Target data breach spikes interest in cyber insuranceReprints
Expanded coverage and a series of high-profile security breaches have helped spur buyer interest in cyber insurance, and insurers are more willing to customize that coverage to fit buyers' needs.
The massive data breach reported by Target Corp. in December substantially raised buyer awareness of the potential severity of cyber attacks, experts said.
“There really is now an awareness of the financial costs of breaches,” said Steve Bonnington, senior vice president in the global technology and privacy practice at Lockton Cos. L.L.P. in London.
Since the Target breach hit the headlines, “the phone has been ringing off the hook,” said Peter R. Taffae, managing director of specialty insurer Executive Perils Inc. in Los Angeles.
Buyers from all industry sectors now are exploring the coverage, Mr. Taffae said.
Risk managers are more aware of cyber risks and the insurance market is trying to educate buyers about their exposures and coverage needs, said Iain Ainslie, technology and cyber liability underwriter at Ace European Group in London, a unit of Ace Ltd.
Risk managers are examining first-party cyber risks their organizations face, and are asking themselves, “We know what would happen if a factory burned down. What would happen if our (computer) system failed?” Mr. Ainslie said.
The recent development of meaningful coverage for first-party cyber exposures has helped to boost takeup by buyers, said Karen Allen, a director at Howden Insurance Brokers Ltd. in London.
Risk managers also are getting “their heads around” potential third-party risks and how such risks would affect their business, Mr. Ainslie said.
“This is a product that is constantly evolving,” Ms. Allen said. “Every month or so, underwriters are broadening” their offerings.
“The cyber policy has matured and expanded coverage and available limits over the past few years,” said Chris Thorn, Dallas-based senior manager of payments and risk at Southwest Airlines Co.
“I am encouraged that I will be able to present my executives with viable options to consider,” Mr. Thorn said, adding that Southwest just moved to buy its first cyber insurance policy. “The recent credit card data breaches suffered by several retailers are causing some markets pause in expanding their book,'' but there's still plenty of coverage capacity from insurers.
“This is very similar to the way (directors and officers coverage) developed,” Ms. Allen said, explaining how buyers were tentative when D&O coverage was launched, then they adapted and most companies bought it.
The insurance market has reacted to demand from buyers and to risk managers saying, “Here are our real risks,” said Bob Parisi, managing director of the FINPRO division at Marsh Inc. in London.
Coverage now can be bought for the failure of any technology that affects a business, outsourcing risks, vicarious liability and contingent business interruption, Mr. Parisi said.
“We're at that point now where (the market) is beginning to align products much more closely with the exposures,” said Dan Trueman, head of the cyber division at Novae Group P.L.C. in London.
Risk managers and technology experts, such as chief information officers, should work as partners when examining potential exposures, he said. Also, there is greater understanding by senior executives that many of these risks are insurable, he said.
“We most certainly have seen an increase in the volume of inquiries and takeup rates” for cyber coverage, Lockton's Mr. Bonnington said.
“Buying tailored cyber coverage is absolutely necessary,” said Ethan Harrington, insurance and risk manager at H&R Block Inc. in Kansas City, Mo.
While coverage could not be described as “overly broad,” insurers are willing to work with buyers on “more broadly written coverage” to meet each client's needs, Mr. Harrington said.
Coverage tailored to a client's specific needs also is becoming more common, Ace's Mr. Ainslie said.
To understand the greatest exposures, “the risk manager should work with their broker to understand how to better benchmark against their peers,” Mr. Harrington said.
Risk managers also should work with chief information and/or chief security officers within their organizations to evaluate their greatest fears, he said.
As questions of network security and the consequences of a failure have become higher profile, representatives of legal, human resources, internal audit and other departments have become involved in the cyber risk management and insurance purchasing process, Mr. Bonnington said.
“That results in a better dialogue with the insurance market, and a higher level of engagement,” he said.
Mr. Thorn said he achieved the best results in securing the airline's cyber coverage by holding face-to-face meetings with underwriters and by inviting underwriters to talk directly to senior executives.
Brokers need to take the time and have the skills to truly understand the buyers' cyber exposures, while buyers must “appreciate and look to the policy as a financial instrument” and educate the broker and underwriters, Mr. Taffae said.
“This line of coverage is moving faster than a speeding bullet; and unless you are in the trenches every day, you cannot secure the best coverage” for the buyer, Mr. Taffae said.