Cyber insurance is currently a $2 billion market, according to Betterley Risk Consultants Inc., and most cyber insurers report consistent premium growth in the double digits. Even so, only one-fifth to one-third of companies has any sort of cyber coverage in place, according to the Ponemon Institute.
“The cyber risk insurance market is still a small market that gets more talk than action, but it is a significant growth opportunity for brokers,” said Ken A. Crerar, president and CEO of the Council of Insurance Agents & Brokers.
Capitalizing on that opportunity starts with education. “Businesses must truly realize that they have potential exposure in their own operations. Only after such awareness develops do insureds become interested in buying the coverage,” according to Patricia A. Borowski, senior vice president at the National Association of Professional Insurance Agents.
“The biggest challenge is getting small- and medium-sized businesses to understand that cyber risk is important to insure,” added Joe Coray, vice president of The Hartford’s Technology and Life Science Practice. “Large healthcare companies, financial services, educational institutions—they get it. But unfortunately we’re seeing many cyber events happen at small businesses that have limited, minimal, or no coverage.”
Evolving Coverage, Emerging Risk
Cyber coverage has evolved over the years. “Initially, businesses were more concerned about the cost of responding to a breach, and that’s what early cyber policies covered. We are seeing them now worried also about their own loss. Although a lot of insurance programs are still primarily third-party, more carriers are starting to add first-party coverages,” said Christine Marciano, president of Cyber Data Risk Managers, an independent insurance agency that specializes in data privacy, cyber liability risk, and intellectual property protection.
The challenge for producers is that no two insurers’ policies have evolved the same way. “Forms aren’t standardized, so there is a lot of confusion in the marketplace about what a policy might provide insurance for compared to what customers are trying to cover,” said Kirstin Simonson, second vice president, global technology underwriting at Travelers.
“It’s the producers’ job to do their homework. They need to go thorough the coverage forms, sit down with their clients, and do their own due diligence. If they don’t, it’s their own E&O issue,” added Marciano.
Not only do coverage forms keep evolving; so do the risks that companies face. Business interruption, new types of cyber crime, and intellectual property are all issues businesses are looking to cover.
“What we are seeing emerge within business interruption is a heightened demand for coverage and higher limits for companies that really need it. The interest is particularly acute in the energy sector, manufacturing, and other industries that are concerned with hackers or malware getting into their systems and interrupting their ability to supply their customers,” said John Coletti, a vice president at XL Group who leads the insurer’s cyber and technology underwriting team.
Many current cyber policies provide some coverage for business interruption; the issue is limits and capacity. “At-risk businesses are looking for millions of dollars of coverage, and the market right now can’t provide that,” Coletti said.
Contingent business interruption is also a growing concern as more companies turn to cloud computing vendors to host applications or provide infrastructure capacity. Coverage gaps exist because traditional business interruption forms require a covered loss at an insured location to trigger coverage, and even forms that offer contingent business interruption for unnamed locations typically insure loss from physical causes, such as a fire or windstorm, rather than a cyber attack.
Conversely, many cyber forms don’t provide contingent business interruption coverage. “You would have to be able to underwrite the cloud provider in order to do so,” Simonson said.
There are ways to cover that gap. “When underwritten on a property form, it may be possible to schedule a cloud location or broaden coverage for unnamed locations of your cyber account,” said Coray. “In either option, a sublimit may apply to direct damage to data or business income, depending on the claim scenario.”
Contractual risk transfer is another option. Depending on the service agreement between a business and its cloud provider, a cloud provider may extend its own coverage to a customer’s risk if the loss originated at the cloud provider’s location.
“Understanding the exposure and how coverage for a data event and related contingent business interruption applies is critical,” Coray said.
Emerging trends in cybercrime center around crypto-locking, ransomware, and other types of extortion where critical business or customer data is held hostage by hackers until money is paid.
“We are seeing more and more of this. There is also a lot more sophistication and organization among crime rings using botnets to breach networks and extort companies to regain control of their data,” Coray said. Depending upon the insurer, coverage for these attacks may be available under either cyber or crime forms, meaning that it is again incumbent on the agent to perform due diligence.
Interest is also increasing in coverage for intellectual property risk. “Intellectual property and infringement are the next big insurance trends, especially with technology companies that can be put out of business by either of those,” said Marciano.
Companies are seeking first-party coverage for the revenue impact of compromised intellectual property and liability coverage for copyright and trademark infringement made by others against the insured.
“If a hacker steals trade secrets, that could have a monumental impact on a business,” said Coletti. XL is currently doing R&D on how—and whether—to provide insurance for breach of a company’s trade secrets.“That coverage is largely unavailable on the market now, but I do see it as the next evolution of where cyber is going,” Coletti said. “However, we’re a long way from having standard coverage with filed rates and forms.”
If there’s one thing producers can be sure of in this continually evolving market, it’s that opportunity exists for those who take time to understand the market and to add cyber products to their arsenal of risk management solutions.
“There’s no doubt cyber will continue to grow—there are still many organizations that are just getting to the point where they are convinced that cyber is something they need,” said Coletti. “Objective estimates that have been made of market size tell us there is a lot of upside and a lot of growth for cyber products. I think there’s another 30-percent growth potential.”
Cyber coverages vary widely among insurers. Here are highlights of different programs and recent updates that carriers have made.
AIG enhanced its CyberEdge product in 2013 by adding several risk-management tools to its coverage. Organizations or individuals seeking real-time information on cyber risk can access the free AIG CyberEdge Mobile App for iPad, iPhone and Android. AIG also offers its customers complimentary access to cyber security training for employees and vendors, a device that blocks bad IP addresses from entering and exiting a network, 24/7 access to a hotline operated by IBM and an external vulnerability scan with a consultation from IBM.
Chubb’s CyberSecurity solutions have evolved to include coverage for business interruption and extra expense exposures that the insured sustains due to a cyber attack on a cloud provider it utilizes; privacy notification expenses coverage outside the limit of liability; and coverage for financial institutions, including the cost to replace debit and credit cards associated with an actual or potential privacy loss. Chubb also offers loss prevention reimbursement for insureds that undertake effective steps to secure data, such as investing in encryption technology.
Hiscox offers limits of up to $10 million in its Privacy and Data Breach Protection product. Recently, the company began offering excess capacity on first- and third-party privacy and data breach policies. In late 2013, Hiscox launched its Cyber Crime Protection endorsement to cover theft related to business bank accounts, which lack the regulatory protection of personal accounts. The company offers preventative services through BreachProtection, as well as incident response coaching and resources through the Hiscox eRisk Hub powered by NetDiligence.
The Hartford offers smaller businesses a data breach endorsement for its Spectrum Business Owner’s Policy, as well as its stand-alone Data Privacy and Network Security Liability Insurance Policy, which is designed for small- and mid-sized businesses. The company’s CyberChoice product for larger risks offers limits up to $10 million and has optional coverages available to address first-party business interruption, cyber extortion and professional liability exposures, and its Universal Excess Simplified form provides coverage over primary cyber policies.
Travelers offers CyberFirst for tech firms of all sizes and public entities, as well as CyberFirst Essentials for small businesses and CyberRisk for companies that don’t fit within the CyberFirst or CyberFirst Essentials platform. CyberFirst was revamped in 2012 and today provides an array of third- and first-party coverages, including extortion, business interruption, data restoration, computer fraud, funds transfer fraud, and telecommunications theft.
XL Group’s Eclipse product provides primary or excess liability coverage for technology services and products, media content, data breach, and data privacy. First-party coverage is available for business interruption and extortion demand, as well as for costs related to emergency response, reputational management, and forensics.