Cyber insurance market shows maturity as corporate security concerns riseReprints
The market for cyber insurance is finding a receptive audience as corporate concerns about the effect of data breaches rise and policy options available in the market continue to evolve.
A Business Insurance survey of 327 risk management decision-makers and 995 insurers, brokers and consultants conducted in March 2015 reveals that among the buyers surveyed, 80% acknowledged that the risk of penetrating their systems for the purposes of account manipulation, obtaining company, customer or private information or data destruction was a top concern.
Additionally, 63% of risk managers acknowledged that they purchased a specific cyber policy for their company, while 35% said they obtained coverage for cyber risks through other policies such as general liability or errors and omissions.
The series of high-profile data breaches that has hit companies in sectors ranging from retail to health care has helped clarify the need for dedicated cyber insurance policies, experts say.
“It's finally on every organization's radar,” said Tracie Grella, New York-based global head of professional liability for American International Group Inc. “We have been offering cyber insurance for the last 16 years, and it has really only been this year that we feel that awareness has been reached in the U.S.”
Carolyn Snow, director of risk management at Louisville, Kentucky-based Humana Inc. and former president of the Risk & Insurance Management Society Inc., agreed that the perception of cyber insurance has shifted recently among risk managers.
“We have reached a tipping point in people knowing and understanding that they should have the coverage,” Ms. Snow said.
In addition to reinforcing the need for dedicated cyber coverage, recent breaches such as the massive attack on health insurer Anthem Inc. have caused underwriters to intensify their scrutiny of cyber risks.
“The big claims we have seen are adding a lot of caution into the market,” Ms. Snow said. “It has certainly tightened significantly, particularly in the health care market.”
Adam Cottini, New York-based managing director of the cyber liability practice and area senior vice president for Arthur J. Gallagher & Co., said the scale and potential costs of the Anthem attack, which has been estimated to affect almost 80 million former and current policyholders, is noteworthy.
“There's been a revelation that the cost of data breaches is extremely expensive when there are a lot of impacted lives involved,” he said, noting that a company could exhaust an entire insurance tower just in the cost of notification and credit monitoring, forensics and attorneys.
“Just determining how many individual lives are contained on a computer network is a significantly more difficult question than it appears on the surface,” he said. But since Anthem, he said, the question repeatedly asked by underwriters is “How many individual lives do you have in your system?”
Given these mounting costs, many companies are changing their insurance programs by increasing both limits and the percentage of limits dedicated to cover costs associated with dealing with the immediate aftermath of a data breach, said Rich DePiero, New York-based head of cyber and technology in North America for Swiss Re Corporate Solutions Ltd.
“Even a few years ago on a $10 million limit, maybe 20% of that went to cover data breach costs,” he said. “Now, instead of buying $50 million in limits just to get $8 million in breach costs, those breach costs are now full limits.”
According to the risk managers surveyed, the average coverage limit for cyber risk was $24 million, while 18.9% of respondents said they have more than $50 million in coverage.
Still, many feel the limits are insufficient for large companies.
“If you are a company with a $30 billion market cap, I'm not sure the market is there to buy what could be considered the proper amount of insurance,” Ms. Snow said. “If all the big companies in the market went out and bought what's considered a proper amount, I'm not sure that the capacity is there.”
Mr. DePiero said there's a divergence between the large market and middle market for cyber cover.
“In the middle market space, you have seen it move toward more a partnership or service model,” he said. “Less sophisticated clients can come to their insurer and obtain access to some of the best (forensic and technology) service companies in the world to help them mitigate losses or prepare them so that they don't have a loss.”
In addition to buying a greater amount of cyber insurance, companies are also increasing spending on other cyber risk mitigation measures such as tools that provide active monitoring and analysis of information security, the survey found, with 53% of risk managers indicating that their company would increase spending on cyber security in 2015.
“A few years ago, IT and security was seen as a cost of doing business,” Mr. DePiero said. “Now, we have heard some companies say that their security operation has an unlimited budget — if they believe a security measure is worthwhile, they have automatic approval for it.”