From news stories to webinars to presentations and discussions at trade shows, it's been nearly impossible over the past year to avoid the topic of cyber risk. The threat is not new, and insurance addressing the risk has been around for about 15 years now, but only recently has the issue become top-of-mind for so many. 

Before the 2014 RIMS Annual Conference and Exhibition, PC360 asked four risk managers that sit on National Underwriter's editorial board what the most significant emerging risk on their radar was. Three of the four mentioned cyber risk. And that was just a preview to the mood at the RIMS conference, where cyber was a popular topic among both buyers and sellers of insurance. 

For example, Chubb Corp. released its 2014 Multinational Risk Survey at RIMS, which questioned 300 U.S. and Canadian companies about their international global exposures, and data breach/cyber was the second-biggest threat cited by respondents after supply-chain failure. 

Kathleen Ellis, senior voice president, Chubb Multinational Solutions, said cyber has been of great interest to clients, and she added she would not be surprised to see cyber top the list of threats in a future survey.

Why has cyber become such a major issue? Tom Srail, senior vice president, Willis, says news over the years about high-profile breaches in conjunction with mounting data-privacy and notification regulations have pushed the conversation forward over time. "Every time one of those big industry events leaks into the day-to-day media, there's renewed interest in and discussion about cyber," he says. 

And the past year saw plenty of big cyber events. A report from Risk Based Security says four of the top ten breaches, with respect to the number of records exposed, occurred in 2013, including the highest of all time, which exposed 152 million records. The report says the number of incidents was down from 2012, but the number of exposed records shot up to 823 million compared to 264 million in 2012. 

Source: Risk Based Security

Toby Merrill, leader of ACE's cyber risk practice, also mentioned the recent news about large material breaches as a reason for the spike in interest, but he does not believe that is entirely what is driving it. 

"Probably the biggest contributing factor is just technology in general," Merrill says. "Look at how we use technology in business and our personal lives," he continues, pointing out technology has "transformed how we interact as human beings."

To be competitive today, Merrill says companies have to rely fairly heavily on technology to deliver a product or service, and those who take advantage of modern technology are in a better competitive position relative to their peers. But with the rapid technology evolution comes rapidly evolving risks. 

"In the risk-management community, we want to pause and take a breath," he says. "We're OK with the benefits, but before we jump into the pool, let's talk a little bit about if we need swimmies first."

Where insurance plays a role

Insurance protection and services have grown over the years to become, if not swimmies, at least a critical life preserver that can keep businesses afloat in the event they do suffer a breach.

Srail notes that in the early days of insurance for cyber risk, insurers would pay for notice and credit-monitoring expenses. buyers were generally limited to dot-coms and some retailers and banks. 

Coverage has since progressed and become relevant for a wider base of customers. "For a good chunk of the industries out there, cyber is very useful for them," Srail says, although he acknowledges that not every industry would find the coverages useful.  

"An easy one is manufacturing," he says, explaining a wholesale manufacturing company that is not selling to customers would only have its employee data, "which is sensitive, but there's a limited amount of it." He says a billion-dollar manufacturer potentially losing data on its 5,000 or 10,000 employees would not be a "meaningful enterprise risk" for that company.

Srail also mentions limitations for energy companies, stating the "off-the-shelf cyber we see in the news in the retail breaches isn't as directly impactful to some of those organizations." Although,"Even that's changing," he says, noting "one of the big carriers" released a new coverage targeted primarily toward power, energy oil and gas companies.

American International Group last month announced CyberEdge PC, an expansion of its cyber insurance offering to include property damage and bodily injury exposures. The company said it was "a response to growing incidents and threats of cyber attacks directed at commercial industries that can lead to equipment failure, physical damage to property, and physical harm to people."

And for most other sectors, the addition of coverages and services over the years has made the cyber-insurance market more attractive. For example, Srail says adding coverage for fines and penalties made a big difference in health care, among other sectors. "We've seen a third example over a short amount of time of an over $1 million health-care fine from either a federal or state regulator for a relatively small breach," Srail says, noting that this seems unique to the health-care industry. "We don't see a bank losing 20 credit-card numbers and getting a million-dollar fine," he says. "We do see that in the health-care world."

Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims Study

Beyond the coverages, ACE's Merrill notes the insurance industry has developed expertise concerning cyber to the point where "even some levels of the federal government have recognized the insurance industry as a resource to help promote best practices around risk management."

For ACE's part, Merrill believes the insurer's expertise is what helps set it apart, offering insureds resources and experts to assist with recovery after a breach takes place. "We have a lot of experience," Merrill says. "We've seen good processes, but we've seen some pretty horrible mistakes. We try to do our best to get [insureds] access to the resources to avoid the mistakes."

Capacity and underwriting

Despite what Srail calls the "year of the mega breach" in 2013, carriers have mostly retained their appetite to write cyber-liability insurance. "We've seen a couple of carriers restrict or pull back," he says, "but most of the rest have been pretty calm."  

Srail says Willis' team does what it can to keep carriers calm in the face of large and public losses, explaining that more people than ever will be buying coverage now. 

In fact, he says the market "needed to see a $100 million limit-loss payout to get larger firms on the fence to buy and mid-size firms dipping their toe in the water" to purchase larger limits. 

Speaking to pricing, Srail says it "seems to make sense. It's still inexpensive, but I think there are good numbers behind it now."

Fears of a mega breach

Not all in the industry believe insurers are where they need to be when it comes to addressing and pricing cyber risks. Jonathan Hall, executive vice president, FM Global, believes carriers have work to do to stay ahead of the risks. "I think the industry is reacting to a client need," he says, "and trying to catch up. I think the industry is trying to react as quickly as it can," he adds, "but it's hard because every time you turn around, there's a new twist to it." 

The secret, he says, is finding the point at which insurers can provide the right coverage at the right price that meets client's need. The challenge is trying to discern exactly how big a serious loss can be for insurers. 

Hall says he is not concerned about one hit. Insurers, he said, can all take a $50 million to $200 million loss. "It's the aggregation," he says regarding his concern. "The balance-sheet issue here is you have to start looking at cyber kind of like flood, earthquake and wind," says Hall. "How many of my clients can be involved potentially in one event?"

Having a $100 million single-client event hit 100 or 500 clients becomes "a massive potential exposure to the balance sheet," he says. "And I think that's part of what the insurance companies are trying to understand: how big can this be?"

This potential exposure is considered against the backdrop of more companies storing their data in the cloud.  "It's a huge concern," Merrill says of the potential for a breach at a cloud provider that could affect the data of multiple companies. "It's very real and the perception is it can happen."