Some well-meaning Veterans Administration bureaucrat brings work home on his laptop, and in the blink of a nanosecond, millions of veterans face the potential risk of having their identities stolen. With each new societal fear, the insurance industry is not far behind in trying to quell at least the financial pain that lies behind it, and cyber threats are no exception.
Today, privacy issues have emerged as the top concern of companies seeking to shield themselves from a public grown increasingly concerned with each publicized potential threat.
For nearly a decade, some of the major commercial insurance writers have been looking to protect businesses from the new threats brought on by the Internet through a wide array of products nuanced enough to bewilder even the savviest risk manager. Peter Taffae, executive vice president of the Los Angeles-based Executive Perils wholesaler, warns of the innumerable "cyber policies floating around."
"Your representative must be in the market on a daily basis," he said, "and have relationships with all of the serious insurance carriers focusing on this market in order to know the best options for your clients."
Among the issues risk managers must grapple with are those that center on the breadth of the coverage. "Some companies try to address these perils by using a miscellaneous E&O policy endorsed with cyber-type definitions," Mr. Taffae said.
But no matter how exhaustive the list of perils, these still remain "named-peril" policies, he said.
Insurance buyers agree that the task has grown in complexity in recent years.
As risk manager for Cincinnati-based business support services giant Convergys Corporation, Carol Fox holds formal and informal meetings throughout the year with her underwriters and brokers to ensure they understand her needs and what it takes to service them.
"We've brought members of operations, network services, information security and legal teams as part of our presentations to answer underwriters' questions about our process and contract reviews," she said.
In addition, underwriters observe call center activity and look at screen shots to understand the kind of data handled. "With this transparency and rigor around the underwriting process, our brokers and underwriters understand our needs and challenges in relation to the market," she said.
"Technology errors and omissions" policies represent a portion of the cyber insurance market, according to Rick Betterley, publisher of the Betterley Report, although that does not exhaust the protection available for cyber risks.
(See related infographic, "Policy Sample," which describes a St. Paul Travelers policy and distinguishes technology E&O coverage from Internet liability coverage.)
Annual gross premium for technology E&O is in the $750-to-$800 million range, Mr. Betterley estimated in a February 2006 report. "It is likely that there is much more premium to be found in the more traditional markets, but it is not being reported as Tech E&O," he wrote.
This represents a sharp rise from the estimated $150-to-$200 million premium written in 2004, and will likely continue to rise as more potential insureds come to realize the need. "This is likely to be true for smaller service firms," Mr. Betterley said.
The past several years have seen a gradual shifting of cyber risk from general liability policies to specially tailored products offered only by carriers with the unique underwriting skills to create them on a profitable basis.
Brad Gow, Philadelphia-based vice president of business development of ACE Ltd., noted that standard ISO general property and liability forms have been rewritten to affirmatively exclude cyber exposures.
"Because they cannot accurately price the risks, traditional insurers that lack the expertise to fully assess a potential insured's risk management and loss protection measures for network security and data security management have not been eager to underwrite cyber exposures," Mr. Gow said.
Technology companies became the early adopters of separate cyber protection. "Technology companies have senior management [teams] that understand not only the technical issues, but also that the real threats to their balance sheets don't arise out of their, say, commercial fleet operations but rather intellectual property and capital," he said.
But today any company, even one that does not operate a Web site, is a technology company with the inherent risks that entails, merely by maintaining databases vulnerable to both third-party liability exposure and first-party loss exposure, he said.
The trend in recent years for states, particularly California, to require companies to report potential data breaches has made senior management ever more cognizant of the need to protect them from, among other things, the plaintiffs' bar, when it gets wind of such breaches, Mr. Gow noted.
So, while the personal lines industry may seek exemption from these data freeze measures for the risk they pose to credit scoring operations, their liability brethren benefit from the concerns they raise.
"The only reason you heard about the VA laptop is the new state regulations," he said.
Mr. Gow has seen the underwriting for cyber coverages improve tremendously over the past several years, as carriers figure out just how much security analysis is needed before a policy is underwritten and priced.
"The earlier carriers were insisting that the company engage IBM to do a network security assessment, and that became the cost to apply to the program and really restricted the level of interest," he said.
More accurate and economical underwriting has made the product more accessible to medium-sized businesses, which have come to recognize the need.
Shand Morahan & Company Inc., the Deerfield, Ill.-based underwriting subsidiary of Markel Corporation, now offers two technology coverage endorsements to its standalone E&O policy for small professional services businesses. One endorsement provides hacker liability coverage and coverage for hacker losses to the insured; the other provides Internet liability coverage.
Mary Saunders, who heads the Product Technology Team, said that small businesses were not served well by standalone cyber products.
"It is a matter of economics," she said. "For any policy, there is a certain amount of bulk built into the initial premium, and if you can add on to one policy it makes sense."
She added, "The evolution of this coverage in a sense resembles employment practices liability insurance in that many businesses thought their good practices would protect them."
Security consultant Mark Rasch said that companies face a constant balancing act of figuring out which risks can be mitigated through cost-effective methods, and which cannot and therefore must be protected with insurance.
"It is important to find out if the policy covers both inside and outside attack. And does it cover lost profits along with reconstruction and response?" said Mr. Rasch, vice president of Omaha-based Solutionary Inc.
"Do newer policies exclude from coverage anything that is relevant to your business? And do you need more comprehensive insurance?" he continued.
While nontechnology companies may be getting on the cyber-insurance bandwagon as new threats emerge, technology companies are also increasing their coverage.
Jon Farber, chief underwriting officer for St. Paul Travelers Global Technology Unit, said that about 25 percent of his tech clients have chosen to supplement their traditional technology E&O coverage with Internet liability coverage. The policy protects against wrongful acts, such as plagiarism or privacy violations, and is third-party liability coverage.
Should a company face a theft of data similar to the VA situation, the technology Internet liability policy would cover it under its failure to protect private or confidential information clause, he said.
And once again, new state reporting requirements have served as chief motivators for insureds willing to up their premiums for some peace of mind, he said.