In March, I started working for RiskGenius. As a company, we store files for different groups within the insurance community and provide layers of analytics on top of that to improve the operations of these groups. The type of analytics we provide range from a red line feature, which allows people to compare language from two policies against each other, to a clause score, which leverages multiple types of machine learning to gain an understanding of how similar one clause is to other clauses within a specific line of business.
Since I started, I’ve spent a considerable amount of time thinking about how to better understand the cyber liability insurance marketplace, with specific attention to how language is used in cyber policies. Along with a team of policy analysts, I have looked at the language of 4600+ cyber liability clauses, from 45+ cyber liability insurance policies, from 25+ carriers, from 5+ countries around the world. We reduced the agreements into forms and clauses, broke the clauses down by type, and quantitatively scored them against one another to see what the market for cyber liability actually looks like. What follows in this blog is an introductory analysis of the language within our cyber liability index.
I. Cyber risk evolves in parallel to the internet
As we enter further into the era of big data, the importance of effectively managing cyber risk continues to grow. Unfortunately, however, the policies that are meant to insure that specific type of risk are quite lacking in terms of their consistency with one another.
This sort of inconsistency is problematic on a number of levels. For consumers, inconsitency is problematic because it is unclear what types of risk are covered under different insurance policies. For the drafters of these policies, inconsistency is problematic because the task is to write coverage for threats that are unknown. To better understand what future threats are, it is helpful to have an understanding of what a cyber liability policy is and how it differs from other types of policies.
In general, cyber coverage is some combination of four components: errors and omissions, media liability, network security and privacy. These four components, however, are different. Each protects a different subset of cyber liability risk, and a strong protection of one subset of risk does not offset a weak protection of another subset of risk. In Zurich v. Sony, for example, a lower court held that Zurich did not have to pay out under the privacy coverage of its’ commercial and general liability policy, after hackers exposed the personal details of 77 million users in a 2011 hack of the Playstation Network.
And while the market for cyber liability products has improved in the past few years, such uncertainty is still going to be expensive and inefficient. Case in point, Equifax’s cyber policy may not fully cover the liabilities created by that breach.
As we go further down the rabbit hole, in order to protect for new types of cyber risk as technology continues to move forward, there needs to be a better way to rapidly digest and understand evolving areas of the cyber liability insurance marketplace because the threats are continuously evolving and our identities are becoming increasingly digital.
II. Using data to understand cyber policy language
Throughout this process of collecting and processing cyber liability policies into data, we have been able to unearth some valuable insights about the composition of the cyberliability marketplace. For instance, the following graph shows the average similarity of each different type of clause from our index of cyber liability data. You are looking at 1100 different types of clauses. The vertical axis indicates the frequency of the different clauses we identified — how often that clause type appears in cyber policies. The horizontal axis indicates what the average similarity of that clause is, with similarities that range from 0–100.
For example, the data point for the definition of "Service Provider" is circled in red. This clause category appears only 9 times in the index with an average similarity score of 82%. This means that although the clause is relatively frequent, the definition has an average level of variance, compared to other clauses in the industry.
What would you do if you could go to Google.com and search for insurance clauses and policies?
I can't stop thinking about algorithms. I am obsessed and I want to tell you why.
[et_pb_section][et_pb_row][et_pb_column type="4_4"][et_pb_text admin_label="Text" background_layout="light" text_orientation="left" use_border_color="off" border_color="#ffffff" border_style="solid"]