Cyber insurance maintained its double-digit premium-volume growth in 2012, with capacity high, pricing competitive and buyers increasingly willing to pull the trigger on both third- and first-party coverage. Thanks to a proliferation of data breaches, an ever-increasing number of regulations around the protection of private information, and the growing availability and awareness of Cyber insurance, business is booming in this marketplace.
“It is big, and it’s growing,” says Rick Betterley, president of Betterley Risk Consultants.
How big? Standalone Cyber insurance is now a $1 billion market, according to Betterley’s 2012 Cyber/Privacy Insurance Market Survey, up 25 percent from $800 million in 2011. That still makes Cyber a small fraction of the total U.S. P&C marketplace; however, it does put the coverage in line with the $1.4 billion Employment Practices Liability insurance (EPLI) market—even though Cyber has been around only half as long.
“There is definitely a heightened awareness of the coverage today,” says Florence Levy, national practice leader with Aon Risk Solutions’ Cyber risk practice. Aon’s Cyber business grew about 30 percent over the past year by number of policies. Thomas Herendeen, vice president of underwriting at Philadelphia Insurance Cos., reports a 20-percent growth in the company’s Cyber customer base.
“More clients are looking, and we are seeing greater seriousness to their research,” says Robert Parisi, network security and privacy practice leader for Marsh. “Most of the accounts we take into the process of quoting are buying the coverage. Our book is growing commensurate with that activity.”
Betterley’s survey found a wide range of total premium among Cyber writers. Two carriers reported more than $50 million in premium; others were in the $10-$25 million range; most markets were under $5 million.
Business spans the spectrum of exposure, from high-risk financial institutions and health-care businesses to retail and manufacturing. Chubb won’t talk about actual premium volumes in its CyberSecurity product line, but Vice President Ken Goldstein says that account classes have been “across the gamut,” with average policy limits of $1-$5 million.
CLAIMS COME TO LIGHT
Although many headlines have been written about data breaches, much less has been publicized about the claims that carriers have actually paid. Here’s what we do know.
Cyber-risk management specialist NetDiligence in October 2012 published its second annual study of actual payouts reported by major underwriters of Cyber insurance for data breaches based on claims made between 2009 and 2011.
The study found that personal identification information (PII) was the most typically exposed data type, followed by private health information (PHI). The average claim per breach was $3.7 million; however, large claims of up to $76 million skewed the average. The typical loss cost insurers about $200,000. Third-party damages represented the single largest component of claims.
These third-party damages can stem from the direct financial loss suffered by victims of a data breach. “We had a client where a hacker got access to prepaid debit cards and increased the value from a small amount to a significant amount, then sold access to those card [numbers]. That was a significant loss over a two-day period—a policy-limit loss,” explains Peter Foster, executive vice president of Willis Group’s FINEX North America division.
Besides liability for third-party financial loss, insurers are paying claims for fines and penalties imposed by regulatory bodies. In FINEX’s book, that has included a health-care client assessed with a $1 million fine for breach of health-care information. Interestingly, that “cyber” claim didn’t involve a high-tech breach or network hack.
“It was a [loss of a] data file that was actually a paper file. It wasn’t a high volume of information—it was the nature of that information” that caused the high fine, Foster says. “We’ve also seen some losses associated with data breaches that have occurred where laptops and portable media were not encrypted.”
DESPITE CLAIMS, CAPACITY STILL STRONG
Today, there is no shortage of capacity in the Cyber market. “We see more carriers bringing a product to the table,” says Jim Whetstone, senior vice president and U.S. technology and privacy manager at Hiscox.
“Capacity continues to increase—not to the extent seen three years ago, but we still see carriers coming out with products,” Whetstone notes.
The maximum limit available from a single insurer ranges from $10-$20 million. However, stacking coverage allows significant towers of coverage to be built in the current market. FINEX’s Foster reports being able to access capacity today of up to $350 million, up from $300 million last year.
“Not every client can access that,” he cautions. “For an investment bank, you are looking at [a maximum of] $200-$250 million—and about $150 million of that is Business Interruption coverage.”
