Cyber Insurance: An Evolutionary Coverage

Cyber insurance may seem all the rage now but professionals with track records in the area say the product has been around since the late 1990s and has been evolving ever since.

Now, it’s one of the few commercial property/casualty insurance products bucking the trend toward stagnant or lower premium rates. In the third quarter of this year cyber was the only commercial line that saw consistent and large rate increases in the United States — averaging more than 15 percent — according to an analysis, “Global Insurance Market Quarterly Briefing,” released by Marsh in November.

As claims come in from highly publicized, expensive breaches, insurers are learning from them in terms of underwriting and pricing. They also have been expanding of the types of coverages included in the policies, cyber insurance specialists say.

“Cyber insurance has been in evolution since it was created arguably back in the late 1990s. One of the things that has been happening as part of that evolution is that it’s been morphing from being not necessarily a standard insurance product, which you pay the premium and you get the claim paid in the event that you have an event, to more of a product where risk management services are being offered to help protect companies against the loss,” said Christopher Keegan, cyber and tech national leader at Beecher Carlson in New York.

The product now “is evolving extremely fast. Many carriers are adding bells and whistles and we aren’t anywhere close to a mature cyber product yet. Things are being added all the time,” said Michael Palotay, a senior vice president at California-based NAS Insurance.

Insurers are constantly thinking about what other things that can covered for insureds.

Coverage for cybercrime and reputational harm are coming. Policies are also likely to start including bodily injury and property damage coverages, Palotay said.

“Most cyber policies don’t cover bodily injury, but I can see it eventually evolving there. Especially as more and more of the things in our world become connected, it means that there is more potential for injury, physical injury, not just digital injury,” he said.

When cyber policies first came out “in ’96, ’97, we had denial of service, unauthorized access, unauthorized use. It was named perils,” said Manny Cho, regional underwriting manager at Axis Pro in San Francisco.

“Today the policies are … almost like a property form for reimbursements. … It makes sense, too. If you’re today signing an application about where your technology is, you may not know that you had malware input two years ago that’s sitting on your computer. To the best of your knowledge, that’s what you’re signing. When does the knowledge happen? When does the occurrence happen? That’s being innovated and talked about today in this new cyber world,” Cho said.

Like Palotay, Cho also sees crime elements beginning to come into the space.

“False attribution or takeovers of identities to convince people to send money to fraudulent banks or to fraudulent distributors to pay accounts that aren’t there. That’s going to be a pretty major issue for people to try and tackle and figure out,” he said. “Does it belong on the cyber side or does it belong on a crime policy? How do you underwrite it? There will be some interesting things that come up.”

Coverage for system failures is another area where carriers have taken the initiative, according to Sarah Stephens, partner and head of Cyber, Technology, and Media E&O at JLT Specialty Limited.

“AIG was the first one to introduce this sort of system failure coverage,” she said

Some Lloyds syndicates “have been offering much broader coverage for years and years,” Stephens said.

Still, there may be a limit to the expansion.

“You probably can’t keep getting broader forever,” she said.

Note: This article is based on video interviews with Keegan, Palotay, Cho and Stephens at the PLUS Cyber Liability Symposium in Chicago in September. View excerpts from those interviews at www.insurancejournal.tv.

Topics Cyber