Beginning a New Year provides an opportunity to reflect on challenges and threats in the insurance industry, and there is one trend that will undoubtedly continue to develop in 2007. Businesses will continue to make use of technology and the Internet. This growing reliance on technology also increases the potential for data security and privacy breaches.
This year marks the 10th anniversary of the creation of cyber liability insurance products. The market has changed since its inception. Regulatory and contractual requirements have dramatically increased the need for cyber coverages. The product itself – initially a network liability coverage only – has been expanded to include first party coverages, privacy liability, regulatory liability, and various expenses surrounding a security breach event. Two of the most significant challenges in procuring a cyber insurance policy have been addressed: the successful modification of the underwriting requirements and a plentiful supply of claims events that have played out in the media.
While privacy breaches have always provided the possibility for loss, the rise in recent state notification statutes has forever changed the landscape. According to the Privacy Rights Clearinghouse, there were 107 reported data breaches in 2005. In 2006 this more than tripled to 329. A majority of these events were likely reported as a result of state security breach notification laws. Prior to 2005, California had enacted the sole effective security breach notification law. Today, another 33 states have enacted similar laws. Now that it is mandatory for organizations and companies to report breaches to their customers, there is no escaping the exposure. Expect more reported events in 2007.
Coverage options: an operational necessity
The need for cyber coverage is growing. More companies are growing their revenue through online sales. As a result, they are becoming more exposed. Further, they are relying on outsourced service providers for web hosting, credit card processing, call centers, document storage, and data warehousing. Subsequently, they are spending more time validating and reviewing the data security standards and risk management practices of these providers. In addition, many customers are now requiring proof of insurance that will address privacy breach events.
Most cyber insurance policies start with coverages limited to network liability events, such as unauthorized access or use of a computer system. These can include theft or destruction of data, hacker attacks against third parties, denial of service attacks and malicious code. Over the past year, expanded coverage options, including privacy liability arising from a network security breach, became available. Some carriers have even expanded this coverage to include enterprise risks such as security breaches of personal information in any format, including non-electronic. In some cases, the coverage can include regulatory violations of state and federal privacy regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA) of 1999, and the various state security breach notification laws.
Reimbursement for crisis management expenses is also being offered as an option by some carriers. This coverage pays for legal, public relations and compensatory expenses necessary to comply with privacy regulations.
When these products were first introduced, many carriers required independent third-party assessments for all risks. These assessments were costly and time consuming. Today, many carriers have tailored them to the level of risk.
Privacy liability, regulatory liability, and notification costs have materially changed the scope of coverage. Today, most companies have exposure to loss and should be considering risk transfer options.
Cyber liability insurance market
The cyber liability insurance market was estimated to be between $250 million and $300 million in written premium for 2005. It is now approximately $500 million and the growth in 2007 is expected to outpace prior years.
While the number of insurers participating in the cyber liability insurance arena has increased, there is still little uniformity in coverage terms and conditions. Some of the features agents should be looking for include: regulatory defense, notification expenses, public relations expenses, or privacy liability that is not limited to a network event. Look to see if there is a limited period of time where notification expenses will be covered or if the carrier requires prior written consent. Some carriers require that there be intent to use the personally identifiable information for financial gain to trigger notification expense coverage. The waiting period for business interruption should be reasonable, less than 24 hours. Be sure that the policy covers personal information for both customers and employees.
The cyber liability insurance market has undergone many changes. The coverage has been expanded, the underwriting process has been streamlined, and clients are provided with real loss examples every day by the media. If some carriers and brokers are not offering cyber insurance to their existing insureds, it’s a good bet their competition is.
Toby Merrill is assistant vice president of ACE Professional Risk, responsible for technology product development as well as overseeing technology E&O underwriting. He has more than seven years of experience in the insurance arena, specifically in underwriting professional liability, management liability and cyber risk exposures.