Aon’s Levy reports that for primary coverage, premiums range from $15,000 to $35,000 per million of coverage with low retentions, and most businesses are purchasing limits of $5-$20 million. Chubb charges a premium of $25,000 or more per million for larger companies (more than $100 million in revenue) and $5,000 to $15,000 per million for small to midsize companies.
Parisi observes that pricing has also become more consistent over the past 12 months. “The delta of the pricing on an individual risk has gotten smaller. We used to see pricing differences that would range anywhere from 50-100 percent among competing carriers in prior years,” he says.
Competition remains high for most risks. “Pricing generally has gone down a little over the past three years,” Whetstone says. “We have seen some flat pricing or small increases on renewals, especially in the health-care industry where more claims are being made.”
Parisi agrees that accounts with claims have faced tougher renewals in recent months. “Lately, any accounts with hair on them are getting looked at hard. Pricing discussions are more contentious than they might have been before,” he says.
And the claims are definitely coming. While a headline-grabbing breach might happen every couple of months, plenty of lesser claims are showing up more regularly on carriers’ doorsteps.
“The guys that have been in the business the longest—for example, Ace, Beazley, Hiscox and AIG—their books are now so large that they handle several claims a week,” says Mark Greisiger, president of NetDiligence. Their claims-handling history presumably means these veteran players can now apply a lot of data intelligence to their risk selection and pricing.
EMERGING RISK, EVOLVING COVERAGE
Disclosure of private information—whether released accidentally, through criminal activity, or through unintentional action but in violation of law—exposes companies to potential liability for damages, breach-notification costs and remediation. State and federal regulations and guidance around disclosure are constantly changing as well, including new guidelines that apply even if no breach has occurred.
For instance, SEC guidance issued in October 2011 recommended that companies include in their financial reports their exposure to cyber attacks, the potential for disruption of their computer networks and how they will respond financially to these potential losses. This move by the SEC spurred significant interest in Cyber insurance.
And in February 2011, the California Supreme Court expanded the definition of what constitutes PII under the Song-Beverly Credit Card Act (a 1971 statute that outlines the rights and responsibilities of consumers and credit-card companies in the issuance and use of credit cards) to include not just account data but ZIP codes as well—putting a whole class of retailers at risk for damages.
“The allegation is that [retailers] are using that ZIP-code PII to do targeted marketing, then sending out mailers or phone calls to target that demographic, versus collecting that just for credit-card processing,” Aon’s Levy says.
Expansion of liability to include data collection—not just disclosure—has led to the creation of either additional coverage or new exclusions, depending on an insurer’s appetite.
“Historically, Cyber coverage was designed to cover wrongful dissemination, but when the coverage first came out, policies didn’t distinguish between the two [dissemination and collection]. Now, some carriers are affirmatively making that distinction and covering wrongful collection of information, but other carriers aren’t willing to open that Pandora’s box,” says Levy.
COVERAGES CONVERGING IN A COMPETITIVE MARKET
With about a decade of experience now under their belts, carriers seem to be establishing a comfort level with Cyber risk. And as the market matures, standardization is increasing around policy language and loss triggers.
“Although I wouldn’t describe forms as being homogeneous, I do see some convergence in the types of coverage being offered and, at its core, a general agreement as to what basic Cyber coverage is,” Parisi says. “We’re also seeing underwriting among various carriers being more homogeneous. They are asking the same types of questions and focusing on the same types of risks.”
“The carriers that have been at this for a while offer policies that are pretty good in terms of breadth. That’s not to say it doesn’t matter what policy you buy, but they [all] get to a place that’s pretty good,” says Betterley.
Essential Cyber coverage includes third-party liability for damages associated with a data or network security breach, typically bundled with related first-party crisis-management costs—forensics, notification, call-center staffing, credit monitoring and legal guidance. Greisiger points out that crisis-management services have accounted for a significant volume of claims activity because they come into play even if there are no legal damages.
“Almost every claim involves crisis management, whereas only 10-20 percent of claims typically involve paying out on damages due to a legal settlement—unless you’re a bigger insured with a million victims, in which case you’ll draw an army of plaintiff lawyers to your breach,” Greisiger observes.
