To say demand for cyber insurance is increasing would be an understatement. Existing buyers are looking for higher limits. New buyers—from industries that had never considered it—are purchasing coverage. And companies of all sizes and stripes are looking for ways to transfer risk through insurance products.

“I think it's fair to say interest in cyber has increased across the board,” says William Boeck, senior vice president and claims counsel at Lockton Cos. “All types of companies are focusing more on the cyber risks they have, and as part of that, more are considering cyber insurance.”

Anthony Dagostino, executive vice president/FINEX Cyber leader at Willis Towers Watson, notes that a few years ago demand came mostly from heavily regulated industries such as financial services and healthcare. Retailers were quick to follow after suffering high-profile breaches. In more recent years, additional industries have entered the space, from manufacturing to education and professional services companies such as law firms and real estate agencies.

“Today, I'd say it's everywhere,” says Dagostino. “Companies in every industry are looking to buy.”

David Derigiotis, corporate vice president and director of professional liability at Burns & Wilcox, says demand is up not just across industries, but among companies of all sizes. Previously, small to midsize companies (with revenues of less than $100 million) tended to be of a mind-set that a cyber breach would not happen to them, he says. Today, those companies are recognizing their risks and purchasing coverage.

Aside from the broader spread of companies interested in cyber coverage, Oliver Brew, executive vice president, global head of cyber risk and head of international professional indemnity for Aspen Insurance, says companies that have bought cyber insurance previously are now looking at securing more meaningful terms. “Companies that bought $10 million [in limits] are now looking at $30 million,” he notes. “Companies that bought $50 million now want $100 million. That is a very common theme we're seeing.”

News reports featuring large, high-profile breaches in recent years have certainly contributed to the rise in demand, but other factors play a role as well. Tracie Grella, global head of Cyber Risk Insurance at AIG, notes that regulators are asking more questions about companies' processes and procedures—“and as companies look in and evaluate risks, they realize the amount that is actually there” and then determine how much to retain and how much to transfer through insurance.

John Coletti, senior vice president at XL Catlin, points to the natural evolution of business and technology—how much companies today rely on technology that is potentially susceptible to a breach—as another reason for the spike in interest.

Bob Parisi, U.S. cyber product leader at Marsh, says there has been a steady drumbeat with respect to demand for cyber insurance, and whether or not there was one single reason or event that flipped the switch for many buyers, the market has reached a point where everyone in an organization, from the board to the C-suite, recognizes cyber threats as an operational risk.

Cyber Threats and Solutions

For buyers, the potential of suffering a data breach remains top-of-mind. If they manage a lot of data, and if they have a breach, “they're concerned it will be extremely expensive,” Boeck says. “Clients also look for cyber insurance to cover losses they're going to have as a result of those breaches.”

Beyond just response costs, companies want polices that will respond to lawsuits, regulatory inquiries, and enforcement actions, says Boeck. He notes that policies do “a pretty good job across the board” when it comes to breach response.

“The markets created viable risk-transfer solutions and risk management products for customers,” Coletti adds. “We wouldn't have a $2 billion market if there weren't viable products.”

Yet cyber threats present a rapidly evolving set of exposures, and the industry needs to adapt to keep pace. Coletti explains that cyber is not a product like property insurance, which can essentially remain static for 20 years; a cyber product may look different over a period of a few years due to the way technology evolves.

Source: Statista

“We go out with the mind-set of being as flexible as possible, knowing this is an evolving product,” says Coletti. “You need to listen to what clients want. I think what we're good at is not shoving what we view as a product at them and not offering alternatives. Some competitors create a product they think is wonderful and try to make it the solution across the board.”

Derigiotis likewise stresses flexibility, and adds that's where E&S insurers are particularly strong. “We have the freedom and flexibility to negotiate coverages to make sure we're tailoring them to specific industries,” he says. “The E&S space is great for quick changes, amending forms, removing exclusions—we're very careful with terms and conditions for clients.”

In many respects, the industry has been able to demonstrate this flexibility to address buyers' emerging and changing concerns. Parisi says that as buyers' awareness of the risk has improved, so too has insurers' abilities to offer broader products. For example, manufacturing clients are interested in business interruption coverage that responds to a cyber event. Parisi says insurance solutions in this area were “decidedly sub-standard” 10 years ago; policies only covered website-driven revenue back then. Now, he explains, “we're looking at a cyber market that will cover any revenue that's disrupted from any kind of technology outage as long as it's not a physical event.”

Coletti notes that business interruption has expanded to include not just an insured's network, but a disruption when a dependent provider goes down as well.

He adds that the industry likewise responded in the area of payment-card breaches after high-profile events in recent years; insurers created affirmative coverage for the payment card industry (PCI) and for the cost that the PCI is assessing on insureds—the fraud costs and other assessments “that were not otherwise in insurance programs are now regularly seen in cyber programs,” he notes.

