In March, I started working for RiskGenius. As a company, we store files for different groups within the insurance community and provide layers of analytics on top of that to improve the operations of these groups. The type of analytics we provide range from a red line feature, which allows people to compare language from two policies against each other, to a clause score, which leverages multiple types of machine learning to gain an understanding of how similar one clause is to other clauses within a specific line of business.
Since I started, I’ve spent a considerable amount of time thinking about how to better understand the cyber liability insurance marketplace, with specific attention to how language is used in cyber policies. Along with a team of policy analysts, I have looked at the language of 4600+ cyber liability clauses, from 45+ cyber liability insurance policies, from 25+ carriers, from 5+ countries around the world. We reduced the agreements into forms and clauses, broke the clauses down by type, and quantitatively scored them against one another to see what the market for cyber liability actually looks like. What follows in this blog is an introductory analysis of the language within our cyber liability index.
I. Cyber risk evolves in parallel to the internet
As we enter further into the era of big data, the importance of effectively managing cyber risk continues to grow. Unfortunately, however, the policies that are meant to insure that specific type of risk are quite lacking in terms of their consistency with one another.
This sort of inconsistency is problematic on a number of levels. For consumers, inconsitency is problematic because it is unclear what types of risk are covered under different insurance policies. For the drafters of these policies, inconsistency is problematic because the task is to write coverage for threats that are unknown. To better understand what future threats are, it is helpful to have an understanding of what a cyber liability policy is and how it differs from other types of policies.
In general, cyber coverage is some combination of four components: errors and omissions, media liability, network security and privacy. These four components, however, are different. Each protects a different subset of cyber liability risk, and a strong protection of one subset of risk does not offset a weak protection of another subset of risk. In Zurich v. Sony, for example, a lower court held that Zurich did not have to pay out under the privacy coverage of its’ commercial and general liability policy, after hackers exposed the personal details of 77 million users in a 2011 hack of the Playstation Network.
And while the market for cyber liability products has improved in the past few years, such uncertainty is still going to be expensive and inefficient. Case in point, Equifax’s cyber policy may not fully cover the liabilities created by that breach.
As we go further down the rabbit hole, in order to protect for new types of cyber risk as technology continues to move forward, there needs to be a better way to rapidly digest and understand evolving areas of the cyber liability insurance marketplace because the threats are continuously evolving and our identities are becoming increasingly digital.
II. Using data to understand cyber policy language
Throughout this process of collecting and processing cyber liability policies into data, we have been able to unearth some valuable insights about the composition of the cyberliability marketplace. For instance, the following graph shows the average similarity of each different type of clause from our index of cyber liability data. You are looking at 1100 different types of clauses. The vertical axis indicates the frequency of the different clauses we identified — how often that clause type appears in cyber policies. The horizontal axis indicates what the average similarity of that clause is, with similarities that range from 0–100.
For example, the data point for the definition of "Service Provider" is circled in red. This clause category appears only 9 times in the index with an average similarity score of 82%. This means that although the clause is relatively frequent, the definition has an average level of variance, compared to other clauses in the industry.
We were also able to get an understanding for which of the 27 carriers in our index use the most similar language. The next graph shows the total number of clauses we processed from a carrier in the vertical axis, and the average similarity for that carrier on the horizontal axis.
For example, the carrier Chubb is circled in red. Chubb has 285 clauses from cyber liability insurance polices in our index. And these clauses, in total, received a similarity score of 88%. Out of 27 carriers, it had the 3rd most clauses in our index with a similarity score that was about the same as the rest of the carriers in the industry.
III. Why data matters
Breaking down these clauses into different data points is helpful because it can provide concrete evidence of how different clauses, policies, and carriers match up with one another. This approach can also be used to help map out the specific types of risk within the cyber liability marketplace to specific clauses and carriers.However, this is just the beginning.
In the world that continues to develop around the internet, this sort of tool can be used to help underwriters quickly understand where policy language is divergent from industry norms and adopt to emerging threats, it can be used to improve the matching between carriers and individuals, and it can help ensure a greater degree of version control within the offices of state insurance commissioners.
This type of insurance data can even be leveraged on a more broad level, to improve delivery of insurance services and improve outcomes in other data-centric use cases. For example, Lemonade recently introduced a live insurance policy that continually updates based on a stream of data; Allianz and Flock have partnered together to offer, by the hour drone insurance based on factors like location, weather, and user data; and HealthyHealth is working to improve the accuracy of medical risk profiling by aggregating data about physical activity, diet, and mindfulness.
This type of macro level analysis does have its limitations. Without further context or investigation it can only be so helpful. What follows after this blog will be a more thorough, quantitative analysis of cyber liability policy language.
For now, happy #CyberPolicyWednesday ! If you're interested in seeing how your cyber policies impact the index, please feel free to submit your cyber policies to email@example.com and we'll send you a weekly update that includes the graph of the week and a brief summary of changes to the marketplace of cyber liability policies.