In the brave new world of the age of the internet there is one threat that looms largest to businesses: cyber-attacks.
As of January 2020, virtually all of AIG’s commercial property and casualty insurance policies will begin affirmatively covering or excluding physical and non-physical cyber exposures.
The move seeks to address market concerns that traditional commercial insurance policies across the industry – from property to general liability – are often silent about cyber coverage.
Sebastian Hess, a cyber risk adviser who is part of AIG’s Cyber Risk Consulting team, said the move was important because almost every business, regardless of industry, now faced some level of cyber risk.
“We live in an increasingly connected world: 3.8 billion internet users and 6.4 billion connected devices in 2017 is expected to rise to 6 billion users and 200 billion devices in 2022,” Hess said.
“The Internet of Things – the connection of machines and devices to each other – creates new exposures and uncertainties for business. However, many insurance policies do not explicitly state whether those risks are covered. This can lead to issues and delays in the event of a cyber-related claim. It also prevents an insurer from having a clear understanding of its full exposure to cyber risk.”
Affirmative cyber coverage aimed to clearly identify the cyber-related risk scenarios, Hess said.
Using the example of a potential risk of a fire caused by a cyber-attack on the computers that control a chemical facility, Hess said affirmative cyber coverage would seek to make a clear statement whether such risks are covered by a given policy, or if additional coverage through a different insurance product should be sought.
“This ensures that both the insured and the insurer have the same understanding of exactly which risks are covered or not covered by a given insurance policy,” Hess said. “We believe that this will ultimately lead to a greater customer satisfaction as there will be no surprises or questions over coverage should a cyber-related event occur.”
Affirmative cyber coverage had clear benefits to an insurance company’s clients, Hess said, because it provided the insured with a clear understanding of how their insurance policy would respond to a cyber event.
“This allows them to effectively incorporate insurance into their cyber risk management plan to help protect them against evolving and significant cyber risks,” Hess said.
This was especially valuable for smaller businesses who might not have cyber risk expertise within their organisation, Hess said. “It also allows the insured to make a conscious decision regarding which cyber risks should be shared with an insurer and which will be borne by the business.”
For AIG, the affirmative cyber coverage initiative was significant because it provided a deeper understanding of the underwritten risks across the insured’s portfolio, Hess said. “It also helps ease the stress of a claim on both parties by ensuring that conversations about which situations and scenarios are covered happen ahead of the purchase of the policy, and not when an incident occurs.”
Affirmatively addressing physical and non-physical cyber risks also helped AIG manage the aggregation of cyber risk across the company’s portfolios, Hess said, so the insurer continued to provide sustainable solutions to the marketplace.
Affirmative coverage has in the past been overlooked for silent coverage, but Hess warned that the latter had disadvantages that must be taken into consideration.
“Silent cyber coverage can underestimate the cyber risks included within a given insurance product,” Hess said. “Affirming those risks allows for a proper assessment, providing a clear understanding of the impact, likelihood, and associated threats for cyber risks in general and in particular.”
Affirmative cyber coverage was desirable for businesses of all sizes, industry sectors, and geo-locations, Hess said, because it allowed them to make a clear and intentional decision which cyber risks to accept, which to mitigate, and which to share with/transfer to an insurer. “A silent risk is a risk that is not understood and therefore it bears the potential to be disastrous for the insured,” Hess said.
Affirmative cyber coverage also had clear benefits to the wider economy, said Hess.
“While the individual understanding over all risks associated with the cyber domain is essential for an enterprise, the wider implications are significant as well,” he said. “The affirmative cyber initiative creates transparency toward our society’s dependency on the cyber world, its services and its far reach into our business’ value chains and operating models.
“It drives the effort toward a more resilient cyber economy and society by highlighting and identifying potential high-risk areas and allowing risk mitigation to be undertaken well in advance of an adverse cyber event.”
When it comes to cyber security issues, response time from insurers is critical. So just how will AIG’s move to affirmative coverage address that?
“Uncertainty is one of the enemies of a quick and effective response,” said Bhairav Shah – head of financial lines and casualty, AIG New Zealand.
“Proper planning for both the insured and the insurer includes incident response capabilities,” Shah said.
“In the case of positive (or affirmed) cyber coverage, the insured knows of the additional response capabilities he can rely on from the insurer – such as forensic investigation, legal and PR support. In the case of affirmatively excluded cyber coverage, the insured is aware of the gap that needs to be bridged by his own resources and network. This knowledge allows the business to close the gap well in advance.”
Shah said he expected other insurers to follow AIG’s lead and offer affirmative cyber coverage.
“AIG strives to be the market leader when it comes to offering cyber insurance coverage,” Shah said.
“It is our view that transparency is key to offering effective and efficient insurance products. The affirmative cyber initiative addresses the current lack of transparency when it comes to cyber risk coverage in traditional insurance products. It also enables more precise risk modelling.
“As other insurers face the same challenges regarding ‘silent cyber’, we expect that many will follow our lead at some point.”
