With high-profile, high-cost data breaches continuing to make news on a regular basis, it's not surprising that there has been a spike in interest in Cyber Liability coverage. Yet that interest isn't always translating into increased sales, in part due to a lack of understanding of the exposures by, ironically, those who could be most at risk.
“It's still not an easy sale,” says Brian Thornton, president of ProWriters, a managing general underwriter specializing in Professional Liability coverage. “On the plus side, there has been more education from both a broker and underwriter standpoint, but there is still some resistance [among potential buyers].”
Indeed, not all companies have taken this risk seriously enough to ensure their coverage is adequate to cover a major loss. Despite reported double-digit growth among brokers and insurers offering coverage, Cyber remains a relatively small market: A.M. Best reports that 86% of carriers don't offer the coverage exclusively—bundling it into other types of cover, like General Liability—and, in a November 2014 survey conducted by Hanover Research for ISO, the majority of Cyber insurers write less than $10 million in premium.
In ISO's survey, 40% of respondents said the biggest challenge in selling the coverage is that companies think they don't need it. Another 29% say they face the misperception by buyers that Cyber is covered under existing policies.
A handful of key sectors accounts for the most common purchasers: healthcare, financial services, high tech, education and—particularly in the past few years—retail. Sectors outside of those key five are harder to break into.
“There are a lot of companies that view the breaches in the news and feel they are not a target because they don't process credit cards, medical information, or other consumer data,” says John Coletti, chief underwriting officer who leads XL's cyber and technology team. “However, they all have exposure.”
“Companies need to understand that even if they don't have personally identifiable information [on customers] to protect, they all have employee information. They may have third-party corporate confidential information. They also have first-party exposure if they rely on their network to make goods or provide services,” says David Hallstrom, practice leader, information risk, at CNA.
Agents and brokers also report challenges in convincing smaller accounts they need coverage. However, smaller companies may actually be more vulnerable to attacks and to damage caused by data breach. According to the National Cyber Security Alliance, one out of five small businesses falls victim to cybercrime each year. And of those, about 60% go out of business within six months of an attack.
“Throughout 2013 and 2014, breaches and regulatory changes have pushed Cyber to the forefront. More companies are doing their due diligence to really understand what their exposures are,” says Nadia N. Hoyte, senior vice president at Willis’ FINEX North America.
Where there are uninsured clients, there is opportunity for growth. “The big opportunity lives outside the financial and healthcare industries and on the commercial side—manufacturing, hospitality, entertainment,” says Ken Goldstein, vice president and worldwide cyber liability manager at Chubb. “The chance is there to round out other lines of coverage with Cyber.”
Expanding into other sectors starts with educating buyers. Brokers need to keep tabs on news regarding data breaches and claims paid, using third-party resources such as the Ponemon Institute and the National Cyber Security Alliance. They should also capitalize on information offered by carriers, many of which offer branded versions of NetDiligence's eRisk Hub.
“If something hits the news, even if it's outside the customer's industry segment, it is usually generic enough to be applicable,” says Goldstein. “Show them the cost per record and the exposures that can be transferred via insurance—first-party loss, forensics costs, credit monitoring, all the way through lawsuits impacting different industry segments.”
Brokers also need to combat common misperceptions, such as that businesses using third-party data processors are insulated from Cyber loss exposure. “Clients who resist purchasing coverage are ones who outsource,” Thornton says. “For instance, small businesses may accept credit cards but believe the risk lies with their credit-card processors. It takes education to show them that just because they’ve outsourced the service doesn't mean they’ve outsourced the risk.”
Tim Francis, enterprise lead for cyber insurance at Travelers, recommends that brokers include a quote for Cyber on every account. “That serves two purposes,” he says. “One, it combats the perception in the small and mid-sized markets that Cyber is too expensive to buy. Two, it demonstrates broker expertise. If you talk to customers about exposures they may not be aware of, such as Cyber, and make them aware of insurance options, that delivers value.”
In fact, “if brokers aren't having that conversation with their client, it's really an open exposure for the client and an E&O exposure for the broker,” says Christine Marciano, president of independent insurance agency Cyber Data-Risk Managers. “I’m constantly taking calls from prospects where their local broker had no clue about Cyber coverage.”
