Some insurers are scaling back their coverage of retailers' cyber risk exposures as a result of Target Corp.'s massive data breach, while others are scrutinizing the risk more closely as retailer demand for coverage increases.
The data breach that exposed personal information of up to 70 million individuals has resulted in more than 80 lawsuits against the Minneapolis-based retailer, which revealed in December that malware on its checkout registers also led to the cyber theft of sensitive financial information from some 40 million credit and debit card accounts.
Businesses, before the Target breach, could obtain between $300 million and $350 million in cyber risk insurance capacity; however, sources say retailers now may be able only to secure a tower of up to about $250 million in cyber insurance, including up to $25 million in primary coverage. In addition, they may face higher retentions and premiums.
The Target incident, as well as data breaches involving other retailers, contributed to the insurance market reaction, experts say.
Individual insurers vary in how much capacity they will make available to build the coverage towers. Beazley P.L.C. offers $25 million in capacity per policy, said Tom Reagan, New York-based large-risk underwriter of breach response insurance.
The insurer “believes it's not if, but when” breaches are going to happen, Mr. Reagan said. While companies want to do everything possible to prevent them, “they are an inevitable fact of life for companies that deal with it,” he said. “From Beazley's perspective, we're fully committed to this space.”
Other insurers see it differently.
Ben Beeson, Washington-based partner at brokerage Lockton Cos. L.L.C.'s global technology and privacy practice, said some insurers are reacting in a knee-jerk fashion, saying, “We don't want to underwrite retailers any longer. Thanks very much. We're not open for business.”
“Some markets have been pulling back,” stating “they're not going to cover certain types of retailers, especially the larger retailers, but those markets are still interested in doing the small, mid-market retailers,” said Christopher Keegan, New York-based senior vice president of national resource errors and omissions and erisk at Willis North America Inc.
“It's hard to get more than $10 million from more than one market, but that's more reinsurance driven,” said Peter Taffae, managing director of Los Angeles-based Executive Perils Insurance Services. Eight months ago, “they'd give you $25 (million) in a heartbeat,” he said.
Dena Magyar, Charlotte, N.C.-based national practice leader at Wells Fargo Insurance Services USA Inc.'s professional risk group, said some reinsurers will not take any attachment point less than $10 million in excess of $10 million, whereas before the Target breach they may have accepted $5 million in excess of $5 million.
Mr. Keegan of Willis said $15 million in capacity “might be the most we would get out of a single (insurer) at the moment,” although retailers with existing limits of $20 million to $25 million may be grandfathered.
“There's a lot of retailers looking for higher limits, so we're building towers” for markets “that are comfortable” with the risk, Mr. Keegan said. Even so, “For the most part, rates are staying relatively stable.”
There may be up to $200 million of total capacity available for any one risk, and there certainly is at least $100 million “because we've just done a $100 million tower” with an unidentified client, Mr. Keegan said.
Mr. Keegan said some small insurers high in the excess coverage layer with limited cyber business premiums have pulled back.
“They're not pulling out of the market entirely, but looking for higher rates,” he said. Others, though, “are looking at it as an opportunity” to grow their market share.
Mr. Taffae said, “There's no one I could think of that has pulled out,” at least among significant cyber insurers, “but there are plenty of people that are cutting back on their limits.”
And insurers are implementing tighter underwriting controls, said Mr. Beeson of Lockton. Insurers “are going to be more stringent than they used to be” and are introducing higher retentions, some exclusions and increasing premiums, he said.
Then there are insurers that say, “This is when our clients really need the insurance industry and we're going to try to underwrite this thing,” Mr. Beeson said.
“What we've been seeing is definitely more scrutiny on medium to large-size retailers” because of the alarm the Target breach sent through the industry, said Mark Greisiger, president of Gladwyne, Pa.-based NetDiligence, which provides cyber risk management and information security services as the marketing arm of Network Standard Corp.
“We're seeing the underwriters are paying more attention to the actual technical exploits of how the bad guys” are entering into these networks, Mr. Greisiger said. A commonly asked question now is whether a retailer complies with the payment card industry data security standard of the Wakefield, Mass.-based PCI Security Standards Council. “Most of them are,” he said.
Ms. Magyar of Wells Fargo said underwriters are asking the same questions of policyholders as before, but “they're taking a harder line” on the answers. Previously, underwriters would accept a client that expects to be PCI-compliant in three months. Now they will still insure notification costs, but they will either exclude any legal liability or decline the business altogether.
Ms. Magyar also said she has seen cases in which new clients are being offered coverage on the condition that they accept a retention of $500,000, where she would have expected retentions of $100,000. In addition, retailers seeking cyber coverage are being charged higher rates — possibly as much as 50% higher, she said — than they would have been before the breach at Target, the nation's third-largest retailer.
However, “strong retailers with a consistent approach to their data management” are seeing relatively flat cyber insurance renewals, she said.