Cyber insurance is currently a $2 billion market, according toBetterley Risk Consultants Inc., and most cyber insurers reportconsistent premium growth in the double digits. Even so, onlyone-fifth to one-third of companies has any sort of cyber coveragein place, according to the Ponemon Institute. 

"The cyber risk insurance market is still a small market thatgets more talk than action, but it is a significant growthopportunity for brokers," said Ken A. Crerar, president and CEO ofthe Council of Insurance Agents & Brokers. 

Capitalizing on that opportunity starts with education."Businesses must truly realize that they have potential exposure intheir own operations. Only after such awareness develops doinsureds become interested in buying the coverage," according toPatricia A. Borowski, senior vice president at the NationalAssociation of Professional Insurance Agents. 

"The biggest challenge is getting small- and medium-sizedbusinesses to understand that cyber risk is important to insure,"added Joe Coray, vice president of The Hartford's Technology andLife Science Practice. "Large healthcare companies, financialservices, educational institutions—they get it. But unfortunatelywe're seeing many cyber events happen at small businesses that havelimited, minimal, or no coverage." 

Evolving Coverage, Emerging Risk

Cyber coverage has evolved over the years. "Initially,businesses were more concerned about the cost of responding to abreach, and that's what early cyber policies covered. We are seeingthem now worried also about their own loss. Although a lot ofinsurance programs are still primarily third-party, more carriersare starting to add first-party coverages," said ChristineMarciano, president of Cyber Data Risk Managers, an independentinsurance agency that specializes in data privacy, cyber liabilityrisk, and intellectual property protection. 

The challenge for producers is that no two insurers' policieshave evolved the same way. "Forms aren't standardized, so there isa lot of confusion in the marketplace about what a policy mightprovide insurance for compared to what customers are trying tocover," said Kirstin Simonson, second vice president, globaltechnology underwriting at Travelers.

"It's the producers' job to do their homework. They need to gothorough the coverage forms, sit down with their clients, and dotheir own due diligence. If they don't, it's their own E&Oissue," added Marciano. 

Not only do coverage forms keep evolving; so do the risks thatcompanies face. Business interruption, new types of cyber crime,and intellectual property are all issues businesses are looking tocover. 

"What we are seeing emerge within business interruption is aheightened demand for coverage and higher limits for companies thatreally need it. The interest is particularly acute in the energysector, manufacturing, and other industries that are concerned withhackers or malware getting into their systems and interruptingtheir ability to supply their customers," said John Coletti, a vicepresident at XL Group who leads the insurer's cyber and technologyunderwriting team.

Many current cyber policies provide some coverage for businessinterruption; the issue is limits and capacity. "At-risk businessesare looking for millions of dollars of coverage, and the marketright now can't provide that," Coletti said. 

Contingent business interruption is also a growing concern asmore companies turn to cloud computing vendors to host applicationsor provide infrastructure capacity. Coverage gaps exist becausetraditional business interruption forms require a covered loss atan insured location to trigger coverage, and even forms that offercontingent business interruption for unnamed locations typicallyinsure loss from physical causes, such as a fire or windstorm,rather than a cyber attack. 

Conversely, many cyber forms don't provide contingent businessinterruption coverage. "You would have to be able to underwrite thecloud provider in order to do so," Simonson said.

There are ways to cover that gap. "When underwritten on aproperty form, it may be possible to schedule a cloud location orbroaden coverage for unnamed locations of your cyber account," saidCoray. "In either option, a sublimit may apply to direct damage todata or business income, depending on the claimscenario." 

Contractual risk transfer is another option. Depending on theservice agreement between a business and its cloud provider, acloud provider may extend its own coverage to a customer's risk ifthe loss originated at the cloud provider's location.

"Understanding the exposure and how coverage for a data eventand related contingent business interruption applies is critical,"Coray said.

Emerging trends in cybercrime center around crypto-locking,ransomware, and other types of extortion where critical business orcustomer data is held hostage by hackers until money is paid.

