Contractual requirements drive demand as standardization remains elusive
By Joseph S. Harrington, CPCU
You might say that there are two kinds of businesses today: those that have cyber insurance and those that will, whether they want it or not.
It’s hard to imagine that any enterprise today is unaware of the dangers of data breaches, ransomware, and “deceptive funds transfer.” It’s equally hard to imagine an enterprise that is unaware that insurance is available to help manage such events and provide compensation for some of the losses.
So why aren’t sales of cyber insurance more robust? One might say it’s a case of seeing the glass half full or half empty.
“We estimate that 30% of U.S. businesses have a monoline cyber insurance policy, amounting to $6 billion in gross written premium,” says Patrick Costello, principal at Evolve MGA. “By 2025, we expect the U.S. market’s gross written premium to surpass $20 billion.”
According to Costello, “the demand for cyber insurance will remain high because of the increased frequency of ransomware and funds transfer fraud claims. Both types of attacks happen in every industry.”
Great American Insurance Group offers a more modest estimate of where the market now stands but is also bullish on its prospects for growth.
“The market is growing at a steady rate with potential for acceleration in growth,” says Betty Shepherd, divisional senior vice president overseeing Great American’s cyber risk sector. “Estimates of U.S. cyber premium were around $2 billion in 2018 and are expected to increase to upwards of $5 billion by 2021.”
“I’ve seen statistics that estimate a 20% year-over-year growth,” says Jeffrey Batt, cyber insurance practice leader for M&T Insurance Agency. “The amplified demand is a reflection of businesses’ increased reliance on data and technology.”
Steady or slowing?
While some observers claim that growth in cyber insurance is robust, others think the rate of growth is slowing.
“The cyber market is growing at a moderate rate,” says Colette Fearon, an assistant vice president and cyber underwriter for Munich Reinsurance America. “While uptake has traditionally been more significant for large businesses, we anticipate accelerated growth in the small and mid-sized business segment as a result of heightened cyber risk awareness, breach management needs, and compliance with contractual requirements of business partners.”
Josh Ladeau, global head of tech E&O and cyber for Aspen Insurance, finds that “internationally, the cyber market is growing at an accelerating rate, but domestically it is growing steadily or at a slowing rate due to market penetration in the last decade.
“We continue to see demand for increased limits on existing towers, particularly for larger clients, and there is still a flow of new buyers,” he adds. “For example, there are business segments such as manufacturing that haven’t purchased cyber insurance traditionally but are now coming in.”
Anthony Manna, an assistant vice president of the NIF Group, finds that “there has been a bit of a slowdown this past year, but I expect we will see steady growth over the next several years as knowledge of breaches becomes more widespread.”
“We are seeing a steady increase in the number of companies we work with that have obtained cyber liability insurance,” says Dustin Mooney, co-founder and principal consultant of Rigid Bits, a firm that provides cybersecurity services. “In many cases, the motivation for buying coverage is coming from third parties that are requiring our clients to have a cybersecurity program and cyber liability policy in place.”
Eric Cernak, head of cyber for The Hanover Insurance Group, agrees. “Demand is being driven by contractual obligations,” he says. “As companies have been required in the past to have general liability insurance, many are now being required to carry cyber insurance in order to conduct business with other entities. We are also seeing an increase in the size of the cyber insurance limits being required.”
Cernak also has observed new kinds of buyers coming into the cyber insurance market.
“Small to mid-sized manufacturers are showing increased interest in purchasing cyber insurance, as their understanding of the exposures and coverage grows,” he says. “They are recognizing that cyber insurance protects against much more than just breaches of personally identifiable information.”
Manna finds a steady increase in demand for cyber coverage among healthcare, professional and financial services, and retailers.
“These sectors have accounted for roughly 60% of all cyber claims over the last few years,” he says. “Lawyers, accountants, banks, investment advisors, and other kinds of professional and financial service firms are obvious targets because they have exactly what a hacker is looking for—money and personal information.”
