Insurers told a congressional hearing Thursday that they need the flexibility to determine what they will and won’t cover under cyber policies, saying they are still trying to understand the risks associated with cyberattacks.
The House Committee on Homeland Security’s subcommittee on cybersecurity and infrastructure protection held the hearing to explore how cyber insurance is being used by critical-infrastructure operators, amid warnings of hacking efforts from China and Russia.
Insurers have tightened underwriting standards and raised premiums for cyber policies in recent years, spooked by an increase in losses starting in 2019 as cyberattacks spiked during the coronavirus pandemic. Many now require a raft of cybersecurity controls for organizations to qualify for coverage, such as multifactor authentication and network monitoring, and carriers have restricted what they will cover.
This means many insurers have become more selective in the clients that they take on, said Kimberly Denbow, vice president for security and operations at the American Gas Association, which represents natural gas companies.
“In the gas utility sector’s experience, the number of insurance providers willing to write cyber insurance policies has been limited,” Denbow said at the hearing. Terms can differ so wildly between insurers that it is often hard for operators to understand what a policy actually covers, she said.
Companies with an insurance policy sometimes misunderstand their obligations, which leads to disagreements about coverage after a hack, said Brian Boetig, senior managing director at FTI Consulting, in an interview.
“It really aggravates the cyber crisis twice as much. You go into it thinking, OK, we’re covered, we’ve got help, and then you’re spending time trying to deal with the incident while you’re simultaneously trying to fight the insurance company to get the coverage,” he said.
Jack Kudale, chief executive of Pleasanton, Calif.-based insurer Cowbell Cyber, said during the hearing that cyber is still an emerging risk, and as such, requires a degree of flexibility in underwriting to properly serve the needs of policyholders.
“Over the last 10 years, the terminology in coverage has been evolving, and we’re still not there. Putting limitations and standardization might hurt how nimble we are,” he said. The evolution of cyber threats also means that insurers must have the flexibility to customize their policies accordingly, he added.
Matthew McCabe, managing director of the cyber center of excellence at Marsh McLennan’s reinsurance unit Guy Carpenter, said that although language between contracts might differ, a significant amount of overlap exists in terms of what they cover and exclude. Allowing flexibility in contractual terms lets insurers better manage risks that might not be fully understood, he said.
“[Insurers are] thinking through what their aggregation risks are, and sometimes that’s going to be reflected in how they write the policy, and you would hate to see some kind of regulatory effort to stymie that,” he said.
The government is involving itself in the cyber insurance industry through efforts to create a federal backstop, which would make the taxpayer a reinsurer of last resort in the event a cyberattack proves too catastrophic for insurers to cover. However, lawmakers expressed skepticism about regulating elements of cyber policies such as contract language, citing state governments’ traditional oversight of insurance companies.
“I’m a huge proponent of states doing insurance. I do not want the federal government taking over,” said Rep. Andrew Garbarino (R., N.Y.), the subcommittee’s chair.