Demand for cyberinsurance was rising even before the most recent highly publicized parade of breaches at major corporations and organizations. After the news of the first major Sony hack but before the subsequent reports involving Sony, Citicorp, the International Monetary Fund and others, Insurance Journal spoke with an expert to gauge how the insurance market for this coverage is doing.
James Whetstone, senior vice president and U.S. technology and privacy manager for insurer Hiscox Specialty, is a former technology geek and broker turned underwriter.
Hiscox is one of the original underwriters of the coverage. Whetstone says there are almost 30 carriers now offering cyber liability coverage, some more seriously than others. He says these times of claims are when an insurer’s commitment to a market can be tested, citing what he calls the “naive” capacity that exists.
The coverage has evolved quickly, to where cyberinsurance is a “must-have” for most firms today. Whetstone compares the product’s acceptance to that of employment practices liability (EPL) coverage.
The underwriting has also changed. “We used to really focus our underwriting attention on how well they could prevent the breach, but we’ve added another phase to it,” says Whetstone. “Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It’s the same with this incident response plan.”
In the following excerpts from a recent interview with Insurance Journal’s Andrew Simpson, Whetstone discusses the evolution of the coverage and the competition among insurers, the importance of a recovery plan, the product’s sales cycle for agents and brokers, and the challenge of underwriting and servicing the coverage in a technology, political and legal environment that keeps changing.
So you’re as concerned now about the notification piece as you are about the prevention?
Whetstone: Yes, because we’ve learned what can happen if they’re not prepared… I’ve seen some insureds get charged $1,000 an hour by a forensics firm. It’s paying the individual walking by your house burning down with a bucket of water. You don’t want to do that. So we want them to have talked to, and we have access to all these companies and can get them hooked up with them so that, if they don’t know a forensics firm, they can pick from our list. Or we can get the rates down to a reasonable number upfront so that they’re not getting taken advantage of. Again, so they can quickly respond to it, because the longer you delay it, you get criticized in the press for it, all those things. You just want to avoid all of that.
What would you expect in a customer’s incident response plan?
Whetstone: Well, kind of a decision tree of who needs to be involved at what point. Have you established a relationship with a forensics firm, for example, or one of these breach notification firms, or a credit monitoring company? So that, when the event occurs, you quickly can kind of go through that process and say, OK, here’s what we need to do, here’s who gets involved. Typically those plans have a team of people at the organization, corporate communications, IT security. All those people who come to the table and respond to the breach quickly and efficiently. So we like to see that they’ve given that some thought, they’re in the process of building up that plan.
Is that something you would help them with?
Whetstone: Absolutely. Those loss prevention services, for example, that’s part of that. They can get access to some guidance on how to set one of those plans up.
There was a recent survey that showed an amazing percentage of CEOs still believes their companies are safe. What do you say to them?
Whetstone: Well… if there’s an individual in there that’s saying, “Don’t worry about it, I’ve got everything protected,” I don’t know what to tell them… Basically, “Are you willing to bet your job on it?” is essentially what it comes down to. Whereas a lot of times you’ll walk in, and the IT security, you can spot them the minute you walk in the room. They’ll be the ones with their arms folded, like, OK. But I have a little bit of a benefit, when I go into those meetings, having a tech background myself, I’ve been very good over the years at being able to disarm the IT… I say, “Look, I’ve lived in your shoes. You know better than anybody in this room that you can’t protect the information 100 percent of the time. And that’s what we’re here for.” We’re the insurance policy that says, “OK, no matter how well Andrew does his job as the IT security manager, at the end of the day there’s still a residual exposure that he can’t protect.” And so all of a sudden, they loosen up and like, “OK, you’re not here to say I’m not doing my job. You’re on my side.”
Does the directive have to come from the top? One that says, “We need this. We need to be absolutely sure.”
Whetstone: Right. A lot of the larger companies that we saw over the last couple years that have purchased it, we’ll get this comment: “The CFO read an article, and so they asked us to look into this coverage.” Or somebody at the top is really driving it. You’ve got some sophisticated risk managers, also, that keep on top of that stuff. But, in their defense, they go to the IT security guys and they say everything’s fine, and they’re like, “Well, I’m not getting support from the rest of the organization, and that’s why…” You really need somebody to champion it from the top … Any organization that’s still sitting back and saying, “It’s just not an exposure for us. We think we’ve got all the right loss prevention tools in place, so we don’t have to worry about it” — that’s just naive.
