Cyber-Coverage Potential Boundless

Rick Betterley, president of Betterley Risk Consultants of Beverly, Mass., estimates annual premium for this relatively new line in the $250-to-$300 million range. While that represents more than a 50 percent jump from last year, there is plenty of room for growth, he says.

"It seems odd to us that with the proliferation of Web-channel commerce, there is not more of a rush toward these specially designed products," Mr. Betterley said.

American International Group Inc., Chubb, Hartford and St. Paul Travelers are among the major commercial writers of a variety of cyber-coverages, according to a market survey compiled by Mr. Betterley.

Cyber-insurance came into its own at the turn of the century with many of the technology companies for whom the products were targeted well aware of the unique risks they faced.

Underwriter Aaron Latto of St. Paul Travelers recalls his company's first product reaching beyond the technology companies, which came out in 2001. The prime risks covered dealt with failure to prevent virus transmission and failure to prevent unauthorized disclosure of personal information, Mr. Latto said.

Carriers face the challenge of motivating a generalist group of agents to make the effort to educate and motivate themselves about this new risk. "And more and more, the potential insureds play a key role here," Mr. Latto said. "Especially this year, you will have a handful of clients who are sophisticated and they will ask their brokers to help" them manage cyber-risk, he said.

He explained that widespread media coverage of major data disclosure failures will help spur awareness of the need.

Mike Dandini, vice president of The Hartford, said that proposed California state legislation requiring companies to report data-security breaches has prompted ChoicePoint to now disclose all such incidents throughout the country. "Other companies have followed suit," he said.

Last year, one or more identity thieves posed as customers for Atlanta-based data broker ChoicePoint, and as a result left about 145,000 personal-information records vulnerable for theft.

Just as HIPPA and Gramm-Leach-Bliley have set new privacy standards in the health care and financial services industry, new legislation will likely affect the technology sector, Mr. Dandini said.

How profitable is the line of insurance?

"For St. Paul Travelers, it has been profitable, and I attribute that to us being cautious and prudent as we entered the market," Mr. Latto said. "We have gradually increased our scope of coverage and appetite. We want to learn and be in this for the long term."

Any line of insurance will make a profit with good underwriting, and cyber-risk presents some unique challenges, not the least of which is its youth.

"The legal landscape–about who is liable for what–is changing, and in many areas unsettled," he said. "So it is more difficult to have benchmarks of liability that you can underwrite against," Mr. Latto said.

Since cyber-insurance products are new, a lack of actuarial data on losses will always make coming to a bottom-line figure more difficult.

"And it is very hard to get that actuarial grade data from other sources," he said. For example, the FBI and other surveys of cyber-losses are hampered by the difficulty in quantifying such losses along with reluctance of companies to report them "unless they are in a very anonymous context."

"After all, if you are a bank, you wouldn't want people to know you are getting hacked all the time," Mr. Latto said.

Mr. Dandini said the changing roles of companies require constant attention to the type of cyber-coverage provided.

"Just look at the telecommunications companies," he said. "They are no longer just phone companies. They have hardware, software, Internet and voice-over Internet Protocol. All of these risks have to be considered."

As for insurance market pricing conditions, Mr. Latto said that cyber-coverage hasn't softened over the past couple of years like other lines. "I think it comes from the fact the market is smaller and the carriers are very cautious," he said.

Since 1999, St. Paul has committed to offer this coverage in the admitted market, as opposed to other big carriers which go the opposite route. "It gives policyholders and agents a much greater degree of stability and predictability," Mr. Latto said. "Frankly, it is scarier for us as a carrier because we then become regulated and a lot less flexible."

Mark Hutchins, senior vice president for Kansas City-based Euclid Managers, has been in the insurance business for 30 years, which has given him a solid background for his last few years coping with the challenges of cyber-risk.

"I think the biggest challenge in marketing this product is getting the buyer to recognize the challenges that they may be exposed to," Mr. Hutchins said.

As an underwriter, Mr. Hutchins said the main challenge is to determine from data that potential insureds provide just what they are doing, and how they do it. "Also, what kind of controls and management they apply to their operations," he said, adding that relationships and contract terms with third-party vendors and customers will also play key roles in calculating the risk.

Mr. Hutchins said his ultimate clients are, for the most part, those businesses that have developed Internet-based services. "And more and more brick-and-mortar companies are doing this"–providing Internet services, even though that is not the only business for these non-tech companies.

As for the most common claims, Mr. Dandini said they are class action suits related to privacy, even if no definitive damage has resulted. "Much of this is speculative at best," he said.

Adequate IT infrastructure, incident disclosure processes and proper security controls will thus become critical loss control items in the future.

"Companies have always understood the traditional risks, such as bodily injury and property damage, but not the pure financial risk associated with professional liability," Mr. Dandini said. "It is a gradual process that is starting to speed up lately."

Standard lines companies today are shying away from cyber-risks, at least in the admitted market, according to market participants.

Euclid's cyber-risk policy is written on a non-admitted basis through Hudson Specialty Insurance Company. "It was the quickest way for us to get into the market in 2003," Mr. Hutchins said. "To go admitted you have to file your forms and rates in all the states, and that is a very tedious process."

In addition, the added flexibility of the non-admitted market "allows us to provide a better product and better service, because we can build more flexibility into our underwriting process."

As for liability limits, Mr. Betterley said that significant capacity remains. "Chubb will entertain limits up to $50 million for the liability portion of one of its property-casualty product, while ACE Digital technology products, AIG and Chubb (for two other products) have a $25 million capacity in house," he wrote in his most recent cyber-risk market survey.

Carriers seldom demand assessments of a prospective insured's security policies before writing coverage–a requirement that was more common in past years. "Typically, but now always, any required assessment is free," Mr. Betterley said.

While some assessments are simple such as a review of a Website, others require an on-site review by third-party firms. "Of course, the scale and intensity of the assessment is dependent not only on the carrier's underwriting philosophy but also on the nature and role of the applicant's business being considered," Mr. Betterley wrote in his report.

"Companies have always understood the traditional risks, such as bodily injury and property damage, but not the pure financial risk associated with professional liability."

Mike Dandini, V.P., The Hartford

"The legal landscape–about who is liable for what–is changing, and in many areas unsettled…So it is more difficult to have benchmarks of liability that you can underwrite against."

Aaron Latto, Underwriter, St. Paul Travelers