Laptops, cell phones and cloud computing have made cyber liability a fast-emerging exposure and insurers are stepping up with coverages.
But most insureds don’t fully recognize the risk. A recent Towers Watson survey found that 72 percent of large U.S. companies do not have cyber liability insurance. Two-thirds believe they don’t have significant data exposure, since they believe their internal controls are adequate.
“I think that might be hubris,” said Jane Taylor, an actuary at Huggins Actuarial Services, said at a recent Casualty Actuarial Society meeting.
The coverage, which most insurers have only recently started offering, covers two distinct risks, according to Taylor.
Security liability covers a business in case of unauthorized access or use of its computer network whether internally or externally.
The second coverage, privacy liability, protects a business that violates privacy laws or regulations that protect data from “unauthorized eyes.”
Even though many companies still don’t recognize the risk, the cyber insurance business is growing, according to Michael L. McCarthy, a vice president of professional liability treaty reinsurance at Axis Capital. He estimated the market at about $500 million in premium per year, most of it in the U.S., and growing at 10 to 25 percent per year. More than 30 companies write the business.
Originally large companies were the main buyers, but that has shifted, McCarthy said, as smaller and mid-sized companies are buying now.
Underwriters look at amount of sensitive information a company has and what its records contain; how much regulatory exposure the company has; what IT security controls are in place; and how many outside vendors have access to the network since many breaches come from vendors.
They also like to see companies that use a “holistic approach” to data issues. If the underwriter asks a non-IT person about tech security, Merchant said, “the answer isn’t, ‘The tech guys take care of that.'” Underwriters generally prefer that a committee across all business disciplines monitor cyber security.
New insureds typically fill out a 15 to 20 page application. Underwriters also scrutinize public filings. The Securities and Exchange Commission encourages companies to disclose their cyber risk. They also look at loss runs and third-party security assessments.
Some companies base the rates on miscellaneous errors and omissions rates, McCarthy said. Others attempt more sophisticated analysis.
Topics Cyber
Was this article valuable?
Here are more articles you may enjoy.
GM Ends OnStar Driver Safety Program After Privacy Complaints 
South Carolina Ringleader Sentenced to 8 Years for Staged Accidents 
Allstate Reports $731M in Q1 Pretax Catastrophe Losses 
AIG General Insurance Chairman McElroy to Retire May 1 From This Issue
