Standardise cyber insurance policy language to build trust in those products, says EU cyber agency

Out-Law News | 22 Nov 2017 | 11:27 am | 2 min. read

Insurers across Europe should standardise the language they use in cyber insurance policies to build trust in those products, an EU cybersecurity agency has said.

The European Union Agency for Network and Information Security (ENISA) said standardising policy language and underwriting questionnaires can help both insurers and customers "understand what they are selling and buying while avoiding the potential for coverage disputes and costly litigation".

Among the specific recommendations ENISA made was a call for industry to "develop common questions to assess cyber risks based on industry best practices". It further urged the development of industry standards "to define terminology, use cases, coverage, incident types, [and] policy trigger parameters".

ENISA said that insurers, insurance brokers and other industry stakeholders admit that growth of the cyber insurance market in Europe is inhibited by a "lack of commonality in risk assessment language".

"This lack of harmonisation, evident in various aspects of insurance – from coverage to underwriting questionnaires – reduces consumer trust and understanding of these products (especially for SMEs), creates difficulties for insurance carriers seeking to enter the market and limits the growth rate of cyber insurance adoption overall," ENISA said. "The broad consensus in the industry is that steps towards harmonisation / standardisation will have significant benefits for all stakeholders involved and for the insurance market as a whole."

Cyber risk and insurance expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said: "Whilst any attempt to standardise language in cyber insurance policies and proposal forms is laudable, the practical reality is that a myriad of factors will drive the need for different approaches to be taken by insurers on a case-by-case basis. To illustrate, revenues, sector, scale and scope of data controlled or processed and the organisation's global footprint will need to be taken into account by underwriters."

In its report, ENISA urged more data sharing within industry to "support accurate risk assessment" in respect of cyber insurance, and called on policy makers to look into how data on data breaches or cybersecurity incidents reported to regulators under the forthcoming General Data Protection Regulation and Network and Information Security Directive could be anonymised and shared with providers of cyber insurance products.

Last month, the UK's digital minister Matt Hancock said that details of data breaches reported to the ICO under the GDPR could be shared with insurers to help them "accurately price cyber risk".

In its report, ENISA also urged policy makers to "create minimum coverage requirements per type of coverage on top of which insurers can build extra coverage".

"These requirements should define what should at least be included for each type of coverage to provide a common, comparable point of reference," it said. "For instance, providing a minimum definition of what should be covered under a data breach cover policy would increase consumer trust in products offering this coverage via clarity and transparency and it will not be limiting to carriers developing offerings on top of that."

Birdsey said: "Greater harmonisation may assist insurance brokers and potential buyers of cyber insurance, and may accelerate the uptake in cyber insurance cover being taken out. It is often the case that the aggravating and mitigating factors considered by regulators, for example the Information Commissioner's Office (ICO) in the UK, are not necessarily factors which could have been identified at the underwriting stage, which could call into question the value of detailed proposal forms."