Less well known, Manna says, is the fact that medical records are more valuable to cyber-thieves than financial records because the former “are significantly more valuable on the black market, as they contain exploitable information.”
Retail accounts for the fewest claims of the three main target areas, according to Manna, but are much more costly—averaging roughly twice the average cost of breaches in other sectors—because of the huge number of records affected.
As the number of cyber policies grows, so do the coverage innovations they feature.
“In recent years, we’ve seen cyber insurance grow from a focus almost entirely on data breaches to providing robust coverage for lost income,” says Batt. “Initially, policies didn’t cover IT outages or system failures without a threat actor or unauthorized access. Now offerings are much broader, and that’s a testament to the improved understanding of the variety of risks.”
A line first developed to address data breaches now responds to an ever-growing range of threats, says Costello. “Quality cyber policies are proactively covering risks like dependent business interruption, ‘cryptojacking,’ bodily injury, and funds transfer fraud,” he says.(“Crypto-jacking” refers to a kind of cyber-attack that uses a target’s computing power to carry out unauthorized transactions involving cryptocurrencies.)
According to Manna, most cyber policies include coverage for business interruption, reputational harm, and various cybercrimes, including fraudulent transfer of funds. Also, current cyber policies commonly include coverage for prior acts (losses that occurred before the policy period but were discovered during the policy period) and provide coverage for breach response costs outside the policy limit.
“Cyber carriers are constantly improving forms and adding enhancements to become more competitive,” he says. “The newest enhancements include invoice manipulation and bricking, along with generally higher limits for cybercrime losses.” (“Bricking” refers to hacking that essentially paralyzes a device and renders it inert and unusable, like a brick.)
According to Shepherd, cyber insurance is increasingly responding to losses caused by cyber-thieves who use methods designed to manipulate victims into helping to defraud themselves.
“We are seeing losses of funds emanating from social engineering, phishing schemes, or business email compromises,” she says. “In this way, money can be rerouted, invoices manipulated, and credentials copied—all enabling a fraudulent transfer of funds.”
As for the state of cyber insurance underwriting and pricing, Manna says the coverage “is still relatively inexpensive and will likely stay that way for another few quarters, if not years. I imagine that will change once the market begins to see cyber loss ratios increase.”
“Cyber insurance is in a buyers’ market at the moment, and pricing has generally remained flat,” says Batt. “Nonetheless, underwriting is becoming stronger and more robust as experience increases. Underwriters are asking better questions to understand the scope of the risk, and we are seeing less of that knee-jerk reaction to drastically increase rates. This is partially a result of a maturing industry, and also because the increased capacity and interest in the offering have intensified competition among carriers.”
It remains challenging to underwrite a line with fluctuating values and an ever-increasing range of threats. Mooney states: “In cybersecurity we make decisions based on risk. That includes determining needs for cyber liability coverage and what coverage amounts may look like. Insurance companies must trust their clients to practice due diligence in protecting their sensitive and non-public information from hackers. However, calculating risk and understanding those risks take specialized knowledge and skill sets that many businesses do not have in house.”
Given this situation, Mooney suggests that “businesses will need to start demonstrating a culture of security, implement cybersecurity best practices aligning with cybersecurity frameworks, and put additional cybersecurity controls in place to become more secure, resilient, and insurable.”
To that end, Fearon finds cyber carriers increasing their use of third-party vendors to perform “inside-out” or “outside-in” IT security assessments. “These assessments are used to support underwriting, risk selection, and pricing,” she says. “These more thorough assessments also allow insurers to customize coverage and services for the insured.”
One new product is intended to transform the underwriting of cyber insurance to make it a “continuous” process of identifying and pricing exposures.
Cowbell Cyber, a Silicon Valley startup, has released what it calls the insurance industry’s first automated platform designed to identify internal and external cyber risks around the clock and to respond immediately to mitigate losses in the aftermath of a cyberattack.
