THIS ARTICLE is based on our 2006 review and evaluation of insurance products designed to cover the unique risks of e-commerce. Our focus is on coverage for organizations that offer products and services via the Internet, such as online retailers and Web-site content providers, rather than on those who create the infrastructure for such commerce–e.g., Internet service providers, technology consultants and software developers.

This report contains information provided by 11 markets. They include seven carriers, some with multiple products: ACE, AIG, Chubb, CNA, Evanston Insurance Co., St. Paul Travelers and Zurich. We also heard from four wholesalers and managing general underwriters: Digital Risk Managers (representing Arch Specialty Insurance), Euclid Managers (representing Hudson Insurance Co.), Media/Professional (representing Axis and certain underwriters at Lloyd's) and Safeonline (representing ACE's Lloyd's operation). Collectively, we believe these insurers and intermediaries represent the core of the “cyber risk” insurance market.

We have compared the information provided by these markets against our own experience and knowledge. Where they conflict, we have reviewed the inconsistencies with them. However, the evaluation and conclusions are our own. Of course, the insurance policies govern the coverage provided, and the carriers are not responsible for our interpretation of their policies or survey responses.

In using this information, readers should understand that the information applies to the standard products of the carriers, and that special arrangements of coverage, cost and other variables may be available on a negotiated basis.

Introduction

Cyber risk insurance is a recently developed product. Like other new forms of coverage, it presents insurance product managers with challenges, as they learn what their insureds need and what the carriers can prudently cover. Most carriers are convinced that their best opportunity to sell cyber-risk coverage is to mainstream companies that have significant online exposures. Many of these prospects already are purchasing other forms of coverage from the carriers. Specific opportunities are recognized by Chubb, St. Paul Travelers and Zurich, which have created special cyber-risk products for financial institutions. More industry-focused products are anticipated as this product line grows and competition increases.

Some carriers' approach to the cyber-risk exposure is to offer coverage as an enhancement to their property or general liability coverages for mainstream insureds. For instance, Toby Levy, of The Hartford's Technology Group, calls the carrier's product an alternative to stand-alone products that is designed for companies that use the Internet as a complement to their traditional brick-and-mortar operations (i.e. not “dot-coms”).

The Hartford, says Levy, “adds coverage to its standard general liability and property forms for certain cyber risks. For qualifying accounts, coverage is added to the general liability and property forms for certain cyber risks. For qualifying accounts, coverage is added to the general liability form for personal and advertising injury offenses arising from the insured's Web site activities. Coverage applies to all Web site content, not just those portions of the Web site that are deemed to be an advertisement. In addition, electronic vandalism is added as a covered peril to the property form. This additional coverage applies to damage to computer equipment, media and data arising from hackers, viruses and other forms of malicious code. Coverage also extends to business income losses, if purchased, arising from the electronic vandalism peril.”

Cyber-risk insurance comes in a variety of forms, but we find it most helpful to divide coverage into property, theft or liability. Some carriers offer liability-only products, while others offer a combination of property, theft and liability coverage.

State of the market

Company sales data for cyber-risk insurance is hard to come by, but in reviewing the market, we have concluded that the annual gross written premium is $300 million to $350 million, up $50 million from our estimate in last year's report. As one knowledgeable product manager said, cyber-risk coverage is still a new product line and will take a few years to penetrate the marketplace.

It seems odd that with the growth of online commerce, there hasn't been more demand for these products. As e-commerce businesses–and especially their agents and advisers–become more knowledgeable about cyber-risk products, this market segment could grow dramatically. Carriers contacted for this report expressed increasing interest in the product and report that reinsurers are favorably inclined to it.

Rates for cyber-risk insurance, like most forms of commercial insurance, are definitely softening. Most carriers say they plan to hold rates flat, or within a range of -10% to +10%. We've also heard, however, that some carriers may reduce rates to attract new insureds into the cyber-risk market.

Carriers no longer appear to be increasing retentions or deductibles, as they were a few years ago. Even marginal insureds should be able to renew with the same retention or deductible as in 2005. There are no reports of widespread decreases, although individual insureds may experience them.

Significant liability-limits capacity continues to be available. Chubb (for the liability portion of its P&C product) will entertain limits up to $50 million, while ACE (for its Digital Technology product), AIG, Chubb (for its financial institutions products), and St. Paul Travelers have $25 million capacity in house. In regard to first-party coverage, limits range from $1 million to $15 million. Several carriers can secure limits above those indicated when necessary. For instance, AIG indicated additional liability-limits placement capability of $50 million (for a total of $75 million).

Carriers do not seem to require assessments of prospects' security procedures as much as they used to. Typically, but not always, any required assessment is free to the applicant. Such an assessment can be useful to applicants, even if they do not buy the coverage. If they do, a favorable assessment should help lower the insured's premium. Security assessments are much more often required when purchasing first-party coverage than third-party. Also, requirements vary with the nature of an insured's business. Some assessments are as simple as a review of an applicant's Web site, while others require an onsite review by third parties.

Coverage particulars

First-party coverage: First-party coverage protection against denial of Web services (hacker attacks) is still a hot topic, due to continuing attacks on leading Internet sites. Most property products cover this risk, although subject to negotiation and individual underwriting. Theft exposures are sometimes not well understood. The potential for traditional theft of money or goods via the Internet is often recognized; but theft or destruction of data, extortion, and theft of computing resources sometimes are not.

Terrorism coverage: Coverage mandated under the federal Terrorism Risk Insurance Act extends the base policy form by eliminating terrorism-related exclusions, but only for foreign-sourced, certified acts. This leaves domestic and non-certified acts excluded from non-specialized policies.

