Specialty Lines Markets
The need is now standard. Can the product become so?
Cyber insurance may be poised for a transition never seen before in the development of property and liability insurance.
Twenty years ago, cyber insurance hardly existed, other than as an add-on to coverage for electronic data processing. From that point, cyber insurance developed initially within specialty lines markets and still bears the characteristics of a specialty line, such as:
- Coverage written on nonstandardized policy forms
- Coverage negotiated with highly knowledgeable buyers
- Rating based on market competition more than an actuarially derived cost of risk
If the design, use, and maintenance of computer networks had remained strictly the purview of IT specialists, the market for cyber coverage might have continued on its original track, providing specialized coverage for specialized exposures, much like professional liability coverage for accountants, lawyers, and physicians.
Things have changed in information technology, however. Networked information permeates our world and defines how we live and work. Virtually all organizations, and even households, are exposed to loss arising from online activity, and the scope of cyber exposure is substantial compared to other potential sources of loss.
A small business has a one in four chance of being victimized by some sort of cyber attack in a given year, according to a 2017 study by the Ponemon Institute, an organization devoted to promoting online privacy and data security. In contrast, a 2015 report by The Hartford concluded that only one in 10 businesses would experience a fire loss over a five-year period.
Even with that level of exposure, purchases of cyber insurance are increasing steadily but not dramatically, according to the latest survey on the topic by RIMS, the Risk & Insurance Management Society.
In its 2017 survey on cyber insurance, RIMS found that 72% of respondents had purchased it, up from 69% in 2016. Of those, 83% had purchased a standalone cyber policy (as opposed to coverage endorsed onto another policy), up from 80% the previous year.
“We might be seeing something resembling maturity from the cyber insurance market,” reads the RIMS report. “Those who want to buy cyber coverage have bought it, and specialty standalone cyber coverage is nearing saturation.”
“Saturation,” perhaps, of the market for large and/or specialized risks. But what about the vast number of small- to mid-sized businesses that have little or no cyber coverage beyond what may be provided in an endorsement covering expenses following a data breach?
In many cases, those businesses find themselves required by other parties to purchase cyber insurance as a condition for doing business.
With cyber losses representing a growing threat and cyber coverage a growing requirement, it follows that cyber coverage needs to be purchased by a growing number of clients with no specialized knowledge in information technology. In other words, the market for cyber insurance may be flooded with “unsophisticated” buyers, a condition that, in the past, has led to the development of standardized policy forms and rating information.
So it is that the Insurance Services Office (ISO), the nation’s largest advisory organization, announced in July 2017 the release of a revised and expanded cyber insurance program. ISO’s new Commercial Cyber Insurance Program replaces its former “e-commerce program” and introduces a Commercial Cyber Insurance Policy Form designed for enterprises that generate less than $250 million in annual revenue.
This standalone form provides coverage on a claims-made or loss discovery basis through six first- and third-party insuring agreements under a single aggregate limit. The manual base limit is $100,000, with options to increase and decrease it; sub-limits are available for business income, extra expenses, ransom payments, and public relations expenses following an event.
The enhanced ISO cyber program also includes three “information security protection” policies, one for general application to most enterprises, one designed for financial institutions, and another that includes media liability coverage.
Along with revised policy forms, the new ISO Commercial Cyber Insurance Program features a complete overhaul of its policy rating information, which entails 17 rating variables (12 of them new) drawn from cyber-specific data for each of its base forms.
To date, the ISO program has been filed in 48 jurisdictions and approved in 22.
Can it be standardized?
ISO had previously developed cyber coverage parts and rating information, but it has not been in a position to define how cyber coverage is structured and rated to the extent it has done for other types of insurance.
Among other things, “cyber threats and exposures are not static and the past may not be [as] indicative of the future” as in other lines, says Nick Irwin, ISO’s lead cyber actuary. In light of that, he says that ISO utilizes trending and forecasting to address the dynamic nature of cyber risk, which consists primarily of cyber criminals acting strategically to evade efforts to thwart them.
