With high-profile, high-cost data breaches continuing to makenews on a regular basis, it's not surprising that there has been aspike in interest in Cyber Liability coverage. Yet that interestisn't always translating into increased sales, in part due to alack of understanding of the exposures by, ironically, those whocould be most at risk.

"It's still not an easy sale," says Brian Thornton, president ofProWriters, a managing general underwriter specializing inProfessional Liability coverage."On the plus side, there has beenmore education from both a broker and underwriter standpoint, butthere is still some resistance [among potential buyers]."

Indeed, not all companies have taken this risk seriously enoughto ensure their coverage is adequate to cover a major loss. Despitereported double-digit growth among brokers and insurers offeringcoverage, Cyber remains a relatively small market: A.M. Bestreports that 86% of carriers don't offer the coverageexclusively—bundling it into other types of cover, like GeneralLiability—and, in a November 2014 survey conducted by HanoverResearch for ISO, the majority of Cyber insurers write less than$10 million in premium.

In ISO's survey, 40% of respondents said the biggest challengein selling the coverage is that companies think they don't need it.Another 29% say they face the misperception by buyers that Cyber iscovered under existing policies.

A handful of key sectors accounts for the most commonpurchasers: healthcare, financial services, high tech, educationand—particularly in the past few years—retail. Sectors outside ofthose key five are harder to break into.

"There are a lot of companies that view the breaches in the newsand feel they are not a target because they don't process creditcards, medical information, or other consumer data," says JohnColetti, chief underwriting officer who leads XL's cyber andtechnology team. "However, they all have exposure."

"Companies need to understand that even if they don't havepersonally identifiable information [on customers] to protect, theyall have employee information. They may have third-party corporateconfidential information. They also have first-party exposure ifthey rely on their network to make goods or provide services," saysDavid Hallstrom, practice leader, information risk, at CNA.

Agents and brokers also report challenges in convincing smalleraccounts they need coverage. However, smaller companies mayactually be more vulnerable to attacks and to damage caused by databreach. According to the National Cyber Security Alliance, one outof five small businesses falls victim to cybercrime each year. Andof those, about 60% go out of business within six months of anattack.

"Throughout 2013 and 2014, breaches and regulatory changes havepushed Cyber to the forefront. More companies are doing their duediligence to really understand what their exposures are," saysNadia N. Hoyte, senior vice president at Willis' FINEX NorthAmerica.

Where there are uninsured clients, there is opportunity forgrowth. "The big opportunity lives outside the financial andhealthcare industries and on the commercial side—manufacturing,hospitality, entertainment," says Ken Goldstein, vice president andworldwide cyber liability manager at Chubb. "The chance is there toround out other lines of coverage with Cyber."

Educational Opportunity

Expanding into other sectors starts with educating buyers.Brokers need to keep tabs on news regarding data breaches andclaims paid, using third-party resources such as the PonemonInstitute and the National Cyber Security Alliance. They shouldalso capitalize on information offered by carriers, many of whichoffer branded versions of NetDiligence's eRisk Hub.

"If something hits the news, even if it's outside the customer'sindustry segment, it is usually generic enough to be applicable,"says Goldstein. "Show them the cost per record and the exposuresthat can be transferred via insurance—first-party loss, forensicscosts, credit monitoring, all the way through lawsuits impactingdifferent industry segments."

Brokers also need to combat common misperceptions, such as thatbusinesses using third-party data processors are insulated fromCyber loss exposure. "Clients who resist purchasing coverage areones who outsource," Thornton says. "For instance, small businessesmay accept credit cards but believe the risk lies with theircredit-card processors. It takes education to show them that justbecause they've outsourced the service doesn't mean they'veoutsourced the risk."

Tim Francis, enterprise lead for cyber insurance at Travelers,recommends that brokers include a quote for Cyber on every account."That serves two purposes," he says. "One, it combats theperception in the small and mid-sized markets that Cyber is tooexpensive to buy. Two, it demonstrates broker expertise. If youtalk to customers about exposures they may not be aware of, such asCyber, and make them aware of insurance options, that deliversvalue."

In fact, "if brokers aren't having that conversation with theirclient, it's really an open exposure for the client and an E&Oexposure for the broker," says Christine Marciano, president ofindependent insurance agency Cyber Data-Risk Managers. "I'mconstantly taking calls from prospects where their local broker hadno clue about Cyber coverage."