The past year hasn’t seen much creativity in new coverage offerings; instead, carriers are distinguishing their programs based on ancillary services, such as loss prevention and breach coaching—or they’re trying to stand apart by the number of coverages automatically included and the limits offered.
“The growth in sublimits for notification costs, credit monitoring and forensic costs has been significant. Some underwriters have been willing to offer up to policy limits for those, and excess underwriters are willing to offer drop-down limits,” Willis’ Foster reports. “That’s been a significant expansion because when the coverage first came out, the most the market was offering [for first-party costs] was about $250,000. Now we can find up to $10 million in primary and excess cover that is willing to drop down.”
INTEREST IN BUSINESS INTERRUPTION GROWS
Most carriers offering Cyber-related Business Interruption do so as an option. Yet despite the huge potential for first-party loss, buyers had not shown strong interest in the coverage prior to this year.
“Only about 10 percent of the companies that bought Cyber had a Business Interruption component to it,” says Greisiger. “They realize how important it is only after they have an event—and learn their lesson.”
However, that may be changing. In 2008, Lloyd’s of London underwriting group Kiln launched its Cyber product, which includes both Liability and Non-Physical Business Interruption. “Roughly 10 percent of Cyber policies Kiln quoted in 2009-10 had Non-Physical Business Income coverage. However, within the last six months of this year, the number is probably closer to 25 percent,” reports Kiln underwriter Malcolm Randles.
Randles attributes that increase to a growing awareness of the risk combined with a more educated buyer and broker population. “The low-hanging fruit for specialist Cyber brokers was to start by selling Liability,” he says. “Historically, Non-Physical Business Interruption wasn’t really understood—businesses didn’t see the impact that it had, and there was limited interaction between the risk officer and chief information officer. Now, the IT department understands its role in risk management, and business interruption related to Cyber has become a boardroom discussion.”
Most carriers offering Business Income coverage limit the loss trigger to a system breach or network attack. However, some have been willing to expand coverage to include system outage.
“Some of my clients have called this their own ‘tech E&O’ insurance. It’s caused by negligence on [their] part,” says Foster.
However, this cyber-triggered Business Interruption coverage is volatile and subject to being rescinded. “I’ve lost two or three risks over the past six months because of claims,” Foster says, noting that once-insured clients that had claims were not renewed by their carriers—and the brokerage lost the business as a result. “I do have one client that has $135 million in coverage, but some underwriters are pulling back, especially if they are starting to see some losses across their book.”
HEALTHY APPETITE FOR RISK—EXCEPTING SCHOOLS
Despite a competitive market and significant capacity, underwriting appetite for high-risk classes varies widely. For instance, schools have significant PII exposure and are frequent targets of attacks, such as the October 2012 “ProjectWestWind” action by “hacktivist” group Anonymous to release personal records from more than 100 top universities.
So schools can be hard risks to place. While some U.S. carriers—such as Ace, Chartis and CNA—report being a market for this business class, Kiln currently has no appetite for educational institutions, with Randles citing factors such as schools’ lack of technology controls across multiple campuses, lack of IT budgets and extensive population of users who regularly access data.
In contrast, the majority of carriers list health care as an eligible class, despite the high risk of legal damages associated with disclosure of PHI.
“Regulations have given newfound powers to attorneys general in various states in enforcing HIPAA [Health Insurance Portability and Accountability Act] and HITECH [Health Information Technology for Economic and Clinical Health],” Greisiger says. He points to the June 2012 agreement of Accretive Health Inc. to pay Minnesota’s attorney general $2.5 million related to the breach of medical records.
“For the health-care sector, I believe that attorneys general are funding their departments through those actions, and that’s a trend,” adds Greisiger.
NetDiligence reports that records exposed in the health-care sector increased 1,282 percent in one year—from 500,000 in its 2011 study to 6.4 million in 2012. That includes events ranging from notices that a health-care firm sent out to customers with the wrong member names on the envelopes to a rogue employee who stole the personal health information of several patients in order to use it to fill forged narcotics prescriptions.
“There is tremendous value to medical information,” says Greisiger. “People will buy your identity and get treatment in your name.”
