ABSTRACT

Almost every CEO, CRO, or CFO is plagued with frustration that their cyber insurance broker cannot adequately benchmark the amount of cyber insurance limits that they need. Most brokers consider the use of historical purchasing data the only means for determining how much cyber insurance a company needs. Others use comparative metrics that result in a best guess at how much a company needs—the “Fred Rogers Method.” They look for “neighboring” companies, in similar geographies, with a similar number of employees, with similar revenues, and tell them they need the same amount of insurance.

Companies are not buying it—literally and figuratively. The issue with this approach is that it does not align to how a cyber insurance claim will be paid. Cyber is too dynamic and the use of historical data is not an indicator of how much is needed. Nor is simply having a one-size-fits-all methodology. Cyber insurance should be purchased based on how claims are paid.

When most companies start working with a firm, they are told that they need between US$1 and US$10 million of cyber insurance. Firms offer no plausible explanation as to how that amount was derived. Determining vendor insurance requirements is another poorly managed area. Not all vendors are the same. Vendors touch your digital assets, but in different ways. Service vendors are usually inside the firewall and have access to specific digital assets with specific exposures. Cloud service providers are sent sensitive data that they process and store in their cloud infrastructure. Technology and system providers must supply patches to mitigate vulnerabilities.

For concerns related to cloud computing, there is a specific insurance product called contingent business interruption insurance, which provides protection against revenue-related losses by covering lost earnings that result from a third-party supplier or distributor shutdown.

Additionally, the carrier is a limiting factor. Carriers have gotten smarter about the difference between the value of data to the insured and its value to the insured's clients. Carriers are not looking to cover that difference; they consider it a contractual element (limitation of liability).

In this chapter, we will examine how cyber insurance limits and sublimits can be calculated to provide limits adequacy.