Tips on Understanding Cyber Risk Losses

By Denise Johnson | January 28, 2015

Cyber risk can be technically hard to understand, according Marty Frappolli, senior director of Knowledge Resources for The Institutes. The damage to consumer data, complicated analysis on specific technologies involved in data breaches, and keeping up with court case rulings across the country are three areas that can cause confusion.

In a podcast interview with Claims Journal, Frappolli explains what adjusters need to know about cyber risk.

Approaching a cyber loss like any other claim is the first step. This entails knowing coverage, exclusions and exceptions.

Because it is an evolving risk – there is no typical cyber risk policy, Frappolli said.

Subrogation of this type of loss can be complicated, especially where a network breach is related to a vendor’s system.

“There are not yet many cyber expert claim handlers,” added Frappolli.

The Institutes senior director recommended having a cyber forensics expert on speed dial. In addition, adjusters should be aware of local, state and federal breach notification laws.

And even though it will always involve IT and legal staff, he said everyone in an organization should understand cyber risk.

“If we look at cyber risk as a tech only issue we miss the larger point,” he said.

Breaches are not always due to a technical flaw in IT security, Frappolli said, citing an example where USB memory sticks were left in a company’s restroom and labeled “confidential salary information”.

“As you might guess, employees picked them up, inserted the USB drives into their own PCs. That allowed the launch of hidden programs that captured and transmitted secured data back to the criminal organization,” Frappolli said.

Sometimes, hackers will pretend they are high level company executives calling to request a forgotten password.

Frappolli explained some differences between first and third party cyber losses.

First party losses include:

  • Damage to hardware, software and computer networks;
  • Cyber extortion;
  • Compromised or stolen data;
  • Lost revenue and extra expenses due to business interruption;
  • Breach investigation costs;
  • Post-breach repair costs;
  • Costs to notify customers or other stakeholders;
  • Reputational damage.

Third party cyber risk exposure includes liability to other parties that suffered damage due to a breach. These include:

  • Loss of privacy;
  • Damages to network security of trading partner;
  • Liability for libel or slander;
  • D & O liability for failing to defend against cyber attack;
  • E & O liability for when a producer fails to secure adequate cyber coverage for an insured.

Just this week, The Institutes announced a new course offering on cyber risk. The course, Managing Cyber Risk (Cyber 301), content focuses on how to mitigate cyber risk exposures and respond to cyber threats. Insurance professionals will learn how to:

  • Effectively respond to cyber risk exposures from an enterprise risk management perspective;
  • Make better underwriting, claims and pricing decisions by accurately analyzing cyber risk coverages for various insurance policies;
  • Confidently manage cyber threats with an enhanced understanding of how cyber risk affects different operating units of insurance organizations.

A certificate of completion will be given to those who successfully complete the course. Course exams begin in the April to June 2015 testing window.

Learn more about The Institutes’ Managing Cyber Risk certification by visiting

Was this article valuable?

Here are more articles you may enjoy.