“There is still a lack of good competent brokers that understand Cyber and can provide the confidence [to prospects] that the product is needed,” adds Richard Betterley, president of Betterley Risk Consultants Inc. in Sterling, Mass.
Physician, Heal Thyself?
“The efforts of carriers as a whole are not focused as much on the agents and brokers as they should be,” says Francis. “There is more the industry can do to empower the agent to understand customer issues and what the insurance solutions to those are—not just providing access to policies, but access to services that will help brokers and customers have a better security posture.”
It may also be difficult for Cyber carriers to make the case for coverage when so many insurers themselves forgo coverage: A.M. Best revealed in its Fall 2014 Insurance Industry Survey that a startling 53% of insurer respondents do not purchase Cyber insurance for their own companies. What message does that send, when the seller doesn't even purchase the type of coverage product being offered?
“The decision not to purchase Cyber for your own company is naive,” says Coletti, who confirms that XL does in fact carry it. “Maybe those insurers feel that they don't have an exposure, or their IT controls are sufficient, or they don't face any potential impact because they have good continuity plans and backups.”
However, some offer the counterpoint that cyber risk, like other exposures insurers face, can be self-insured.
“That many insurers don't have Cyber insurance is a fun fact that means little, as they can easily self-assume that risk in most cases,” Betterley says.
“If you are predominantly a commercial insurer, you don't have a significant amount of personally identifiable information in your possession, so a self-insured retention could be cost-effective,” says Hallstrom, adding that the commercial lines-focused CNA takes “a high retention” in its cyber risk management strategy. “If you do life or health, that changes.”
Rates & Capacity Outlook
Unsurprisingly, given the number of high-profile breaches, the retail sector has been slammed by rate increases. “The amount of premium being paid at higher levels of coverage in the retail sector is triple what it was early in 2014,” Goldstein says.
Brokers also report a noticeable pullback in capacity for retail clients. “There are some markets that have removed their virtual shingle for all things related to retail,” Hoyte says, adding that he's also seen an upward movement in the retentions that insurers demand from retail clients.
The picture is mixed on rates and capacity in the market for other classes. Willis reports a favorable rate environment outside of retail and healthcare, with flat renewals and a competitive climate for first-time buyers, although not to the extent seen in previous years.
“If you’re not in the retail space, there is still a fair amount of competition because Cyber insurers want to diversify their risk into other sectors,” adds Hoyte.
“Cyber is very competitive in the small market, which bodes well for the buyer and creates opportunity for agents. We have not had trouble placing the coverage of up to $100 million even for highly exposed accounts,” says Thornton. “Beyond that, it tends to get a little tougher.”
Other agents are seeing a different pricing picture. “Renewals are no longer flat—they are going up, and it's not just in retail,” Marciano says.
“Carriers are much more sensitive on capacity today than they were three years ago, when everyone was rushing in to the market,” she continues. “You can still obtain as much as $300 million for any one insured, but not every company will have access to that. Also, customers may be facing a higher retention to retain their current coverage limit without a premium increase at renewal.”
Bullish Outlook Persists
As Cyber insurers seek to diversify their books of business, expect more coverage innovations to target nontraditional classes.
“The market is developing more products—coverage for third-party trade secrets, expanded first-party business income coverage, the ability to insure intangible assets such as intellectual property and reputational harm. Those are all areas we’re evaluating right now,” says Coletti. He also expects to see more coverage standardization in what started as a specialty-lines coverage as standard-lines carriers continue to enter the market.
Interest in Cyber coverage among buyers will also continue to grow, driven by increased awareness of risk and demands from third parties, including lenders, trading partners, and regulators. ISO found in its study that 75% of Cyber carriers expect to sell more insurance next year, nearly a quarter expect growth of 25% or more, and, among carriers not writing Cyber currently, nearly half are considering offering it.
“With the increase in regulation, more and more digitization of information, and more and more devices storing data, the risks keep growing,” Coletti adds. “If you’re a broker considering what to focus your resources on, focus on Cyber.”