Cyber Insurance: What Are You Missing?
It’s been nearly two years since we addressed cyber insurance in the Cyber Tactics column, so I decided to get an update from Bob Parisi, Managing Director at Marsh. Parisi is a pioneer in the industry, having written some of the very first cyber insurance policies in the late 1990s.
Steven Chabinsky: The cyber insurance market seems to be growing by the day. Still, when clients come to you, do you think they have a good sense of all of the coverage options that are available?
Bob Parisi: I would like to think that, as an industry, we’ve made everyone aware of all the coverage options out there. That said, two areas of coverage tend to be lesser known. First, many companies don’t realize that there’s cyber insurance for direct or first party loss. This covers lost revenue due to an interruption of your own computer system, whether because of a data breach or because the underlying technology simply failed to work. Second, there’s coverage for contingent business interruption, known as CBI, and for service interruption. CBI is an interruption that results not because of a failure of your systems, but due to a vendor’s failure. Service interruption, well that’s a bit narrower, it covers failures of a utility or an internet service provider.
Steven Chabinsky: Are there any major privacy or technology risks that still are hard to insure or are outright not insurable?
Bob Parisi: Reputational harm remains very difficult to insure. Since it’s impossible to place a discrete value on reputation, it’s equally hard to calculate the value of a change in reputation. Also, insuring a lost trade secret remains a problem. Trade secrets are not treated the same way as other corporate assets and typically are not assigned a financial value. Added to that, insurance markets feel there’s an implicit moral hazard since insureds could be motivated to artificially inflate the value of their own trade secrets.
Steven Chabinsky: What do brokers do when it comes to helping clients with cyber insurance?
Bob Parisi: Well, in my experience the best brokers aren’t merely helping their clients place insurance, they’re helping their clients better understand their specific risks and their options for handling those risks. Although cyber risk can’t be solved simply by throwing money and technology at the problem, it’s equally true that it can’t be solved simply by transferring risk through insurance. The best brokers actually can help their clients conduct a cyber maturity assessment that relates to the spectrum of threats and the range of harms they face. They provide clients with a process, which empowers the client to make more informed decisions on how to handle that risk, be it through insurance or another approach. Brokers are available to help guide or, at a minimum contribute to, a company’s risk mitigation process.