VIEW 31
Capping risk
Companies buy insurance policies to limit their risks. On the other side of the fence, insurance underwriters want to manage the risks that they are accepting. This can sometimes lead to misunderstanding as to what is or is not covered in a policy. Through no fault on either side, the client could believe they have cover for a particular incident when a closer reading of the policy wording would show they do not.
In the interests of reducing this type of confusion, the diagram to the right shows the three main ways that underwriters cap the risks that they take on when writing a policy:


Value: A policy will often limit the total amount of money that will be paid out in the event of a claim. This is done through aggregate limits, which cap the total, or sub-limits, which cap a particular part. Most policies also have an excess or retention clause specifying that initial losses below a certain amount will be borne by the insured.
Time: Just as with value, there can be time retentions too. This means a claim will only be paid out if the service outage is longer than a certain number of hours. This eliminates minor IT glitches and puts the focus on serious cyber incidents. A second consideration is how the timing of the incident relates to the coverage period. Policies can either be worded to cover losses occurring during that period or claims made. In the former case, the potential liability could extend for years beyond the policy expiry date, as was the case with the asbestos settlements. Cyber coverage is typically written on a ‘claims made’ basis, meaning any claim needs to be made before the policy expires. However, a short, extended reporting window post expiry is often included.
Consequence: A cyber incident in the upstream part of an industrial supply chain can have knock-on effects running all the way downstream. A parts supplier taken down by a cyber-attack might fail to deliver a key component on time, ultimately delaying a major project several steps downstream and causing substantial losses. One way that underwriters seek to mitigate this type of exposure is through the careful wording of the business interruption part of the policy. This will define both the type and extent of the third parties that are covered, both upstream and downstream. See View #34 for a more detailed discussion of this.
Aside from these three axes, the final backstop that underwriters employ to limit their exposure is re-insurance, where some part of their risk book is ceded to another insurer. This can either be on a facultative basis, with a separate negotiation for each policy, or on a treaty basis, specifying a particular subset of the whole book.