Stephen Whelan, ISO’s director of management and professional liability, adds that he hopes the new program’s standardized language and advisory application form will “facilitate take-up” of cyber insurance, especially among small and mid-sized businesses.
Other observers question whether cyber insurance can ever be truly standardized.
“We anticipate zero impact” from the ISO release, says Ellie Feldman, managing partner of Wingman Insurance, an agency specializing in coverage for technology. “Because of the nature of the line and uncertainty surrounding losses, carriers are not looking for a standardized solution. The cyber product line has to cater to the ever-evolving nature of cyber losses and risk.”
“This release [by ISO] will have about the same impact as the original release, which is to say, not much,” says John Immordino, a vice president with Arlington/Roe, an MGA and wholesale broker. “I don’t see [cyber insurance] becoming standardized anytime in the near future, because it must continue to change in order to protect against new and evolving nefarious schemes.”
ISO and others are in agreement, however, that cyber insurance is increasingly being purchased through standalone cyber policies, as opposed to endorsements on other types of policies.
“We are seeing a very distinct move from cyber-related coverage bundled into property and liability policies to standalone cyber coverage,” says Dr. Andries Willemse, vice president of the specialty loss group and executive general adjuster for Engle Martin & Associates, the well-known claims adjusting firm. Citing a June 2017 report from A.M. Best, Willemse noted that more than two-thirds of cyber premium in the United States is now written on standalone policies.
“It is generally believed that this trend will allow insurers to better understand commercial risks and demand for coverage,” he adds. “This, in turn, will lead to improvements in modelling and, hopefully, reduced premiums.”
As for what’s in those increasingly standalone policies, Willemse says that “the most common third-party coverages include network security liability for data breaches and denial of access, network privacy liability for failure to protect sensitive data, and electronic media liability for libel and defamation.
“First-party coverages insure against property and crime losses, plus certain associated costs such as crisis management and public relations costs,” he adds. “First-party coverage also typically includes coverage for loss of income, extra expenses, cyber extortion, reputational damage, and costs associated with required notification of affected parties.”
Feldman observes buyers of cyber insurance shifting their focus from third-party to first-party coverages. She says it is now common to include in policies for small to mid-sized accounts coverage for business interruption and dependent business interruption, along with coverage for data breaches and their consequent expenses.
“Business leaders understand it’s not just a matter of recouping your notification expenses,” Feldman adds. “They are thinking about the lost income due to system downtime, potential loss of future business, and the PR needed to repair one’s reputation.
“Some of the largest drivers of demand we’ve seen have been business owners’ fears about internal and social engineering risk,” she continues. “Whether it’s being tricked into giving away information or having employees part with assets fraudulently, that’s what’s keeping managers up at night.”
Immordino also pointed to broadening of first-party coverage for cyber extortion, typically executed through paralyzing “ransomware,” and the resulting demands for payments through bitcoin, as well as coverage for reputational harm, as leading trends in cyber product developments.
Education still key
As much as cyber insurance has advanced and expanded in recent years, Immordino finds a lack of education about the loss exposures and available coverages to be a leading obstacle to cyber insurance sales. Even widely publicized events like the Dyn denial-of-service attack in the fall of 2016 and the “WannaCry” attack in May 2017 have had surprisingly little impact on awareness.
“These events caused concern among larger accounts, but many smaller businesses, which are very vulnerable, don’t even know about them,” Immordino says. “Nobody wants to buy more insurance, but it’s the agent’s job to educate their customers about the need.
“It’s not the event of a cyberattack, but what happens afterward that matters so much,” he says. “Here’s where the agent’s primary role is so vital—to educate the customer about how to prevent the loss, and how to understand the characteristics of a potential loss so they know what’s important in the policy.”
For more information:
Engle Martin & Associates
Insurance Services Office
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.