With cyber insurance premiums expected to grow from around $2 billion in 2015 to an estimated $20 billion or more by 2025, insurers and reinsurers are continuing to work out underwriting requirements, and the market can be characterized as “volatile,” according to industry observers with expertise in the area.
“Take up rates are growing astronomically for this line of business and really for good reason,” said Jim Rice, senior business development executive at Xuber, a software vendor focused on the MGA, insurance and reinsurance sector. The potential is high for a widespread cyber event, and underwriters are taking notice, he said.
“Underwriting requirements are rising and both insurers and reinsurers are increasing their retentions, as well,” added Rice. “In some cases, we’re seeing some capacity reduction in some players who saw an opportunity, and are leaving the market altogether and really focusing their attention on other lines of business.”
In addition to well publicized “hacktivist” incidents, the simple fact that nearly all businesses are vulnerable to attacks may be one reason for the increased interest in cyber coverage.
There’s “no question of whether a business will be a victim of a cyber attack, it’s really a question of when a business is going to be a victim,” said Ted Shaer, an attorney with Zarwing Baum DeVito Kaplan Shaer Toddy PC in Pennsylvania.
It’s a potential threat for which all businesses need to prepare, he added.
“Any business that stores data that has value, personal information or financial data is going to be a target,” Shaer said during an A.M. Best law webcast on cyber risks.
So far, the cyber line has been untested in terms of claims-paying ability, according to Rice, who’s based in Detroit. While there have been large losses, such as those at Sony, Target and Anthem, to date there has been no widespread, catastrophic occurrence to test insurers’ ability to pay claims on these losses. And there has been no indication that insurers are not paying the claims that have come in so far.
The insurance market as a whole is in a far better financial position that it was following the hurricane season of 2005, which included Hurricane Katrina and multiple other large-scale cat events, Rice noted. But, “cyber is a different animal, and … the nature of potential catastrophic cyber loss is likely far more reaching than the industry probably understands. Therefore, as cyber matures and loss and underwriting data become more available, I think we’re going to see a lot more specialization in the cyber market, as we’re seeing now,” Rice said.
There also haven’t been any high profile coverage disputes to help define what will and what will not be covered in cyber policies going forward, according to Lynda Bennett, a partner the law firm of Lowenstein Sandler in the New York/New Jersey area.
She said cyber insurance policies have “given new meaning to a complex and difficult to navigate insurance product.”
Over the last several years, traditional commercial general liability policies have begun to include cyber exclusions, “because the insurance industry is moving in a direction of developing products dedicated specifically to covering cyber risk. It just is becoming a more prominent issue and concern. They’re trying to isolate all of the different coverage grants that touch and concern data, privacy‑related issues, all in one product,” Bennett said.
The market today continues to be “volatile, because we still have a number or insurers that are entering and leaving the market of even providing this type of coverage. There are upwards of 40 different types of insurance policy forms out there,” she said.
Bennett compared the development of cyber coverage with the early days in the evolution of coverages such as environmental and employment practices liability (EPLI), where it took several years before claims and coverage disputes were litigated and policies began to be stabilized.
There are carriers that are emerging as leaders in the cyber area and they too are continuing to adjust the coverages, Bennett said.
“What I find interesting and a trend that’s developing with those leaders … is that they’ve developed policy forms, but they’re still tinkering one year over the next. On renewal, the terms and conditions are still very different. Some things are being taken back through exclusions. There are some enhancements that are being added to make the policies more attractive,” she said.
Some carriers are beginning to specialize in certain as to types of cyber risks, as well, according to Rice.
“For instance, there are cyber markets seeking just healthcare risks or markets seeking combinations of retail and other related industries. Naturally, each will come with their own policy forms and sets of exclusions including their own available capacities reflective of certain market segment experience,” he said.
Specialists brokers are an important part of the coverage equation when it comes to protection for cyber risks, according to Bennett.
“There are brokers that specialize in placing cyber insurance policies. That’s literally all that they do every day, all day long. They are on top of all of the different policy forms that are out there. They are negotiating with the underwriters at all of these insurance companies,” she said.
Bennett said she’s seen clients make big mistakes by using a typical broker to place this type of specialized policy.
“Even though I’m sure the broker approaches it using their best skill set possible, when you’re not living and breathing these policies day to day, as the terms are changing on a mere weekly basis, you’re not in a position to provide the best service and the best advice and the best placements for your clients,” Bennett said.
She advised agents and brokers without someone on their team dedicated to staying on top of developments in the cyber insurance market to affiliate with brokers that do specialize in placing cyber coverage.
Agents and brokers also need to understand no matter how large or small their clients may be, there’s a good chance that they need some sort of cyber liability coverage, Rice said.
“Any business that comes with data, whether transactional or any other, is susceptible to cyber risk, whether they know it or not,” he said.
Even so, he added that a stand-alone cyber-liability policy is not always required.
“Typically, businesses with say less than $10 million in annual revenues, which don’t store or process large amounts of sensitive data, may not need standalone cyber policy. Instead, they may be able to endorse the coverage onto their existing commercial business policy,” Rice said.
Because cyber insurance comes in all varieties, shapes and sizes, “when it comes to advising clients, agents and brokers shouldn’t just take into account afforded coverage limits, but the additional services and expertise that comes with the product,” Rice said.
“Having sufficient limits in place in tandem with coverage that’s really best suited for the insured’s needs in the event of a breach not only puts the insured in the best … position, but it places a high value on the agent or broker especially in their client’s hour of need,” he said.
- Cyber Insurance Underwriting Moves from ‘Toddler’ to ‘Teen’ As Insurers Learn from Claims
- Cyber Insurance Rates Up, Unlike Other Commercial Rates
- NAS’ Palotay: Point-of-Sale, not Stored Data, Riskiest for Retailers
- Just How Costly, Fast-Growing Is Cyber Risk?
- Agent, Cyber–Educate Yourself — and Your Clients
- Where Cyber Insurance Underwriting Stands Today
- Target’s Cyber Insurance Softens Blow of Massive Credit Breach