Risks and capacity are abundant, but demand still lags
For any independent agency that has been reluctant to embrace and promote cyber insurance, it seems that there’s no longer any choice.
Cyber insurance, which entails first- and third-party coverages for disruption of computer systems and loss to data, is perhaps the fastest growing line of commercial insurance, and a product that reaches into every sector of the economy.
U.S. insurers reported $998 million in cyber premium to regulators in 2015, according to a recent report by Fitch Ratings drawn from information filed with the National Association of Insurance Commissioners (NAIC). PartnerRe, sponsor of an annual cyber insurance survey of producers and underwriters, estimates global premium for the line at $2.5 billion to $3 billion, with most of the total derived from U.S. business. (Not all U.S. cyber premiums are subject to regulatory reporting requirements.)
Experts in information networking say cyber insurance and its attendant loss mitigation services are becoming imperative for organizations of all sizes, as online criminals troll the Internet for vulnerabilities, no matter what the size of a target.
A 2016 survey by Lloyd’s of London found that 92% of the respondents, all in the European Union, had experienced a data breach within the past five years.
The Dutch firm Gemalto, which maintains a global database on the frequency and severity of data breaches, recorded 974 data breaches worldwide in the first half of 2016, resulting in more than 554 million records compromised, up from 844 breaches and 424 million records in the second half of 2015.
Gemalto’s report was released just as news was breaking of the Yahoo! data breach that may have affected approximately 500 million records.
In light of such reports, growing numbers of organizations are requiring that business partners with whom they share data purchase cyber coverage. A bill in Congress proposes a tax credit toward the purchase of cyber insurance; its sponsor says he prefers an “incentive approach” to the prospect of legal requirements to purchase the coverage.
The most compelling reason for agents to learn the intricacies of cyber insurance, however, is right at home. Agencies themselves have substantial exposure to cyber attacks, data breaches, and the disclosure and reporting requirements that come in their wake, not to mention business interruption or liability for third-party losses.
Cyber insurance has grown to encompass up to seven types of coverage, now available from some carriers as separate insuring agreements within a single policy.
According to Evan Fenaroli, cyber product manager at Philadelphia Insurance Companies, five distinct types of first-party cyber coverage are now standard or are becoming so.
One category, which Fenaroli calls “security event costs,” entails coverage for the costs of a “breach coach” (typically an experienced data privacy attorney) to advise the insured on the steps needed to comply with regulatory requirements for notifying persons affected by a breach and providing them credit monitoring and counseling services.
Security events coverage often extends to the costs of forensic experts to investigate the cause of a computer loss event and correct it, and to additional public relations expenses incurred to reassure consumers and business partners in the wake of the event.
Other common categories of first-party cyber coverage are:
Business interruption coverage for lost income and extra expenses arising from what Fenaroli describes as a “non-physical” cause of loss occurring at an insured site or dependent location, including “cloud” service providers
“Loss of digital assets” coverage for the cost of recovering or recreating data that has been corrupted, destroyed, or deleted as the result of a virus or unauthorized intrusion into a computer system
Crime coverage for thefts perpetrated by cyber means. These include a growing number of sophisticated “social engineering” schemes where criminals impersonate the email style of company staff members to trick unsuspecting colleagues into transferring money or providing protected data.
In addition to crime coverage, growing numbers of carriers are offering cyber coverage for extortion and “ransomware.” Ransomware is malicious code that encrypts files or systems, preventing the victim from using or accessing data until the code is removed or neutralized, usually after a sum of money has been paid.
Perhaps the biggest first-party coverage gap, in Fenaroli’s estimation, is for loss of intellectual property through Internet theft of products or designs. He says companies can have their competitive positions undermined when foreign competitors steal protected design specs and produce essentially counterfeit goods at lower cost.
At least three established third-party coverages are integral to most cyber policies. These are:
Liability for losses suffered by individuals whose financial, medical, or other personal information is breached or stolen and used to commit fraud
“Electronic media liability” coverage for personal injury (libel and slander) and violation of intellectual property rights by producers of computer-based content
“Regulatory coverage” for the costs of investigations, fines, and other penalties in the wake of a system security event.
Coverage for bodily injury and property damage arising from cyber events is an “emerging gray area,” Fenaroli adds.
