Friday, November 21, 2014

The National Association of Insurance Commissioners (NAIC) on November 19 announced the formation of a task force to gather information on how cyber-related risks are currently insured.  he task force will also coordinate NAIC initiatives regarding the protection of public information maintained by the various state departments of insurance and information collected and maintained by insurers. According to the NAIC news release, “[t]he creation of the task force is a reflection of the NAIC's growing commitment to addressing cyber security in the insurance sector.”

Earlier this year, the NAIC hosted a forum on existing and emerging cybersecurity risks, federal initiatives related to managing cyber-related risks, and the challenges facing insurers in quantifying those risks and establishing appropriate premium rates.  The forum highlighted the critical role that insurance plays in managing information technology risks.

According to the NAIC, these risks are not typically insured under broad-form policies, but require the purchase of a special cyber liability or cyber indemnity policy. Even then, the coverage may not meet the unique needs of a particular company because security risks are difficult to assess due to the lack of actuarial data, and traditional forms of benchmarking are insufficient. Insuring cybersecurity risks is costly and policies currently offered in the marketplace may contain lower limits of insurance, stringent reporting requirements, and limited coverage for business interruption and restoration costs.

The task force will focus both on how cyber-related risks are currently insured and how businesses are managing their security risks internally. The committee may ultimately make recommendations to federal regulators for the development of industry-wide standards for managing cybersecurity risks, which may then be used by insurers to establish appropriate premium rates.