With cyber insurance premiums expected to grow from around $2 billion in 2015 to an estimated $20 billion or more by 2025, insurers and reinsurers are continuing to refine underwriting requirements, according to industry observers with expertise in the area.

"Take up rates are growing astronomically for this line of business and really for good reason," said Jim Rice, senior business development executive at Xuber, a software vendor focused on the MGA, insurance and reinsurance sector. The potential is high for a widespread cyber event and underwriters are taking notice, he said.

Standalone cyber insurance purchases among U.S.-based Marsh clients increased 27 percent from 2014 to 2015, driven mainly by an increasing awareness and appreciation of cyber risk, according to Marsh's "Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases." The broker said this continues a pattern of strong growth in cyber insurance purchasing, which grew 32 percent increase in 2014 over 2013, and 21 percent increase in 2013 over 2012.

"This purchasing is supported by more than 50 carriers from around the world that potentially can provide more than $500 million in capacity," said Matthew P. McCabe, senior vice president, Marsh LLC in recent testimony before the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

"Underwriting requirements are rising and both insurers and reinsurers are increasing their retentions, as well," added Rice. "In some cases, we're seeing some capacity reduction in some players who saw an opportunity, and are leaving the market altogether and really focusing their attention on other lines of business."

In addition to well publicized "hacktivist" incidents, the simple fact that nearly all businesses are vulnerable to attacks may be one reason for the increased interest in cyber coverage.

There's "no question of whether a business will be a victim of a cyber attack, it's really a question of when a business is going to be a victim," said Ted Shaer, an attorney with Zarwing Baum DeVito Kaplan Shaer Toddy PC in Pennsylvania.

It's a potential threat for which all businesses need to prepare, he added.

"Any business that stores data that has value, personal information or financial data is going to be a target," Shaer said during an A.M. Best law webcast on cyber risks.

So far, the cyber line has been untested in terms of claims-paying ability, according to Rice, who's based in Detroit. While there have been large losses, such as those at Sony, Target and Anthem, to date there has been no widespread, catastrophic occurrence to test insurers' ability to pay claims on these losses. And there has been no indication that insurers are not paying the claims that have come in so far.

The insurance market as a whole is in a far better financial position than it was following the hurricane season of 2005, which included Hurricane Katrina and multiple other large-scale cat events, Rice noted. But, "cyber is a different animal, and ...the nature of potential catastrophic cyber loss is likely far more reaching than the industry probably understands. Therefore, as cyber matures and loss and underwriting data become more available, I think we're going to see a lot more specialization in the cyber market, as we're seeing now," Rice said.

Two Moving Pieces

Market immaturity and lack of standardization are two reasons why underwriting cyber products today make it an interesting place to be in the insurance world, says Timothy Zeilman, vice president of Hartford Steam Boiler, part of Munich Re. Zeilman recently developed a stand-alone insurance product, HSB Total Cyber, which offers mid-size companies direct coverage for data and cyber exposures.

"For one thing, cyber insurance is an immature marketplace, a fairly new marketplace, developed in the late '90s," Zeilman said. Zeilman added the market has yet to reach a point where it's standardized in any way, as well. "If you look at 10 different cyber liability policies, you're likely to find 10 different packages of coverage," he said. cyber-security It's like working with two moving pieces at the same time. "It's still very immature, the coverage itself is changing, and the market is trying to find a standard," he said. At the same time, the exposures are changing dramatically.

Exposures are technology based, but they're also human behavior based, Zeilman said. "Unlike most other kinds of insurance, you're not insuring against something that exists in nature. You're insuring primarily against criminal behavior by other human beings." And that can be risky.

"Not only do you have an insurance marketplace that's trying to reach a standard and accommodate the needs of today's insured, but you also, at the same time, have a rapidly developing exposure landscape."

Lynda Bennett, a partner the law firm of Lowenstein Sandler in the New York/New Jersey area, said cyber insurance policies have "given new meaning to a complex and difficult to navigate insurance product."

Over the last several years, traditional commercial general liability policies have begun to include cyber exclusions, "because the insurance industry is moving in a direction of developing products dedicated specifically to covering cyber risk. It just is becoming a more prominent issue and concern. They're trying to isolate all of the different coverage grants that touch and concern data, privacy-related issues, all in one product," Bennett said.

The market today continues to be "volatile, because we still have a number or insurers that are entering and leaving the market of even providing this type of coverage. There are upwards of 40 different types of insurance policy forms out there," she said.

