Over the last several years, the small business community has accelerated its adoption rate of cyber liability insurance. A nearly constant stream of breaches in the news has certainly raised the public’s general awareness of the threat cyber attacks pose.
But the vast majority of small businesses, which we define as those with less than $25 million in annual revenue, still have not purchased cyber coverage.
Agents trying to sell cyber policies to small firms find it difficult to come by benchmarking data for a variety of reasons, including the limited (but growing) number of small companies buying, lack of data sharing among carriers, and short history of products in the marketplace.
We analyzed nearly 1,800 INSUREtrust cyber liability policies with effective dates within the first ten months of both 2014 and 2015, and hope to shed some light on small business trends.
Despite broadening coverage and a huge number of public breaches, our data shows that rates for insureds with revenues of less than $25 million only minimally increased 2.76 percent from 2014 to 2015.
There were some notable exceptions to this trend, though: insureds in the non-technology professional services sector (attorneys, architects, consultants, etc., but not including technology companies) had a year-over-year rate increase of 24 percent, while technology companies had a nearly 15 percent increase. Note that most of these cyber policies included coverage for miscellaneous professional liability.
In many cases, contracts are forcing small businesses to buy high limits, which explains why the average overall policy limit in 2015 was the most in the non-tech professional services at $2.01 million. The maximum overall policy limit for this group was also high, at $10 million.
Tech companies (software publishers, data processing and hosting, system design services, etc.) followed close behind with an average limit of $1.86 million and a maximum of $10 million.
Information and media companies (advertising agencies, public relations agencies, internet publishers and broadcasters, etc.) had an average limit of $1.52 million and a maximum of $5 million.
Non-profits (religious organizations, civic and social organizations, business associations, etc.) had the lowest limits of the sectors analyzed with an average of $1.46 million and a maximum of $5 million.
Cyber Needs of Small Businesses
So why are cyber liability products growing more attractive to firms with revenues under $25 million? It appears that small business insurance purchasers are realizing they are in as much jeopardy for a breach as their larger counterparts. Although not targeted as often as bigger ones, smaller companies have fewer breach prevention resources in place, and hackers have a higher success rate at breaching them.
Smaller businesses are least able to afford robust IT security systems and personnel to run them, so cyber liability policies also provide essential coverage that might prevent a cyber incident from threatening a small company’s very existence.
The days when a small business owner can credibly argue that “We don’t have any valuable data. We don’t need this insurance,” are quickly vanishing. Even if a small firm can legitimately argue that it has limited sensitive data (and very few actually can), cyber criminals can infiltrate its network to gain access to its larger vendor partners. This was how Home Depot and Target were breached, and the smaller businesses that acted as the hackers’ conduits in these attacks are liable.
Additionally, there are a lot of reasons to consider cyber beyond breach protection. Most companies are in the business of publishing if they create their own website content. We regularly see content disputes, as well as intellectual property and domain name lawsuits. Just because you buy a domain name does not mean you have the rights to it. As companies expand their content into social networking they are taking increased content liability risk.
Another reason for increasing adoption is small companies have found that cyber insurance is a bargain. Prices have generally come down from where they were five years ago and coverage has become cutting edge. In fact, most insureds don’t realize how broad policies are, and as a result might fail to report a potentially covered claim.
What’s Next for the Small Business Cyber Market
Looking ahead to 2016, we expect the soft cyber liability market to continue for most sectors, as we know of at least six small business cyber products coming online in the next few months. Tech companies, however, are unlikely to benefit from this as their rates have been firming up. As a side note, healthcare and retail sectors are also hardening as they are frequent attack targets.
Carriers are also ramping up the security practices required of insureds. For example, we predict requirements that mobile data be encrypted will become the standard for all industries, not just for those that transmit highly-sensitive personal identifiable information (PII) or personal health information (PHI). The alternative is that carriers would only offer small sublimits for unencrypted mobile devices.
One outcome of the continuing overall soft market is that some insurers are broadening policies to include reputational damage and cyber crime coverage. Even while the market is still in the buyer’s favor, experienced carriers are not taking losses passively. Some of the bigger players will get off a risk after one claim. Others will drastically change the premium. With new capacity growing, though, competitive pressures should keep rates relatively soft.
The risk is still proving to be profitable, even with soft rates. Because of the heightened adoption of cyber coverage, some of our carriers are achieving growth rates of more than 70 percent year over year.
Small businesses increasingly understand they face real cyber threats. But they still need to be educated about the corresponding coverages that can protect them. We recommend that cyber insurance be a part of your annual renewal discussion with clients. Small businesses need the protection these policies afford, and are more willing than ever to purchase them.
About the Author
Steven Haase is CEO and founder of Atlanta-based INSUREtrust.com, LLC, an agency focused on covering emerging risks. Haase has over 35 years of experience in risk management and insurance. He began his insurance career with FM Global where he managed the international insurance programs for a number of Fortune 1000 companies including Coca Cola, Ford Motor Co., Chrysler Inc, and Genuine Parts. Haase was one of the first insurance professionals to specialize in providing risk management expertise to emerging technology companies. In April 1997, he launched the first insurance product that offered protection for internet exposures including liability and first party protection for network security breaches.
Comments
Add Comment