Identity theft: Various forms of identity theft, especially “phishing” and “pharming,” have become a great concern over the past two years. One anti-phishing working group offers the following description of this exposure:

“Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial-account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data, such as credit-card numbers, account user names, passwords and Social Security numbers. (By) hijacking brand names of banks, e-retailers and credit-card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware into PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.”

Carriers don't generally address these exposures specifically (either in terms of affirmative coverage or exclusions) but will look to the coverage terms relating to breach of security and unauthorized access to determine coverage. St. Paul Travelers has a specific coverage for “identity fraud theft.” The carrier's Identity Fraud Expense Coverage Master Policy provides expense reimbursement for a covered individual's efforts to restore financial health and credit history following identity theft. A company purchases a master policy to extend benefits to a particular group of individuals–e.g., customers, employees or affinity program members. Euclid Managers' product offers coverage for failure to prevent identity theft or credit/debit card fraud. Although these two products specifically address identity theft exposures, readers should not assume that others do not. Still, we think the more affirmative coverage will be attractive to prospects.

We asked Anne DeVries, of Digital Risk Managers, about coverage for ID theft and phishing under its “WebNet Policy.” She told us:

“For ID theft and phishing, both are addressed in our form under network liability, in that we would cover liability of the insured entity if electronic information assets were accessed/stolen, etc., from their system by an unauthorized individual or an authorized user who used the system in an unauthorized manner. Phishing is a difficult one to tackle, since the insured entity is as much a victim as their customer whose information was “phished.” However, if someone gains access to the insured system using a valid ID and password that were obtained via phishing, any third-party financial loss arising from that unauthorized access/use would be covered under WebNet.”

Carriers are broadening their offerings to protect insureds against liabilities arising out of lawsuits alleging breach of privacy and release of information. This exposure has been much in the headlines lately, and it creates serious risk of loss to the parties held responsible. A number of the carriers surveyed for this report offer specific coverage related to improper release or theft of confidential information.

Other policy particulars

Definitions: The definition of an insured differs on many policies. Many carriers do not automatically include subcontractors as insureds, although insureds usually can add them via endorsement. The definition of a claim also varies significantly, with some carriers going to great lengths to define a claim, and others using wording such as “a demand seeking damages.”

Claims reporting, ERP options, and counsel: Each liability policy reviewed for this report is a claims-made form (Chubb's product for financial institutions is a loss-reported form), so extended reporting period options are important. Several markets contacted for this report offer free, automatic 60-day extended reporting periods; longer periods, generally up to three years–and in at least one case, unlimited–are available for additional premium.

Selection of counsel continues to be a delicate issue with insureds; but as we frequently see in other new lines of coverage, carriers typically reserve the right to select, or at least approve, counsel. AIG offers an optional “Choice of Counsel” form (insured chooses counsel). Several other markets allow the insured to select counsel, subject to carrier's approval, which will not be unreasonably withheld. As with all questions of counsel choice, we recommend that insureds reach agreement with their carriers in advance of any claims.

Generally, cyber-risk policies contain a “hammer clause.” Such clauses require an insured who refuses to settle a claim for an amount acceptable to his or her insurer to absorb any ultimate costs exceeding the proposed settlement figure. “Soft” hammer clauses, which call for an insured and insurer to share costs exceeding a proposed settlement (and which one sometimes sees in employment practices and management liability products), so far have not shown up in cyber-risk policies.

Prior-acts coverage: All carriers surveyed for this report offer prior-acts coverage, with previous coverage sometimes required.

Territory: E-commerce is conducted worldwide, and one of the associated liability problems is that the legal standards of many countries differ from those of the United States. A widely reported case against a U.S. e-commerce portal was brought in Germany and was based on German legal standards. True worldwide coverage is important! It's available from all markets surveyed for this report, although in a few cases it must be added by endorsement.

Definition of covered services: All carriers define the services they cover, whether in “boilerplate” or on the declarations page. It's important that the definition match the insured's operations. Most carriers can adapt the language to meet the needs of a particular insured, but it is important to carefully craft that language. This is a part of the policy where we think omnibus wording is much needed, since the range of e-commerce activities can be vast and ever-changing. Optional endorsements are available, including manuscripted coverages for special requirements of insureds.

We have identified coverage for 11 specific exposures that may be, but are not always, included in a cyber-risk policy. These are:

• Errors & omissions.
• Viruses.
• Unauthorized access.
• Security breach.
• Personal injury.
• Advertising injury.
• Loss of use.
• Resulting business interruption.
• Copyright infringement.
• Trade or service mark infringement.
• Patent infringement.

Insureds should review their exposures to such losses and select carriers that are willing to cover them. Coverage for patent infringement, for example, is rarely offered in basic cyber-risk forms, but can be purchased from several carriers as a separate intellectual property policy.

Risk management services: Carriers continue to augment the exposure identification and loss prevention services they offer. The task must be challenging, because the range of e-commerce activity is extensive, not lending itself to a “one-size-fits-all” approach. Among the risk management services offered by the markets surveyed for this report are network security reviews, handbooks on risk management for commercial Web sites, property assessments, disaster recovery services, emergency loss containment, forensic services in response to security breaches, the services of legal experts in e-commerce and intellectual property matters, and various online resources. Such services may or may not require an additional fee.

This article was derived from the June 2006 issue of The Betterley Report, which is published six times a year by Betterley Risk Consultants. The complete report, which contains charts showing the responses of individual insurers, can be purchased for $65. Annual subscriptions are available for $347. For more information, contact Richard Betterley, CMC, at (877) 422-3366 or at [email protected].