Bennett compared the development of cyber coverage with the early days in the evolution of coverages such as environmental and employment practices liability, where it took several years before claims and coverage disputes were litigated and policies began to be stabilized.

There are carriers that are emerging as leaders in the cyber area and they too are continuing to adjust the coverages, Bennett said.

"What I find interesting and a trend that's developing with those leaders ... is that they've developed policy forms, but they're still tinkering one year over the next. On renewal, the terms and conditions are still very different. Some things are being taken back through exclusions. There are some enhancements that are being added to make the policies more attractive," she said.

Part of the problem is simply a lack of claims data, Zeilman said. "When you're starting to develop or underwrite a new insurance product, obviously the best place to look is historical claims data. For most other kinds of insurance that sort of a data is available through industry institutions like ISO and others. That's simply not there for cyber insurance."

According to Zeilman, the market has been fragmented, so there's been no sharing of data. While ISO is now trying to gather cyber claims-related data, it's still in the early days.

"Even the people who've been doing this for a relatively long time have been doing it for 10 years or less, so even individual companies don't have a lot of their own loss data," Zeilman said. "It's an interesting place, and certainly some creativity and a sense of innovation is required in order to try to underwrite risks in this area."

It's true that relative to other coverages -- property, general liability, even employment practices -- it takes some time for coverage to solidify around claim precedent and that's still happening in the cyberspace, said Tim Francis, enterprise lead for cyber insurance at Travelers. But the industry has witnessed enough data breaches that "coverage has begun to be a little bit more standard than maybe it was two, three, four years ago."

There are still plenty of differences in one carrier's cyber coverage form versus another carrier's cyber coverage form to be cautious, Francis said. "But as we see more claims, we'll have a better body of case law to act upon," Francis said. Even so, there are enough cases and cyber related claims "out there that you're starting to see some commonality in language and approach."

Some carriers are beginning to specialize in certain as to types of cyber risks, as well, according to Rice.

"For instance, there are cyber markets seeking just healthcare risks or markets seeking combinations of retail and other related industries. Naturally, each will come with their own policy forms and sets of exclusions including their own available capacities reflective of certain market segment experience," he said.

Broker Specialization

Specialists brokers are an important part of the coverage equation when it comes to protection for cyber risks, according to Bennett.

"There are brokers that specialize in placing cyber insurance policies. That's literally all that they do every day, all day long. They are on top of all of the different policy forms that are out there. They are negotiating with the underwriters at all of these insurance companies," she said.

Bennett said she's seen clients make big mistakes by using a typical broker to place this type of specialized policy.

"Even though I'm sure the broker approaches it using their best skill set possible, when you're not living and breathing these policies day to day, as the terms are changing on a mere weekly basis, you're not in a position to provide the best service and the best advice and the best placements for your clients," Bennett said.

She advised agents and brokers without someone on their team dedicated to staying on top of developments in the cyber insurance market to affiliate with brokers that do specialize in placing cyber coverage.

Agents and brokers also need to understand no matter how large or small their clients may be, there's a good chance that they need some sort of cyber liability coverage, Rice said. "Any business that comes with data, whether transactional or any other, is susceptible to cyber risk, whether they know it or not," he said.

He added that a standalone cyber-liability policy is not always required.

"Typically, businesses with say less than $10 million in annual revenues, which don't store or process large amounts of sensitive data, may not need standalone cyber policy. Instead, they may be able to endorse the coverage onto their existing commercial business policy," Rice said.

Because cyber insurance comes in all varieties, shapes and sizes, "when it comes to advising clients, agents and brokers shouldn't just take into account afforded coverage limits, but the additional services and expertise that comes with the product," Rice said.

"Having sufficient limits in place in tandem with coverage that's really best suited for the insured's needs in the event of a breach not only puts the insured in the best ... position, but it places a high value on the agent or broker especially in their client's hour of need," Rice said.

Travelers' Francis advises agents who are trying to make a determination as to which carrier they want to purchase cyber insurance from, to not just look at the policy cover, but also examine what network of services come with that policy.

"If there is an event that happens, what does the claims response team with the carrier look like? What other companies might they partner with -- whether it be a breach coach, which is often used to be the legal liaison between the consumer and other breach constituents -- forensic vendors, notification vendors, call centers," Francis said. "Having that all set up and prepackaged ahead of time, and having a carrier that has those relationships, and knowing what those are, is critically important."

All of those services together are becoming, more often than not, part of the overall package of cyber insurance, Francis said.