John Mullen clearly remembers the state of the Cyber insurance market 10 years ago. “As a relatively new coverage, very few companies were buying it,” says Mullen, managing partner in the Philadelphia regional office of Lewis Brisbois Bisgaard & Smith. “Underwriters couldn’t get brokers to understand and sell it or businesses to appreciate it.”
How times have changed. Today, Cyber insurance is a more than $2 billion business, and business is thriving in Lewis Brisbois’ privacy and network security practice — which has grown from a staff of one to a division with 15 full-time lawyers dedicated solely to data privacy law.
Mullen’s practice supports insurance carriers in the services they provide to their customers, which include post-breach tactical response: “We parachute in and help businesses respond when there’s been a data privacy event,” he explains. “We’ve gone from searching for breach headlines years ago to seeing them on a daily basis now, which keeps us very busy.”
Cyber loss activity is not only increasing, it is increasingly expensive. In late September, cyber risk assessment firm NetDiligence published its fifth annual Cyber Claims Study, a survey of actual losses for data breach events covered by various leading Cyber liability insurance carriers. The study found that the average cost per breached record increased from the prior year, as did the average cost for crisis response services. The average claim payout for a large-company data breach saw a whopping increase from $2.9 million in the 2014 study to $4.8 million today. Health care was the most frequently breached sector, followed closely by financial services and retail.
Insurers’ experience with data breach claims is changing the way coverage is underwritten for this ever-evolving risk. “We’re always trying to learn from our experience — and even better if we can learn from someone else’s experience,” says Tim Francis, enterprise lead for Cyber insurance at Travelers.
Francis explains that Travelers is focused on the differences among industries and different-size companies within those industries. “In the past, we asked the same sets of questions to all customers,” he says. “Now, in many cases we’re actually asking fewer questions but those questions are targeted to the exposure that class or size of business has.”
For instance, in the hacker-targeted retail sector, underwriters are looking more deeply at point-of-sale systems and other technologies that store customer data.
“Underwriters look at whether sensitive data is stored, how much data is stored, and how it is stored. They are looking into retailers’ systems to be sure they have state-of-the-art security in place,” says William Boeck, senior vice president and claims counsel at Lockton Cos.
Another difference between the underwriting environment of today and just a few years ago is that companies are employing specialists in technology. “Insurers that have not added staff with that specialization are using third parties to help them,” Boeck says.
“We’ve hired people who have an information security background and trained them on insurance, whereas in the past we’ve hired underwriters with a financial background and trained them on Cyber,” reports John Coletti, chief underwriting officer of XL Catlin's North America Cyber & Technology unit.
“We’ve improved as an industry at underwriting risk, not just from a pricing standpoint, but in understanding the key security and privacy questions to ask,” Coletti says. “That includes detailed technical questions into a company’s security architecture that were not being asked before. That is vital because if you can pinpoint where vulnerability exists, you can not only improve your loss ratio, but also provide a benefit to the customer.”
Evolution of Coverage
Although Cyber was originally designed as a liability coverage, first-party language has become the centerpiece of the product. Across the claims reported in NetDiligence’s study, 78% of loss costs were allocated to crisis services, including forensics, notification, and credit/ID monitoring. Of the remainder, 8% was spent on legal defense, 9% on legal settlements, 1% on regulatory defense, 1% on regulatory fines, and 3% on PCI fines.
“There’s no question that the coverages available today are broader than five years ago,” says Mullen. “Coverage for business interruption, contractual obligations, fines and penalties — these are things that were not available at all before or were available only on a limited basis. There’s no question that the market is more complete in its packaging of a solution, and that’s driven by awareness of breaches as well as brokers and carriers working to provide coverage for those breaches.”
Contractual coverage is a particularly important feature for companies that face assessments levied by card issuers. Boeck explains that when a retailer experiences a data breach, the card brands issue new cards to consumers, then seek to recover both fraud losses and reissuance costs. “In many cases that is done through contractual assessment, not a lawsuit,” he notes. “Early policies either excluded assessments or had a very low sublimit that was inadequate for them. That is changing, particularly in light of recent data breaches involving retailers.”
