Cyber insurance is now a hot topic and is increasingly being purchased by businesses of all sizes. Gone are the days when company executives could claim ignorance of cyber threats. On the flip side, agents can no longer avoid having a conversation with their insureds about cyber threats either. Unless, of course, their agency E&O policy has high limits.
Still, the adoption rate for cyber liability insurance among small businesses, which we define here as those with $25 million or less in revenue, has been historically low.
Numerous studies conducted over the last couple of years offer varying figures on the percentage of small businesses that have purchased cyber coverage, but we think the number of small businesses that purchase the coverage is around 15 percent to 20 percent.
The good news is that we have experienced a tremendous uptick in the buying of cyber insurance by small companies. Though some agents are becoming more adept at discussing cyber coverage, they face limited resources such as the availability of benchmarking data. Additionally, carriers are not sharing this information.
We have analyzed nearly 3,200 policies containing cyber coverage sold to small businesses over a two-year period, with effective dates from July 1, 2015, to June 30, 2017, and the findings of this analysis shed some light on cyber liability trends in the small business market.
Despite the high volume of breaches occurring, there is an unusually competitive environment right now.
Even though there seems to be a continuous flow of bad news about data breaches, ransomware attacks and cyber vulnerabilities, rates from the first 12 months (July 1, 2015 to June 30, 2016) to the second 12 months (July 1, 2016 to June 30, 2017) of the period studied dropped by 4 percent.
Even high-risk industries holding large quantities of sensitive and confidential data have gotten in on the trend. Healthcare and social services companies saw one of the largest decreases in average rates, down 21 percent. Finance and insurance companies' rates also markedly declined, down 15 percent. Retailers, which have the additional risk of Payment Card Industry (PCI) fines and penalties, were down 5 percent.
While this might seem counter intuitive, these statistics validate what's been observed daily: the cyber market is intensely soft as many carriers are fighting for market share. Thus, despite the high volume of breaches occurring, there is an unusually competitive environment right now.
There were some exceptions in the data, however. For instance, information companies (media outlets, data processors, software publishers, etc.) saw rates jump 21 percent, and for the arts, entertainment and recreation sector, rates increased 14 percent.
When examining specific types of technology-related companies, those described as "ERP (enterprise resource planning), CRM (customer relationship management), supply chain or similar software and related services" had a 16 percent spike, and "IT systems analysis/design/integration/data migration and related consulting services" had a 14 percent increase.
Looking at limits, it was not surprising to find that the two industry sectors with the highest were information (media outlets, data processors, software publishers, etc.), with an average limit per policy of $2.11 million, and "professional, scientific, and technical services," at $2.04 million.
At the lower end of average limits, transportation and warehousing companies came in at $1.28 million, while accommodation and food services were at $1.12 million.
Among subsets of tech-related companies, higher limits were purchased by data processing service firms and data mining firms, at $2.52 million and $2.51 million, respectively.
Why Buy Cyber?
As an insurance professional, you should encourage all your clients to buy cyber coverage. There is no shortage of compelling reasons to do so.
First, small companies do fall prey to attacks. A whopping 42 percent of businesses reported being a victim of a cyber attack in 2015, according to the National Small Business Association (NSBA).
This is partially because they have fewer resources to put toward IT personnel and IT security systems than their larger counterparts, so they are relatively easy targets.
Small firms also generally fail to make cyber security a significant part of company culture. Only 15 percent offer employees cyber training, according to a 2016 Better Business Bureau report. Because a sizeable number of claims result from human error, educating employees across the organization should be a key risk management goal.
Smaller businesses have less ability to weather the financial storm in the aftermath of a cyber event. The NSBA study found that for small companies that had their banking accounts hacked, the average loss was $32,021.
There are many other sources of potential financial damage, such as costs for lawsuits from damaged customers, forensics experts to clean and repair an infected network, notification costs, and PCI and/or government fines and penalties, just to name a few.
There is virtually no business that is immune to cyber risk. For example, even a manufacturer that handles little data still has sensitive information on its network regarding employees, such as Social Security numbers, addresses, dates of birth, etc.
Let's assume there is a small business with no valuable or sensitive data just for argument's sake. This is a bad assumption, but even if it was true, the firm still has the risk of an incident resulting from "island hopping." Most small businesses are connected digitally to their vendor partners, which are often larger entities. The bad guys exploit this arrangement, penetrating the network of the smaller companies that are easier prey, and then jumping via vendor connections into the systems of the larger, more valuable companies. Island hopping caused the infamous Target breach in 2013, for example.
Selling cyber coverage to a small firm is easier than ever, but can still present challenges. However, with the extensive benchmarking data available today, forward-thinking agents can present a client with an accurate picture of what other small businesses in that client's sector and revenue range are buying. Data risk modeling using real-life claims to demonstrate what costs a client would likely incur from a cyber incident can also help encourage clients to buy needed coverage.
Now is an opportune time to purchase cyber: the potential loss can be substantial for a small business, the coverage is overly broad, rates are remarkably low for state-of-the-art coverage and the market is expected to remain extremely soft for at least the next year. This presents a win-win opportunity for both insurance agents and their insureds.