“Cyber policies usually exclude coverage for BI/PD,” he says, “and coverage may already exist on general liability (GL) policies. However, many GL carriers may not have intended to cover claims arising out of cyber events. Therefore, I think we will eventually see carriers affirmatively covering or excluding coverage for cyber BI/PD claims, on either the GL or cyber policy.”
Limits and sub-limits
It’s daunting to keep up with the evolution and variety of cyber insurance forms, says Reza Khan, executive vice president of the ThinkRisk Underwriting Agency, a subsidiary of Ryan Specialty Group. “It’s challenging even for the most knowledgeable brokers to keep up with all of the changes that are taking place in the cyber marketplace,” he says.
According to Khan, there are often material differences in the structure and terms of various cyber forms. Among the complexities he cites is the relationship between sub-limits for individual coverages and the aggregate policy limit, which commonly encompasses both first- and third-party payments.
Khan says insureds are sometimes surprised to learn how sub-limits can restrict what they recover under the overall policy limit. “The policy limit can be a bit deceiving if there are material caps on important coverage grants,” he says.
He emphasizes one feature of cyber policies he considers to be critical but often overlooked: whether the policy pays losses on behalf of the insured or reimburses the insured after it has paid a claimant and/or incurred expenses.
The former approach is more common for third-party cyber coverage, he notes, the latter more common for first-party claims. In all cases, he says, paying on behalf is better for insureds, especially for small to mid-sized businesses.
“A reimbursement trigger requires a proof of loss and involves [carrier] review of remittances,” he says. “That could take six months to a year, and the insured could be fronting that expense out of pocket. For a small to middle market firm, that could negatively impact the business.”
“Cyber insurance is almost universally viewed as a new growth segment for many specialty markets,” Khan says. As a result, the market remains soft with buyers generally holding the upper hand. According to Khan, it’s not unusual to have a broker “shop” a cyber deal to more than 10 markets for an account that yields a premium of perhaps $10,000.
Khan characterizes the fierce competition for accounts—especially accounts that already purchase cyber insurance—as “hand-to-hand combat.” The key to winning in that combat may lie in the support services provided to insureds before and after an incident.
“People buy cyber insurance for the response,” says Jonathan Reiner, an executive vice president and cyber insurance specialist at Chicago-based RT Specialty. He emphasizes that the purchase decision should not be based solely on a policy’s price or breadth of coverage, but also should include consideration of how the carrier or its partners will respond to a cyber incident.
“Agents and brokers should be focusing on the quality of breach vendors and consultants offered, including legal, network security, forensic, and first-party notification services,” says Jason Glasgow, who recently joined Allied World as lead for its technology, privacy, and network security professional liability practice. Previously Glasgow was vice president and cyber risk product manager for Travelers.
“Agents should guide clients to select an insurer that understands the exposures and offers robust risk management services to help proactively prepare for and defend against a cyber breach,” Glasgow says. “These services are especially important for clients that don’t have large IT and network security functions.”
According to Glasgow, agents and brokers should probe carriers for details on the scope and quality of their cyber risk management services. “Is it merely a portal of information that can be found on the Internet?” he asks. “Or will the insurer truly provide tailored and hands-on support to help protect an organization?
“The key question to ask cyber insurers is: ‘What is the rate of engagement of clients actually using the risk management tools?’ That will give you a sense of how valuable the tools might be to a client.”
As a line of business, cyber insurance is beginning to see some moves toward standardization of policy language and simplification of an application process that is widely perceived to be stiflingly complex and demanding.
Yet, despite recent reports of spectacular data breaches—Ashley Madison, the Panama Papers, the Democratic National Committee emails, and most recently the breach of more than 500 million records of Yahoo! users—most businesses still do not see a compelling need to purchase cyber insurance.
Also, “Despite all of the attention on cyber and cyber insurance, there are still companies that believe these exposures are covered in existing traditional policies,” Glasgow says. “Many insureds are still hesitant to look at cyber coverage due to lack of awareness and understanding of the exposures, coupled with a false sense of security.”
Khan concurs. “Despite the daily barrage of cyber breach headlines,” he says, “cyber insurance is still not a compulsory coverage, and most U.S. businesses are not buying it.
“However, the adoption rate is certainly trending in the right direction, which presents a great opportunity for growth.”
For more information:
Allied World Assurance Company
Philadelphia Insurance Companies
ThinkRisk Underwriting Agency
Joseph S. Harrington, CPCU, is an independent business writer who specializes in property and casualty insurance coverages and operations. For 21 years, Joe was communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.