"We are seeing more and more of this. There is also a lot moresophistication and organization among crime rings using botnets tobreach networks and extort companies to regain control of theirdata," Coray said. Depending upon the insurer, coverage for theseattacks may be available under either cyber or crime forms, meaningthat it is again incumbent on the agent to perform duediligence. 

Interest is also increasing in coverage for intellectualproperty risk. "Intellectual property and infringement are the nextbig insurance trends, especially with technology companies that canbe put out of business by either of those," said Marciano.

Companies are seeking first-party coverage for the revenueimpact of compromised intellectual property and liability coveragefor copyright and trademark infringement made by others against theinsured. 

"If a hacker steals trade secrets, that could have a monumentalimpact on a business," said Coletti. XL is currently doing R&Don how—and whether—to provide insurance for breach of a company'strade secrets."That coverage is largely unavailable on the marketnow, but I do see it as the next evolution of where cyber isgoing," Coletti said. "However, we're a long way from havingstandard coverage with filed rates and forms."

Seizing Opportunity

If there's one thing producers can be sure of in thiscontinually evolving market, it's that opportunity exists for thosewho take time to understand the market and to add cyber products totheir arsenal of risk management solutions.

"There's no doubt cyber will continue to grow—there are stillmany organizations that are just getting to the point where theyare convinced that cyber is something they need," said Coletti."Objective estimates that have been made of market size tell usthere is a lot of upside and a lot of growth for cyber products. Ithink there's another 30-percent growth potential."

Solution Snapshot

Cyber coverages vary widely among insurers. Here are highlightsof different programs and recent updates that carriers havemade. 

AIG enhanced its CyberEdge product in 2013 byadding several risk-management tools to its coverage. Organizationsor individuals seeking real-time information on cyber risk canaccess the free AIG CyberEdge Mobile App for iPad, iPhone andAndroid. AIG also offers its customers complimentary access tocyber security training for employees and vendors, a device thatblocks bad IP addresses from entering and exiting a network, 24/7access to a hotline operated by IBM and an external vulnerabilityscan with a consultation from IBM.

Chubb's CyberSecurity solutions have evolved toinclude coverage for business interruption and extra expenseexposures that the insured sustains due to a cyber attack on acloud provider it utilizes; privacy notification expenses coverageoutside the limit of liability; and coverage for financialinstitutions, including the cost to replace debit and credit cardsassociated with an actual or potential privacy loss. Chubb alsooffers loss prevention reimbursement for insureds that undertakeeffective steps to secure data, such as investing in encryptiontechnology.

Hiscox offers limits of up to $10 million inits Privacy and Data Breach Protection product. Recently, thecompany began offering excess capacity on first- and third-partyprivacy and data breach policies. In late 2013, Hiscox launched itsCyber Crime Protection endorsement to cover theft related tobusiness bank accounts, which lack the regulatory protection ofpersonal accounts. The company offers preventative services throughBreachProtection, as well as incident response coaching andresources through the Hiscox eRisk Hub powered by NetDiligence.

The Hartford offers smaller businesses a databreach endorsement for its Spectrum Business Owner's Policy, aswell as its stand-alone Data Privacy and Network Security LiabilityInsurance Policy, which is designed for small- and mid-sizedbusinesses. The company's CyberChoice product for larger risksoffers limits up to $10 million and has optional coveragesavailable to address first-party business interruption, cyberextortion and professional liability exposures, and its UniversalExcess Simplified form provides coverage over primary cyberpolicies.

Travelers offers CyberFirst for tech firms ofall sizes and public entities, as well as CyberFirst Essentials forsmall businesses and CyberRisk for companies that don't fit withinthe CyberFirst or CyberFirst Essentials platform. CyberFirst wasrevamped in 2012 and today provides an array of third- andfirst-party coverages, including extortion, business interruption,data restoration, computer fraud, funds transfer fraud, andtelecommunications theft.

XL Group's Eclipse product provides primary orexcess liability coverage for technology services and products,media content, data breach, and data privacy. First-party coverageis available for business interruption and extortion demand, aswell as for costs related to emergency response, reputationalmanagement, and forensics.