How do you keep up in such a fast-changing area?
Whetstone: About a year ago, we released a modified version of our coverage, to keep up, if you will. … I was hoping maybe it’d be every couple of years. It seems like you just have to stay on top of it, by endorsement, or however you need to, risk selection, those types of things. Hiscox is an underwriting company. We’re in it for the long term. It’s difficult right now because you have a lot of naive capacity in the marketplace. I think somebody told me the other day there are 28 carriers now providing some form of this coverage.
What did you call it, “naïve” capacity?
Whetstone: Yes, I think there’s maybe a half a dozen of us that have really been doing this for a while and have had the claims experience and understand how this all plays out. I think that there are a lot of newer entrants, that they see the ability to write a bunch of new premium, but they don’t really have an appreciation for the volatility of this coverage and the marketplace and the legal environment and the regulatory environment.
Do you anticipate that even more will start getting in?
Whetstone: I think so, but then I think we’ll also see some leave. I think when they have the first one or two big events, they’ll step back and say, “Well, wait a minute. Is this really what we thought we were getting into? Do we think we can write enough of this to cover those types of losses?” I haven’t been in the insurance business that long, but I think it’s the typical insurance cycle. You’ll have a lot of capacity coming in this soft market, and then you’ll have plenty of it pull out when certain events start to occur and it’ll harden up.
Is this a coverage that during a recession corporations see as an add on, one they can drop when things get tight?
Whetstone: I haven’t really noticed that. I think we’re still seeing more and more companies buying it. I think people still say it’s a discretionary spend, but that’s becoming less and less of the commentary. Everybody always uses the analogy that it’s going to be like EPL [employment practices liability] coverage, that early on people thought they didn’t need it, and now a lot of entities purchase that coverage.
I can’t remember who told me this the other day, but they think that actually this is very similar. But it’s happening faster than EPL did. The take up rate now is accelerated more so than EPL did at the time. So I think more and more companies are saying this is less of a discretionary buy, and if we’re going to be in the health care industry, for example, this is almost a must have.
You mentioned that you think that it’s being picked up more compared to EPL growth. How do you describe the growth of sales?
Whetstone: Yeah, I mean I guess there’s a reason why there’s 28 markets selling it now. I mean, it’s exponentially growing and everybody sees it as a growth opportunity because more and more are buying it. I think the sales cycle has gone down, if you talk to the brokers about it. It used to be, back when I was a broker for this, you could be working with a client for 12, sometimes 24, months, just talking about the coverage, what the exposure is, what it would cost, getting them to budget for it. I think the sales cycle is shrinking.
You still have people that are often referred to as the tire kickers. They just want to see what it is, how much it is going to cost. But more and more of those are buying it now and not waiting until the next cycle with their budget, in some cases. I think we also have seen where the rest of the market being so soft, maybe they were saving money on their D&O. Now, they have more budget to spend on some of these other coverages.
So the sales cycle might be slower, but are there still too many agents and brokers who aren’t offering it?
Whetstone: I think there are plenty that still aren’t very sophisticated with this coverage, don’t know how to sell it, and don’t totally understand the exposures. But more and more, it’s rare for me to go to a region of the country, or a city, where there’s not at least one broker in that area that has said, “You know what? We are going to be the experts in this coverage in this area. We see this as a great opportunity.”
Obviously, you’ve got some areas where multiple brokers are trying to do the same thing… [T]hey don’t want to allow one of their competing brokers the opportunity to use that as the foot in the door with their clients. If they’re not, then they’re just exposing their book of business to be targeted by brokers that really are selling this…. [T]here’s been a period here where it just gives them an opportunity to go in and say, “Hey, if your broker’s not talking to you about this, we’d really like to come in and talk about it.” Whether they buy the coverage at the end of the day or not, it at least gives them a new exposure area to go on and just open a dialogue with a potential client.