe hardware.” 31
So far, this analysis begins to provide transparency into the information that carriers are concerned about when assessing cyber risk. For example, we observe an emphasis on the amount of data (i.e. number of records) and the type of data (i.e. sensitive and confidential data) managed by the firm. The focus on sensitive data, particularly that related to debit and credit card transactions, and the detailed questions concerning PCI/DSS standard compliance are not surprising given that in the past decade data protection industry standards and data breach laws have developed and have been widely institutionalized in the USA.
On the other hand, there is little attention given to the technical and business infrastructure, and their interdependencies with the environment in which the applicant is operating. These rather technical areas could provide further insights into the risk situation and security posture of an applicant. With regard to organizational processes and practices, it was surprising that risk management and IT security management as corporate functions and processes did not receive more attention.
It is noteworthy, however, that standards and frameworks for information technology management, such as the ITIL and COBIT are not mentioned, and in only one instance was an ISO standard mentioned. Also, the recently developed NIST Cybersecurity framework 32 is not mentioned, though from conversations with carriers, they are beginning to integrate it into these questionnaires.
Only in one instance did a questionnaire ask about the size of the IT/information security budget and how it is spent with regard to prevention, detection, and response to security incidents. This finding was surprising given that the amount of money spent on IT and information security could serve as a useful indicator of security maturity.
In addition to the analysis described above, we did not observe any substantial changes in policy length, style, or composition over time. Conceivably, carriers may develop institutional knowledge that would lead them to improve and refine the questions over time, or, perhaps, the questions would be found to be too generic, requiring more details to be solicited from applicants.
We mentioned earlier that insurance is regulated at the state level, and state laws require that insurance rates are not “excessive, inadequate, or unfairly discriminatory”. 33 “Excessive” implies that the premiums are not priced unreasonably high, “adequacy” implies that the premiums are high enough in order to support the business for the carrier, and “discriminatory” implies that any price differences appropriately reflect variation in actual risk across firms. 34 But what are firms charging, and how do carriers determine these prices?
In this section, we examine the forms and equations used by insurance carriers to price cyber risks (formally known as “rate schedules”). 35 We first examine justifications that carriers provide to state auditors when determining pricing policies, and then analyze the pricing schemes used to compute premiums. We conclude this section by showing the actual equations used to derive those premiums.
Coding in this section was accomplished in two steps. First, the principal investigator (PI) searched through each policy docket for files containing rate schedules and any written justification of the premium calculation process. Second, for each policy that included justification of the premium calculation process, the text was copied and pasted into the master codebooks (previously described). In addition, a new codebook was generated in which the PI coded the type of policy, and the factors used to price the final premium, such as industry, claims history, etc., and where available, the number of security questions posed. As a validity check, all policies were reviewed a second time to ensure they were coded properly, and to identify any duplicates (of which 3 were found).
We first discuss the rate schedule justification, followed by the premium equations.
Of the 235 dockets examined, 56 included explanations for the state insurance auditor concerning the carrier’s approach for deriving premiums. It is in these documents that we observe the process by which insurance pricing is conducted, and what information carriers may have in order to price cyber risk. From our analysis, we detected five main themes that carriers used for determining prices: (i) relied on external sources, (ii) estimated or guessed, (iii) looked to competitors, (iv) leveraged the experience of their own underwriters, and (v) adapted prices from other insurance lines.
Overall, many carriers began by stating how “cyber” is a relatively new insurance line, and that they have no historic or credible data upon which to make reliable inferences about loss expectations (e.g. “Limitations of available data have constrained the traditional actuarial methods used to support rates”, POL-11).
In a number of cases, though, carriers employed the services of other companies to help develop premiums, or themselves collected industry, academic, or government reports that contained basic loss data. For example, POL-50 stated:
Frequency was derived from data gathered from the 2011 Computer Security Institute Computer Crime and Security Survey and from the HSB/Ponemon survey. Severities were calculated for three of the sub-coverages (data restoration, data re-creation and systems restoration) using data drawn from the HSB/Ponemon survey and from the 2003 Graziado Business Review which were then combined with dollar amounts that represented the costs of repairing various kinds of covered damages. These costs were obtained from a variety of IT repair resources, including surveys and published rates. 36
In other cases, carriers used other public information, which was augmented with additional sources or their own, limited experience. For example one carrier wrote, “We reviewed the rates for a less robust cyber product developed by Hartford Steam Boiler (‘HSB’) for the same types of accounts we are targeting[,] and then at a composite rate of the carriers writing more expansive cyber coverage for larger and more technologically sophisticated accounts. These two rates then became the two outside points of reference for establishing our rates” (POL-61).
Or, in some cases, the carrier would appear to guess [e.g. “The base retentions were set at what we believe to be an appropriate level for the relative size of each insured” (POL-6)], while many carriers employed what (limited) experience they had (e.g. “Rates for this coverage have been developed based upon the experience and judgment of our underwriters, claims personnel, and actuaries” (POL-25)).
Further, on a number of occasions, we observed that carriers based their rates on the pricing of their competitors. For example, POL-36 states “the rates for the above-mentioned coverages have been developed by analyzing the rates of the main competitors as well as by utilizing our own judgment”, and POL-31 states, “the program base rates and rating variables were based on a competitive review of the marketplace and underwriting judgment”. While this may seem like an odd practice, discussions with insurance professionals suggest that this is, indeed, a common and appropriate occurrence.
In only a few cases were carriers confident enough in their own experience to develop pricing models, for example, one carrier wrote, “Underwriters collectively have over 40 years’ experience in e‐commerce, cyber, privacy and network security liability insurance. The collective knowledge of underwriters, including a deep understanding of competitive rates and feedback from the wholesale and retail brokerage industry, was used to establish rates for the program” (POL-2).
In a number of instances, we observed how carriers would turn to other insurance lines to price premiums because of their lack of data. One carrier admitted, “We are not using claim counts as the basis for credibility because we have not experienced any claims over the past three years” (POL-73). And in such cases carriers would base cyber risks on other insurance lines. For example, “Loss trend was determined by examining 10 years of countrywide Fiduciary frequency and severity trends. Because CyberRisk is a developing coverage we chose to use Fiduciary liability data because it has a similar limit profile and expected development pattern” (POL-43). Other carriers also leveraged loss history from other insurance lines, “the Limit of Liability factors are taken from our Miscellaneous Professional Liability product” (POL-25), and “Base rates for each module of this new product were developed based on currently filed Errors and Omissions and Internet Liability rates” (POL-104).
Regardless of the formal (and sometimes very informal) methods used in the underwriting process, it appears that state regulations require carriers to be vigilant about ensuring fair and accurate pricing. This is done, in part, by ensuring that underwriters are empowered to adjust premiums appropriately, when necessary [e.g. “The rating modifiers … allow the underwriter to debit or credit the policy premium based on the unique attributes of an insured. These modifiers reflect objective criteria associated with the cyber risks and controls of an insured” (POL-6)]. It is reinforced, further, by concrete directives from insurance regulators’ auditors. One auditor wrote, “Please be advised that the company is required to maintain statistical data, including incurred losses and loss adjustment expenses, on reported and unreported and outstanding and paid categories, on this program separate and apart from its other coverages. In addition, the experience should be reviewed annually, and appropriate rate revisions filed” (POL-49), to which a number of carriers replied, “[w]e will monitor our book’s performance as we develop our own experience to ensure that our product remains competitive and profitable” (POL-63).
Next we examine the actual rate schedules and analyze the methods used to price cyber insurance premiums.
Of the 235 total policies examined, 72 contained a rate schedule, 3 of which were duplicates. 37 The 69 remaining forms were then segmented into 4 categories according to how they priced the premium. First, we distinguished between “flat rate pricing” and “base rate pricing”. The flat rate pricing approach, as the name suggests, charges a single rate to every insured, regardless of its size or of any specific security controls it has in place, while the base rate pricing approach uses a series of lookup tables and modifiers to compute the premium, such as modifiers relating to the applicant’s standard insurance criteria (e.g. limits, retention, claims history, etc.) and to the applicant’s industry. In addition, within each of the flat rate and base rate pricing structures, we also identified policies that incorporated either a basic hazard metric (coded as “flat rate with hazard groups”) or information about the firm’s security technologies, practices, and procedures (coded as “base rate with security questions”).
The relative distribution of categories from our dataset is shown in Figure 6. Overall, there were 15 flat rate policies with 4 more that also used hazard groups (for a total of 19 flat rate policies). Of the base rate policies, there were 11 standard base rate policies, and an additional 39 that incorporated questions related to the firm’s security posture (for a total of 50 base rate policies). 38
Rate schedule categories (n = 69)
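To make the four rate-schedule categories concrete, the following Python is an added illustration written for this page; it is not code, rate data, or a formula taken from the paper or from any filed policy. Every figure in it (the flat rate, the revenue bands, the limit, retention, claims and hazard-group factors, the security questions and their credits and debits, and the bounds on the underwriter’s judgment modifier) is a hypothetical assumption chosen only to show how a flat rate ignores the applicant while a base rate multiplies a table lookup by a chain of modifiers, and how an underwriter debit or credit of the kind described in POL-6 is applied on top.

```python
"""Hypothetical premium computation for the rate-schedule categories discussed
above: flat rate (one price for every insured), flat rate with hazard groups,
base rate (lookup tables and standard insurance modifiers), and base rate with
security questions (credits/debits from the applicant's security posture).

ASSUMPTION: all rates, factors, industry groups and questions are constructed
for this example and are not drawn from any filed policy.
"""
from dataclasses import dataclass, field

FLAT_RATE = 2_500.0  # hypothetical flat annual premium, USD

# Hypothetical hazard groups (1 = low, 3 = high) keyed by industry.
HAZARD_GROUP = {"manufacturing": 1, "professional_services": 2,
                "healthcare": 3, "retail": 3}
HAZARD_FACTOR = {1: 0.85, 2: 1.00, 3: 1.30}

# Hypothetical base-rate lookup tables. Revenue, limits and retentions in USD.
BASE_RATE_BY_REVENUE = [(1_000_000, 1_200.0), (10_000_000, 3_000.0),
                        (100_000_000, 9_000.0), (float("inf"), 25_000.0)]
LIMIT_FACTOR = {1_000_000: 1.00, 2_000_000: 1.60, 5_000_000: 2.80}
RETENTION_FACTOR = {10_000: 1.00, 25_000: 0.90, 100_000: 0.75}
CLAIMS_FACTOR = {0: 1.00, 1: 1.25, 2: 1.60}  # prior claims, capped at 2

# Hypothetical security questions: a negative value is a credit, positive a debit.
SECURITY_MODIFIERS = {
    "encrypts_data_at_rest": -0.05,
    "mfa_for_remote_access": -0.05,
    "tested_incident_response_plan": -0.05,
    "no_patch_management": 0.15,
    "no_tested_backups": 0.10,
}
# Bounded range within which an underwriter may debit or credit the premium.
UNDERWRITER_RANGE = (-0.25, 0.25)


@dataclass
class Applicant:
    revenue: float
    industry: str
    limit: int
    retention: int
    prior_claims: int
    security: dict = field(default_factory=dict)  # question -> True/False


def flat_rate_premium(applicant: Applicant, hazard_groups: bool = False) -> float:
    """Flat rate: every insured pays the same, optionally scaled by hazard group."""
    premium = FLAT_RATE
    if hazard_groups:
        premium *= HAZARD_FACTOR[HAZARD_GROUP[applicant.industry]]
    return round(premium, 2)


def base_rate_premium(applicant: Applicant, security_questions: bool = False,
                      underwriter_modifier: float = 0.0) -> float:
    """Base rate: revenue-band lookup times limit, retention, claims and
    industry factors; optionally adjusted by security-question credits/debits
    and by a bounded underwriter judgment modifier."""
    lo, hi = UNDERWRITER_RANGE
    if not lo <= underwriter_modifier <= hi:
        raise ValueError(f"underwriter modifier {underwriter_modifier} outside {UNDERWRITER_RANGE}")
    base = next(rate for cap, rate in BASE_RATE_BY_REVENUE if applicant.revenue <= cap)
    premium = (base
               * LIMIT_FACTOR[applicant.limit]
               * RETENTION_FACTOR[applicant.retention]
               * CLAIMS_FACTOR[min(applicant.prior_claims, 2)]
               * HAZARD_FACTOR[HAZARD_GROUP[applicant.industry]])
    if security_questions:
        # Sum the credits/debits for every question the applicant answered "yes".
        adjustment = sum(mod for q, mod in SECURITY_MODIFIERS.items()
                         if applicant.security.get(q, False))
        premium *= 1 + adjustment
    premium *= 1 + underwriter_modifier
    return round(premium, 2)


def price_under_each_category(applicant: Applicant) -> dict:
    """Return the premium the same applicant would be quoted under each of the
    four rate-schedule categories, for side-by-side comparison."""
    return {
        "flat_rate": flat_rate_premium(applicant),
        "flat_rate_with_hazard_groups": flat_rate_premium(applicant, hazard_groups=True),
        "base_rate": base_rate_premium(applicant),
        "base_rate_with_security_questions": base_rate_premium(applicant, security_questions=True),
    }


if __name__ == "__main__":
    # Constructed sample applicant: a mid-sized healthcare firm with MFA and
    # encryption in place but no patch management.
    clinic = Applicant(revenue=5_000_000, industry="healthcare", limit=2_000_000,
                       retention=25_000, prior_claims=0,
                       security={"encrypts_data_at_rest": True,
                                 "mfa_for_remote_access": True,
                                 "no_patch_management": True})
    for category, premium in price_under_each_category(clinic).items():
        print(f"{category:36s} {premium:10.2f}")
```

The point of the comparison function is the spread it exposes: under a flat rate the clinic’s controls and industry are invisible, under hazard groups only its industry matters, and only under a base rate with security questions does a missing patch-management program cost it money while MFA and encryption earn credits. The bounds check on the underwriter modifier is the kind of guard rail a regulator’s auditor would expect a filed schedule to state explicitly.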