Insuring your client’s reputation against cyber breach? Good luck with that.

Businesses wishing to insure their brand reputations against a cyber breach are going to find a hard time finding policies to cover that.

“This is a huge area of concern for insurance,” says Catherine Evans, vice president-FINPRO at Marsh Canada Ltd. “Typically, if you are talking about a retailer or a financial institution, they are very concerned about a lawsuit that stems from information being breached. They are less concerned about the lawsuit than they are about the future value of their brand if this happens.”

But coverage for reputational damage following a cyber breach “is still pretty limited,” she said. “There is some, but not many insurers pick that up. I do think that’s an area that we need to try to improve upon.”

Evans was a panelist at The CIP Symposium held by the Insurance Institute of Canada in Toronto last Tuesday.  Also on the panel, Miki Ho, cyber risk underwriter at Beazley, said the scarcity of coverage is based on the difficulties around quantifying loss.

“The challenge becomes, how to we underwrite it and how do we price it?” Ho said. “The underwriting information we typically receive in a cyber submission, obviously this is slightly different: we don’t necessarily look at seasonality of business, we don’t look at business trends, we are not taking a macro-economic view of certain industries. So, when we are writing the coverage, it very well could be a blank cheque.”

Evans said the clients themselves have a hard time quantifying their losses and showing how they are connected to the cyber breach.

“We’ve spoken to clients, and most of the time when we get to this part of the conversation, it sort of falls down,” she said. “Because although they can expect there is going to be a future loss of business as a result of that issue, they are not able concretely to point out how much that would be.”

For example, Evans added, if a bank suffered a loss of reputation from a cyber breach, it would have to prove “that clients left that bank because of the breach, versus the fact that another bank is offering you a free iPad when you visit them. It’s very difficult to quantify how much of that directly comes from the breach.”

Alex Cameron, partner at Fasken Martineau, noted that cyber policies do provide a means to limit reputational damage arising from a cyber breach, mainly through access to PR crisis communications firms. But even that kind of coverage is a tough sell, Cameron noted, because the PR firms will likely want to start preparing crisis communications plans and materials right away.

But the clients “often don’t see the value of it right away, and sometimes don’t make that call until it’s too late,” Cameron said. “But there is a lot of focus on ‘Let’s do the response in the right way to mitigate those types of impacts.’”