It is also easier for plaintiffs’ attorneys to argue for damages associated with a PHI breach than with PII disclosures. “We have clients who have had STD or HIV information breached, and that can be damaging to an individual. That creates the ‘mental anguish and emotional distress’ that attorneys are looking for to generate a class-action lawsuit,” Foster says.
MOVING TOWARD THE MAINSTREAM?
Betterley believes that Cyber insurance is destined for mainstream adoption. “It used to be that companies thought they didn’t have the risk, but with headlines about breaches and with the many state notification requirements, more are considering buying it,” he says.
“There has been a sea change in the way of thinking” about Cyber exposures on the part of risk managers, says Scott Godes, counsel at the law firm Dickstein Shapiro LLP. “Several years ago if they thought about it, some discounted it in terms of the level of risk. Today they’re revisiting it with a fresh set of eyes and thinking about how they can be protected. The worst-case scenario is to have a loss and then start looking to your insurance to see if you can find coverage.”
“Agents and brokers recognize Cyber as a great opportunity to help clients think about a type of risk they hadn’t thought about in the past,” Betterley says. “There also seems to be growing interest on the part of standard-policy insurers to offer the coverage.”
Most Cyber insurance is still being sold as standalone policies. “We are seeing traditional markets getting into it, but not by endorsement,” Parisi reports.
However, some carriers offer options to bundle the coverage. Chubb, for example, writes CyberSecurity either standalone, as an endorsement to other lines or as a component of its ForeFront portfolio.
“It’s a mix,” says Chubb’s Goldstein. “Some [policyholders]—such as financial institutions, health-care or private companies that have a significant risk—want to have it standalone. But we also have customers that choose to integrate it with Management Liability or E&O lines.”
And a few companies are offering Cyber geared toward smaller companies—and at a much smaller price tag.
The Hartford initially offered a standalone Data Privacy and Network Security Liability Policy for small and midsize businesses as well as its CyberChoice product for larger risks, offering limits up to $10 million. In late 2011, it introduced a data-breach endorsement for its Spectrum BOP policy, providing first-party expense limits up to $100,000 and third-party liability limits from $50,000 to $500,000, with an average endorsement cost of just $250.
In October 2012, Farmers began providing Cyber automatically on all Texas BOP policies with premiums under $50,000.
Digital Risk Resources, a St. Johnsbury, Vt.-based company that develops programs for insurers looking to write Cyber, provides a white-labeled “Internet Security and Privacy” policy that insurers can bundle with small E&O or business owners’ programs or write on a standalone basis. The company offers limits of $25,000 to $1 million and premiums ranging anywhere from less than $100 to more than $2,000, depending on the class of business. Digital Risk Managing Member Sandy Hauserman reports that while business has been “very slow” on the Main Street retail side, the company is seeing up to 30-percent growth in “small professional” lines, such as physicians, lawyers and real estate agents.
Gradual movement toward mainstream adoption is also signaled by the fact that buyers have moved beyond the “tire-kicking” phase. “It’s a lot different than five years ago, when people were getting quotes and not pulling the trigger,” Parisi says. But he adds that the sales cycle still tends to straddle at least one budget cycle.
“When the SEC came down with its guidance, it played a role with the ‘fence sitters,’” says Foster. “Coming out of a tough economic time, [companies] were hoping to push back the purchase, but [the guidance] pushed a lot of risk managers to take another look. They saw that the breadth of coverage had expanded, and costs were down from a few years ago, so it made sense to do this financially.”
Hiscox won’t reveal specific growth in new business, but Whetstone says that the number of buyers has gone up “significantly” in the last 12-18 months.
“More and more of the entities that in the past would not have considered the exposure great enough for them to seek risk transfer are now buying the coverage,” he explains. “I attribute this to their increased understanding of the exposure, the increased affordability of the coverage in many instances and the added services they receive with the insurance product.”
Betterley believes both the Main Street and high-risk markets are poised for continued expansion.
“I don’t hear the ‘it can’t happen here’ stories from IT anymore,” he says, adding only one caveat to his prediction of continued growth: “When the insurance becomes pervasive, there will be a lot of claims. Lack of profit is the only thing that could potentially derail the growth of the marketplace.”