Login Register Subscribe
Current Issue

Cyber insurance comes of age


Cyber insurance is expanding and shifting its focus.

Where once the primary emphasis was on privacy protection, there is now increasing attention being paid to business interruption, contingent business interruption — for disruptions caused by vendors — internet-caused property damage and cyber crime policies, experts say.

Observers describe the market as competitive, with some 70 insurers offering the coverage. Policyholders are generally satisfied with the limits they are getting, albeit some say there is a risk-reward equation to be considered as higher limits become costlier (see related story).

Meanwhile, the Equifax Inc. data breach could have some long-time implications for the industry (see related story).

“It’s a good time to be a buyer of cyber insurance, between the broadening coverage in the policy form and the competitive pricing,” said Robert Horn, associate director at Crystal & Company in New York.

The cyber insurance market is “robust and growing, and it’s growing in a way that probably no one foresaw five, six years ago,” when “everyone was very much fixated on privacy breaches,” said Bob Parisi, New York-based cyber product leader at Marsh L.L.C.

“No one was paying attention” then to issues including operational risks, the disruptions cyber problems can cause in business, or the property issues cyber can create, he said.

While the market was responsive to the issue of privacy breaches, “there was a misconception among other sectors, such as manufacturing, that they did not have cyber risks. And even if they did, the cyber insurance market was not responsive to their needs,” Mr. Parisi said.

Observers say the now-broadened offerings include coverage for systems failures, which can be triggered not only by a breach but by any factor, including human error or a technical glitch.

The cyber insurance markets are starting to provide business interruption and contingent business interruption with limits in the “hundreds of millions of dollars,” Mr. Parisi said.

Insurers are “continuing to build out how cyber is interacting” with other policies, including kidnap and ransomware, general liability and product liability policies, said Joe DePaul, New York-based cyber/errors and omissions practice leader for Willis Towers Watson P.L.C.

They are starting to offer difference-in-conditions and difference-in-limits polices for cyber coverage that could fit as umbrella coverage over policies including property, kidnap and ransom and potentially even directors and officers liability, said Florence Levy, Denver-based senior vice president for cyber/E&O with JLT Specialty USA, a division of Jardine Lloyd Thompson Group P.L.C.

“What we’re seeing is coverage pushing out in every direction,” said Nicholas Economidis, Philadelphia-based underwriter of professional liability and specialty lines at Beazley P.L.C.

American International Group Inc., for instance, is moving toward explicit coverage for both physical and nonphysical cyber-related risks in its policies. The premium charged will be based on the risk, the threat environment and the potential business impact, according to a market source.

“Essentially, this is still a young but maturing market,” said Tim Marlin, Alexandria, Virginia-based senior managing director and head of cyber and professional liability underwriting at Hartford Financial Services Group Inc. “Given the fluid nature of cyber risk and the fluid nature of the threats, the industry is staying close” to emerging trends, including the move toward property-related and business interruption coverages, as well as the addition of explicit cyber extortion wordings in policies, he said.

Adam Cottini, managing director of insurance and risk management in North America at Arthur J. Gallagher & Co. in New York, said policyholders must coordinate their policy portfolios to see what is covered, how coverage is triggered and what mechanisms are in place to respond to first-party property damage and loss of data.

Competition is strong, though. “At this very moment I would describe the market as still relatively soft,” said Michael Born, Kansas City, Missouri-based vice president of the global technology and privacy practice at Lockton Cos. L.L.C.

Insurers that have traditionally put sublimits on certain coverage are now offering full limits, he said, and many are offering full retroactive coverage instead of limiting the coverage date to when the policy was first purchased.

In the meantime, “organizations that can really demonstrate” they have cyber security controls and hygiene are experiencing slight decreases in rates, while most primary and excess polices are experiencing flat to single-digit increases, said Mr. DePaul.

Mr. Cottini said the market can be divided into segments based upon size.

The market is fairly competitive for businesses with less than $250 million in annual revenue. For those with more revenue, while the competition is still robust, it is “definitely not as competitive as that lower tranche of business” because larger companies, with their greater amount of data, have larger potential losses, he said.

However, Ms. Levy said that while the market is “relatively robust from a capacity standpoint,” the pool of markets “greatly shrinks” when it comes to insurers that write primary coverage for large, complex customers. She also said underwriters are “beginning to be a little more critical and scrutinizing the underwriting process.” They are “going to be very focused on managing their aggregation limits,” including cases where there may be aggregation from additional lines of business from a cyber event, she said, pointing to “silent cyber,” which are noncyber policies indirectly impacted by a cyber event.

Also, while rates have been “probably still flat” the past year or so, “if we have a couple more major breaches the pressure’s going to be on premiums going up a little bit,” said Steve Bridges, senior vice president of the cyber/E&O practice with JLT Specialty USA in Chicago.

Penetration into the market is growing, experts say.

“We’re seeing much more interest from organizations that fall outside” of what can be called the “information holder” industries, including health care, financial institutions, retail and hospitality, said Stephanie Snyder, Chicago-based senior vice president and national sales leader for cyber insurance with Aon P.L.C. These include the manufacturing, food/agriculture, life sciences and energy sectors.

The penetration rate among large, complex organizations is around the 80% mark, said Mr. DePaul, who estimated the overall penetration among all firms to be 25%. But among small and middle-market firms, “there’s still quite an opportunity there,” he said.

With recent incidents, though, “more organizations are exploring stand-alone cyber polices,” said Jennifer Rothstein, senior director at Kroll Associates Inc. in New York.

“One of the nuances and benefits of cyber liability coverage is not just as a financial reimbursement tool,” but in its ability to offer access to experts and risk management programs, she said.