Coletti says that cyber policies will continue to evolve. “Just as the product we have today is not what it was 10 years ago, in five years it will look different again,” he states. “It’s going to be incumbent on cyber insurance underwriters to create products that customers demand and that reflect changing exposures, such as the continued integration of technology into everyday life.”
For instance, automobiles include an increasing amount of “smart” technology. While providing important navigational support, collision-avoidance, and other safety functionality, those systems are also potentially the targets of hacking attempts.
“If a car is hacked into and taken over and a collision occurs, will that type of bodily injury or property damage exposure be covered by a standalone Cyber product or standard-lines policy?” Coletti ponders. “Those questions need to be resolved.”
Additionally, breach response services have become an increasingly important part of the service package that Cyber insurers offer.
“If a customer is looking to buy Cyber insurance, they are looking for more than coverage. They are looking for access to risk management advice and services,” says Francis. “They are concerned that if an incident happens there is help available. Agents need to understand that dynamic and partner with a carrier that can help.”
Like many Cyber insurers, Travelers offers clients its own branded version of NetDiligence’s eRisk Hub, which provides breach coaching, crisis communication, and forensic experts. NetDiligence says that leveraging legal counsel early in the claims process minimizes mistakes on the part of the affected organization and reduces follow-on regulatory fines, legal defense and settlement costs. The firm estimates that data-breach response costs for an insured company that uses response services are up to 30% lower than for uninsured organizations.
Although the overall market for Cyber remains well-capitalized and competitive for most sectors and business sizes, hard-hit industries such as retail and healthcare, and individual accounts that have experienced Cyber claims, have seen dramatic price spikes.
“If you’re in a class that has breaches you are going to be impacted, no question,” Coletti says. “You’re seeing accounts experience large increases at renewal, even going from premiums of $20,000 per million of coverage to $70,000 per million. Seeing triple increases in premium is not abnormal, and deductibles are increasing as well.”
Breach activity has also spurred quote activity. “A couple of years ago, agents spent a lot of time trying to convince customers. There wasn’t as much conversation about the merits of one coverage versus another; it was about the need in general,” says Francis. “Now, because of news headlines, more people realize that they should buy coverage or make sure their coverage is adequate.”
However, those quotes don’t always turn into issued policies. Estimates are that less than 20% of businesses actually carry cyber coverage. “Although the sensitivity of the average risk manager has gone up on the issue and they are researching coverage, it doesn’t mean they’ve secured the coverage,” says Mullen.
The percentage of companies carrying coverage is even lower among smaller organizations. “Small organizations may feel that they’re immune from cyber exposure, but the truth is that most incidents involve smaller companies,” says Mark Greisiger, president of NetDiligence. Indeed, businesses with less than $50 million in revenue experienced the most incidents (29%) in NetDiligence’s study, followed closely by organizations with less than $2 billion in revenue (25%).
“Fundamentally, there are simply more targets—more small organizations than large ones,” Greisiger says. “Also, smaller organizations have been less aware of their exposure and have fewer resources to apply to data protection and security training for employees compared to their larger counterparts.”
Nevertheless, Cyber is expected to grow. PricewaterhouseCoopers estimates that the global market for Cyber could expand to $5 billion by 2018 and $7.5 billion by the end of the decade, and there is plenty of capacity to take up the demand. Turning window-shoppers into buyers will simply take time.
“The last two years have seen increased awareness on the part of buyers and potential buyers, and the next two years are going to see that increase further,” says Boeck. “We will eventually cross the line between Cyber insurance being a ‘nice-to-have’ line of insurance to a ‘must-have.’”
“You just can’t avoid reading about breaches when you pick up a newspaper or read a blog, and that has a cumulative impact on the way risk managers think,” adds Coletti. “Over time, the market will grow to where the majority of businesses carry coverage. It’s not going to happen overnight, but the road map has been laid out.”