"There is still a lack of good competent brokers that understandCyber and can provide the confidence [to prospects] that theproduct is needed," adds Richard Betterley, president of BetterleyRisk Consultants Inc. in Sterling, Mass.

Physician, Heal Thyself?

"The efforts of carriers as a whole are not focused as much onthe agents and brokers as they should be," says Francis. "There ismore the industry can do to empower the agent to understandcustomer issues and what the insurance solutions to those are—notjust providing access to policies, but access to services that willhelp brokers and customers have a better security posture."

It may also be difficult for Cyber carriers to make the case forcoverage when so many insurers themselves forgo coverage: A.M. Bestrevealed in its Fall 2014 Insurance Industry Survey that astartling 53% of insurer respondents do not purchase Cyberinsurance for their own companies. What message does that send,when the seller doesn't even purchase the type of coverage productbeing offered?

"The decision not to purchase Cyber for your own company isnaive," says Coletti, who confirms that XL does in fact carry it."Maybe those insurers feel that they don't have an exposure, ortheir IT controls are sufficient, or they don't face any potentialimpact because they have good continuity plans and backups."

However, some offer the counterpoint that cyber risk, like otherexposures insurers face, can be self-insured.

"That many insurers don't have Cyber insurance is a fun factthat means little, as they can easily self-assume that risk in mostcases," Betterley says.

"If you are predominantly a commercial insurer, you don't have asignificant amount of personally identifiable information in yourpossession, so a self-insured retention could be cost-effective,says Hallstrom, adding that the commercial lines-focused CNA takes"a high retention" in its cyber risk management strategy. "If youdo life or health, that changes."

Rates & Capacity Outlook

Unsurprisingly, given the number of high-profile breaches, theretail sector has been slammed by rate increases. "The amount ofpremium being paid at higher levels of coverage in the retailsector is triple what it was early in 2014," Goldstein says.

Brokers also report a noticeable pullback in capacity for retailclients. "There are some markets that have removed their virtualshingle for all things related to retail," Hoyte says, adding thathe's also seen an upward movement in the retentions that insurersdemand from retail clients.

The picture is mixed on rates and capacity in the market forother classes. Willis reports a favorable rate environment outsideof retail and healthcare, with flat renewals and a competitiveclimate for first-time buyers, although not to the extent seen inprevious years.

"If you're not in the retail space, there is still a fair amountof competition because Cyber insurers want to diversify their riskinto other sectors," adds Hoyte.

"Cyber is very competitive in the small market, which bodes wellfor the buyer and creates opportunity for agents. We have not hadtrouble placing the coverage of up to $100 million even for highlyexposed accounts," says Thornton. "Beyond that, it tends to get alittle tougher."

Other agents are seeing a different pricing picture. "Renewalsare no longer flat—they are going up, and it's not just in retail,"Marciano says.

"Carriers are much more sensitive on capacity today than theywere three years ago, when everyone was rushing in to the market,"she continues. "You can still obtain as much as $300 million forany one insured, but not every company will have access to that.Also, customers may be facing a higher retention to retain theircurrent coverage limit without a premium increase at renewal."

Bullish Outlook Persists

As Cyber insurers seek to diversify their books of business,expect more coverage innovations to target nontraditionalclasses.

"The market is developing more products—coverage for third-partytrade secrets, expanded first-party business income coverage, theability to insure intangible assets such as intellectual propertyand reputational harm. Those are all areas we're evaluating rightnow," says Coletti. He also expects to see more coveragestandardization in what started as a specialty-lines coverage asstandard-lines carriers continue to enter the market.

Interest in Cyber coverage among buyers will also continue togrow, driven by increased awareness of risk and demands from thirdparties, including lenders, trading partners, and regulators. ISOfound in its study that 75% of Cyber carriers expect to sell moreinsurance next year, nearly a quarter expect growth of 25% or more,and, among carriers not writing Cyber currently, nearly half areconsidering offering it.

"With the increase in regulation, more and more digitization ofinformation, and more and more devices storing data, the risks keepgrowing," Coletti adds. "If you're a broker considering what tofocus your resources on, focus on Cyber."