CYBER CORNER

ONE SMALL STEP, ONE GIANT LEAP: NAIC REPORT REFLECTS VITALITY OF CYBER INSURANCE MARKET

The National Association of Insurance Commissioners (“NAIC”) recently issued its annual report on the state of the cyber insurance market. The report could best be described as, “one small step, one giant leap.”  


The small step is with respect to the slight improvement in the insurance carrier loss ratios from the prior year. Underwriters measure the profitability of their book of business as the ratio of losses they have paid out relative to the premium they have taken in. Because of overhead and other expenses, insurers typically try to keep this ratio below 60%, or at most 65%. In 2021, the loss ratio for the top 20 cyber insurers decreased from 66.9% to 66.4%. While this may not seem like much of a change, some pundits have been sounding the death knell for cyber insurance, so any improvement is welcome. 


Drilling down into the loss ratios of individual carriers is even more revealing. According to the NAIC report, four of the top ten insurers, and ten of the top twenty, were able to keep their loss ratios below that 60% threshold, indicating that they have found a way to continue offering this important product to policyholders, and to do so profitably. Ironically, the two markets with the highest loss ratios both saw their rankings drop year over year, as measured by premium volume. Thus, shrinking their book of business proved unfruitful.


For those markets that have chosen to grow their book rather than pull back, most have been rewarded with healthy loss ratios. This is because the underwriters have become astute in offering this coverage.  And the NAIC report acknowledges this, noting that, “Because of the increasing cybersecurity risks, businesses are facing a more demanding underwriting process. Insurers are more thoroughly examining a company’s security controls, internal processes, and procedures concerning cyber risk. Additionally, underwriters are more cautious in examining an insureds’ risk presented by the third parties working or contracting with the insured.”


The giant leap has been in the growth of premiums. The NAIC report indicates that direct written premiums increased by 75.3% in 2021 from the year prior. Undoubtedly, some of that is attributable to adjustments in pricing. But the number of policies issued also increased by 31.8% year over year. This paints a picture of a vibrant market for coverage that businesses recognize they need, and that insurers have become savvier about underwriting. The market for cyber insurance now stands at $4.8 billion in premium and is not going away anytime soon.

The Takeaway

Alliant has made substantial investments in talent so that we can serve as trusted cyber risk advisors to help our clients position themselves in the most positive light before the underwriters, secure the broadest possible coverage at a fairly priced premium, and zealously advocate on their behalf when a claim arises.

HOLD THE PHONE: CYBER INSURER MUST COVER TELCO’S LOSS FROM DATA BREACH WITHOUT OFFSETTING RECOVERED FUNDS

T-Mobile USA, Inc. v. Steadfast Ins. Co., et al., No. 82704-9-1 (Ct. App. Wash. Nov. 28, 2022)

A three-judge appellate panel in Washington state held that a mobile phone company’s 2015 data breach is covered under its cyber policy without any reduction by the insurer for funds the insured was able to recover from its vendor.


The case stems from a $17.3 million loss the wireless provider sustained following a breach at its vendor, a credit bureau. The wireless provider filed a claim under its cyber policy, which provided $15 million in limits excess of a $10 million retention. Because the wireless provider was able to recover $10.75 million from the credit bureau, the insurer took the position that the remaining loss fell within the retention, arguing that it should be allowed to offset its insured’s recovery from the vendor against the total loss.


The appellate court disagreed, finding nothing in the policy that would absolve the insurer of its obligations to reimburse its insured for the losses. In so holding, the court discredited the insurer’s argument that the policy excluded from its definition of loss “any amount for which the insureds are absolved of payment,” concluding that the wireless provider “remained directly liable for those obligations and paid them in full.”

The Takeaway

As we often say here, words matter. Had the insurer expressly addressed the issue of offsets, then funds recovered by the insured would have reduced the total insurable loss. Here, the court was not persuaded that the policy wording supported the insurer’s position.

SOFTWARE COMPANY GRANTED CYBER COVERAGE FOLLOWING DATA BREACH

Fishbowl Sols. Inc. v. The Hanover Ins. Co., No. 21-792 (D. Minn. Nov. 4, 2022)

A federal court ruled in favor of a software company following a data breach in which a bad actor gained access to its computer system. The underlying facts of the data breach were not at issue; rather, the debate centered on whether there was coverage under the cyber policy’s Cyber Business Interruption and Extra Expense Clause. The clause stated an insured is required to demonstrate: (1) an actual loss of “business income;” (2) which occurred during the “period of restoration;” (3) directly resulting from a “data breach;” (4) that is discovered during the “policy period;” and (5) which resulted in an actual impairment or denial of service of “business operations” during the “policy period.”


The insurer argued there was no loss of “business income” since business operations only referred to income-generating activities, and not invoicing. However, the policy defined “business operations” as “an insured’s ‘usual and regular business activities.’” Despite the broad definition, the court held the phrase was not ambiguous and a reasonable person in the insured’s position would have understood it to mean all business activities performed with frequency. 


The insurer asserted the loss in question did not “directly” result from the conduct of the bad actor, but rather from an intervening agency or determining influence, such as the negligence of the insured’s client. Due to the lack of evidence presented by the insurer, the court held that the insured’s loss would not have occurred without the bad actor accessing the system; thus, the loss directly resulted from the data breach.


When a bad actor gains access to a computer system, it will create rules. The rules imposed in this instance impaired the insured’s email system. The insurer argued there was no impairment or interruption of the insured’s business operations because the insured was able to continue using its system despite the bad actor maintaining access. The court, however, found that the use of the word “impairment” rather than “interruption” in the clause demonstrated that the policy specifically granted coverage when a business suffered something less than a total suspension of operations.

The Takeaway

Courts maintain that policy language must be considered within its context and with common sense. Thus, it is the role of policy drafters to write policies that govern contractual obligations accordingly. As shown here, a simple oversight in using “impairment” rather than “interruption” creates a drastically different threshold for coverage under the policy.