Cyber insurance rates squeeze retailers, but market remains soft

Major retailers are getting pinched in the cost and availability of cyber insurance, but pricing generally remains soft despite some insurers limiting capacity or even exiting the category.

The cyber insurance market has been hit multiple times in the past year, including by major data breaches affecting Target Corp., Home Depot Inc. and, earlier this month, Anthem Inc.

“It's a market that's seeking to find its footing,” said Robert Parisi, managing director and national cyber risk practice leader at Marsh L.L.C. in New York. “You've got a market that's had a couple of shocks in terms of some high profile breaches over the past 18 months,” and some insurers are aggressively pushing forward while others are “stepping onto the sidelines and licking their wounds.”

Some insurers are exiting the market entirely, “not because of any real losses,” but based on their fear of potential losses, he said.

Insurers that covered large retailers have had “some big claims on their hands, and they didn't expect that,” said John Coletti, New York-based chief underwriting officer of cyber and technology at XL Group P.L.C.

Still, cyber coverage is one of the few areas of opportunity either because companies do not have it or rely on inadequate coverage, Mr. Parisi said.

Among retailers, financial institutions, hospital and health care facilities, “there are huge increases in demand right now,” while for the first time in 15 years there is the potential that capacity will decrease, said Kevin Kalinich, Chicago-based global practice leader of cyber risk insurance at Aon Risk Solutions.

Most insurers are “not completely running away,” but are reducing capacity, he said. Insurers that had offered $20 million to $25 million capacity now may offer $10 million, and those that offered $10 million now may offer $5 million, he said.

“You've got more companies buying coverage and more kinds of companies buying coverage,” including a broader spectrum of small- and medium-size companies, said Timothy C. Francis, second vice president at Travelers Bond & Financial Products in Hartford, Connecticut.

Meanwhile, boards of directors are “engaged with their risk managers more than ever” in trying to understand cyber risks and the role insurance can play, which is driving demand, said Catherine Mulligan, New York-based senior vice president and national underwriting manager of specialty errors and omissions at Zurich North America Inc.

Part of the challenge is that cyber coverage is not “homogenized” among the more than 30 insurers that do offer the coverage, said J. Andrew Moss, a partner at law firm Reed Smith L.L.P. in Chicago.

Cyber coverage “is a little bit all over the map because the nature of the risks does not lend itself to easy categorization,” he said.

Insurers “that were out on the edges already, and only played in the excess market, are starting to decide they don't want to deal with it,” said Michael Born, Kansas City, Missouri-based vice president of the global technology and privacy practice at Lockton Cos. L.L.C.

Insurers are paying more attention to the exposure of their overall book of business rather than individual accounts, Travelers' Mr. Francis said.

“We are closely watching aggregation exposures and price adequacy on national accounts,” Kurtis Suhs, Atlanta-based vice president of technology insurer Ironshore Insurance Services L.L.C. said in a statement.

Kristy Harris, Dallas-based manager of corporate insurance at Southwest Airlines Co., said she expects retailers that rely on credit-card machines for payment “are going to have a harder time getting the limits” they seek.

While the airline processes only a limited number of payments via credit-card machines, “it's a very unknown space now,” Ms. Harris said.

Experts say the large retail segment has had the most capacity withdrawn and what remains could see double-digit price increases.

Peter Foster, New York-based senior vice president, network security and privacy, media, tech professional and intellectual property at Willis North America Inc., said, “Large retailers are seeing some strong pushback from underwriters. A few underwriters will not write retail now,” especially retailers with multibillion-dollar annual revenue; other underwriters are reducing capacity, increasing their retentions and/or premiums.

“If you're buying, let's say, $100 million in coverage, it may take a couple more (insurers) to add that $100 million up,” Travelers' Mr. Francis said.

Mr. Foster said many financial institutions have gotten more capacity, such as moving from $200 million to $500 million in limits, in exchange for higher retentions, such as moving from $50 million or $100 million.

And while the Anthem data breach affecting 80 million people is massive, its effect on the cyber insurance market is not yet clear, said Marc S. Voses, a partner at Kaufman Dolowich Voluck L.L.P. in New York.

While it will increase health care company demand for the coverage, “there are too many variables” to determine its effect on rates, he said.