Remaining Cyber Insurance Gaps

Insurers also are working to address capacity issues for the largest companies, particularly the largest retailers. Matt Prevost, vice president and cyber product line manager for Chubb, says, “Although there is capacity for up to and over $500 million on a per-risk basis, the typical complaint is there isn't enough capacity for very large risks.”

He says companies are beginning to offer bigger blocks of coverage to address the need. In 2015, Chubb introduced a $100 million primary block of committed capacity, he adds, allowing brokers to build coverage from that primary block rather than from smaller blocks.

Work remains to be done in this area. “The market is looking to put together a $1 billion insurance solution that's not quite there yet for the largest organizations that exist today,” says Derigiotis, who notes that for companies below the Fortune 500 to Fortune 1000, there's still plenty of capacity.

The issue of covering physical damage and bodily injury resulting from a cyber attack is also high on the industry's radar. Boeck points to events over the last few years—such as the December 2015 cyber attack on a Ukrainian power plant and the December 2014 cyber attack on a German steel mill that resulted in massive damage to a blast furnace—as potential canaries in the coal mine for the “growing concern we will have a cyber event that causes massive property damage or bodily injury.”

He notes that cyber insurance policies typically do not cover property damage or bodily injury, and property policies—while they may provide silent coverage for property—do not provide affirmative coverage.

AIG is one company that has addressed this need. For energy, manufacturing, and transportation companies, Grella says that cyber attacks causing physical damage or bodily injury are a major exposure. “They want affirmative coverage, not just silent coverage,” she says. “We wanted to come out with a product that says, 'If you want affirmative coverage, you buy this policy and you will have affirmative coverage.' That's when we developed CyberEdge PC.”

Boeck says industry solutions for the risk of physical damage and bodily injury are “still in the formative stage,” and adds that many companies may not realize coverage exists. But he says the industry understands the need and he is confident that more solutions will be forthcoming.

Ransomware and Social Engineering

Parisi notes this issue is part of a convergence of the cyber realm and the real world that the industry has its eye on. Ransomware and, increasingly, social engineering attacks are on the rise—and represent another significant concern among buyers and the industry. Multiple experts mentioned the $17,000 payment in the form of bitcoins at the Los Angeles-based Hollywood Presbyterian Medical Center made earlier this year after a hacker seized control of its systems.

Boeck notes ransomware attacks are hitting everyone from individuals to large businesses, and while this threat may not be new, it is “something that is certainly on everyone's radar.”

Derigiotis says there is coverage and adequate limits for ransomware attacks, but coverage for social engineering losses, while available, is tougher to secure. These events result when employees are tricked into giving money away, rather than when someone hacks into the system. For example, employees may get an email from someone they think is their CEO or CFO asking for payroll information, Derigiotis says, or for a wire transfer of funds.

If an employee willfully gives money away, Derigiotis notes, it is not typically covered by a crime policy; a social engineering component must be built in to the insurance solution.

Experts note a particular rise in claims stemming from hackers: Dagostino says carriers are responding with more stringent underwriting standards when crafting these highly bespoke policies. There is a sharper focus on making sure sensitive information is encrypted, he says, adding that carriers also are looking at the culture around organizations. Is there a culture around privacy? Do employees understand their responsibility?

Dagostino says hackers are not necessarily getting smarter, but they are getting faster. He says zero-day-exploit kits, for example, allow hackers to launch attacks more rapidly and win the race between perpetrators trying to exploit holes and developers trying to patch them.

Pricing habits are also changing. “There's no more reckless abandon,” Parisi says. “That ship has sailed.” He says carriers have reacted to being on the hook for big claims in recent years, and insurers are demonstrating a maturity in the marketplace that's been long overdue.

Still, as with other evolving cyber risks, the industry is working on solutions. Damian Caracciolo, vice president, Executive Protection Practice, CBIZ Inc., says of social engineering, “Three years ago, that was not even contemplated in terms of coverage.” If insureds had a claim, they would have to work through the policy to determine whether coverage existed somewhere. Now, he adds, carriers are proactive in providing endorsements or building the coverage into new polices.

“It's not revolutionary, but it is evolving at a speed much quicker than [what] we have seen in other liability policies,” Caracciolo says of insurers' efforts to deliver meaningful cyber products and stay ahead of the risks. With the high level of demand, cyber can be an attractive area of focus for insurers, particularly as the commercial and specialty markets remain competitive. “I think cyber liability is an area a lot of carriers and wholesale and retail brokers want to be in because it's an area that's going to carry them through this soft market we're in right now,” Derigiotis says.

“If you're not involved in it, you're going to be left behind,” he adds. “If you're not talking to your client about cyber liability, it's guaranteed someone else is speaking to your client.”

Complete your profile to continue reading and get FREE access to Treasury & Risk, part of your ALM digital membership.

Your access to unlimited Treasury & Risk content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Thought leadership on regulatory changes, economic trends, corporate success stories, and tactical solutions for treasurers, CFOs, risk managers, controllers, and other finance professionals
  • Informative weekly newsletter featuring news, analysis, real-world case studies, and other critical content
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the employee benefits and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.