According to Jack Kudale, founder and chief executive officer of Cowbell Cyber, the platform aligns underwriting, which is typically done once a year, with the dynamic nature of cyber risk, which changes daily. As a result, insurers can develop “enterprise-specific” coverage for individual accounts based on their unique cyber profiles.
“The cyber insurance market has to be aligned with customer cyber risks, which change every day,” he says.
Despite growth in the line, observers display some frustration with the take-up rate of cyber insurance, which some believe is not keeping pace with the frequency and severity of cyber losses.
Part of the problem is a reluctance on the part of many business owners to accept that they are a prospective target of a cyberattack, no matter how small their operation, and a corresponding lack of confidence among brokers about recommending cyber insurance products.
“Educating the buyer remains the biggest impediment to selling cyber insurance,” says Shepherd. “Let’s face it: What organization is thrilled to realize it needs to spend additional money on insurance? This can be especially challenging for insureds with unique coverage needs, in addition to navigating an increasingly complex cyber risk environment.”
“Two of the biggest impediments to the sales of cyber insurance are budget and demonstrating the need for or value of the product,” says Batt. “Small and medium-sized companies are often working within budget constraints. Even if they’ve identified the need, they might not have the funds.”
“The biggest impediments to cyber insurance sales are an inability to identify exposures and a lack of education about cyber insurance products,” says Costello.
Manna concurs, pointing out that many fail to understand the true exposure and how beneficial the coverage is. “A retail broker likely will not present cyber coverage to an insured if he or she is not confident enough to explain the intricacies of the coverage and the risk management benefits,” he says. “It’s important for both parties to understand everything that comes with a cyber policy.”
Another part of the problem lies with the providers of cyber insurance, who don’t always make it easy to shop for the coverage.
“There is not much standardization in policy language,” says Fearon. “This is a line where carriers try to showcase their expertise, either through inventive policy provisions or expansive coverage.
“However, the intent of most coverages is quite standard, making comparisons among forms manageable,” she adds. “The development of cyber policy forms by ISO could introduce more standardization across the board.”
“The cyber insurance market is incredibly confusing,” says Costello. “Almost every major carrier now has a cyber product, but we have yet to see any consistency in names or labels for coverage.
“Most basic cyber products have third-party liability coverage plus three- to five-year first-party sub-limits,” he adds. “The comprehensive cyber markets have a minimum of five kinds of liability coverage and more than twenty different kinds of first-party coverage.
“With convoluted coverage names and inconsistencies across the board,” Costello says, “our cyber specialist underwriters work with brokers everyday to point out major differences between our product and the competition’s.”
“Comparing policies across carriers can be confusing and intimidating for customers, and much of the confusion arises from nuances in the language,” says Batt. “One carrier might use the term ‘network interruption’ while another might say ‘business interruption.’ While this might be easy for a broker or carrier to decipher, it can be a hurdle for potential customers.”
Costello adds that “most cyber markets have three- to five-page applications that ask detailed questions about cybersecurity and resiliency.” A few markets use two-page applications with “half a dozen” questions, but Evolve MGA believes it can underwrite cyber coverage effectively by asking applicants for only three things: their name, annual revenue, and cyber loss history.
“We understand that proactive cybersecurity is never 100% effective,” Costello says. “We’ve seen large companies that invest significant amounts of money in cybersecurity services experience some of the largest losses. Given that, we base our rates on industry experience for loss frequency and cost of claims.”
In a line where coverage evolves rapidly, producers must beware of sharing outdated information, says Cernak.
“Historical perceptions of cyber products can impede sales if agents and brokers aren’t fully aware of changes in products and the market for coverage,” he says. “Both cyber products and the cyber market are constantly evolving, making it more important than ever for agents to stay aware of newer products that may more effectively address their insureds’ needs.
“By partnering with a carrier that can offer various levels of cyber coverage, agents can ensure that their client’s cyber risk is effectively addressed as the customer grows from a sole proprietor to a 100-plus employee enterprise,” Cernak explains.
For more information:
Great American Insurance Group
The Hanover Insurance Group
M&T Insurance Agency
Munich Reinsurance America
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.