It seems like there is rarely a day that goes by in which news of a new or enhanced cyber insurance product isn’t announced.
Capacity in this marketplace has increased tremendously in the last five years, as has demand, but it is not keeping pace with what the insurance marketplace has produced, say experts. Instead, all that capacity is pushing rates down in a segment that has tremendous opportunity for – and evidence of – loss.
According to the Ponemon Institute’s “2012 Cost of Cyber Crime Study,” which looked at cyber crimes in the U.S. for 56 organizations, the average yearly cost of a cyber crime was $8.9 million, with a range of $1.4 million to $46 million – a 6 percent increase from the 2011 study.
Attacks have also increased, with the companies in the study experiencing 102 successful attacks per week or 1.8 successful attacks per company per week.
These sobering statistics – along with headlines from the massive Target breach, Nieman Marcus, and other high profile incidents –are helping to push demand for cyber coverage, particularly among larger companies, say insurance experts.
“[The buy rate] among larger companies was probably around 20 percent five years ago and is now in the 50-percent range, with at least 70 percent of the market considering cyber coverage,” says John Kerns, executive managing director for Beecher Carlson in the New York office. “And a lot more companies are going through the process of looking at the coverage but still haven’t made the decision to buy.”
Kerns says cyber insurance products have been around long enough now, and there has been enough support from within organizations’ own IT department, for companies to justify at least finding out more information about the coverage.
“IT used to hesitate, saying the chance of having a breach was low and if one did occur, it was hard to imagine the company would incur significant losses,” says Kerns. “Now what’s making companies lean towards buying the product is the IT people realizing it is a continual game and while they do their jobs well, it is good to have a backstop and not a bad idea to have some insurance.”
Industries like retail, financial services and healthcare are particular targets right now because of the large amounts of personal data they collect and store. Beecher Carlson created a new cyber liability and data breach response coverage for these sectors, as well as the energy sector, which offers limits of $50 million. Coverage includes business interruption and extra expense and full policy limits and extends coverage for contingent business interruption and extra expense to the insured as a result of act of third-party vendors.
Where the demand is not increasing as rapidly as the industry would like is among small to medium-size organizations. Information from research firm Advisen found that only 5 percent of companies with revenues under $5 million buy coverage.
Underwriters say small businesses have the perception that they are not targets. Also, when a breach does occur to a smaller organization, it typically doesn’t receive the attention that comes with a large company like a Target, so the shock factor isn’t there either. But claims for this segment are increasing.
“Hackers are not prejudiced to small businesses,” says Matt Donovan, national underwriting leader for technology & privacy at Hiscox. “If you are a small business in the right industry sector you are going to have a lot of valuable info so you can be a target.”
Donovan says smaller businesses may also be more prone to incidents arising from situations other than a hack, such as user error, rogue employees or portable devices being lost or stolen. They also don’t typically have dedicated legal teams keeping up on changes in privacy regulations that can leave a small business open to a lawsuit.
Lisa Doherty, president of Business Risk Partners (BRP) in Windsor, Conn., says one of the ways they have tried to encourage small and mid-market clients to purchase coverage is by emphasizing the add on services that comes with it, such as risk management to protect data and crisis management if a breach occurs. BRP began offering standalone data breach/privacy coverage through Liberty International Underwriters in January because it saw a real need and opportunity in this marketplace.
Doherty says while the coverage is important, the pre- and post-breach services can be the selling point for small business clients, who often have no clue what to do if a breach were to occur.
“You don’t want to be negotiating rates with any of these [breach response firms] when you have the problem. With the coverage, you can have the panel already there for you and you know they can bring vetted resources to the table right away,” she says.
Hiscox has also enhanced its coverage for small- to mid-size organizations with a cyber crime endorsement launched last fall. The coverage option provides protection against cyber crime connected to business bank accounts.
Another important feature of Hiscox’s data breach coverage, says Donovan, is that it does not exclude contractual liability exposures. This coverage responds to obligations bestowed upon a retailer through their merchant services agreement – the terms and services that can place the retailer or merchant directly liable for costs of card reissuance and potentially fraud that has ensued after they were breached.
Hiscox is also working on streamlining the quoting process for smaller businesses because there is a higher volume and the transaction needs to be easier. However, Donovan says underwriters still must be selective with which accounts they will work.
“The industry is recognizing that the volume of information stored by an insured is a critical component of the underwriting process,” he says. “These companies and the level of security and encryption have to be looked at closer in order to deploy the insurance.”