No one knows what the future of cyber risk holds. But more market choices and value-added services are now part of this fast-growing market.
“We don’t know,” said Blake Wiedman, partner at Nashville-based The Crichton Group. “We just don’t know what this risk is going to look like tomorrow. Until WannaCry, we’d never heard of that (exposure) before it happened.”
The reality of insuring cyber risk is that the risks will continue to evolve, cyber experts say. And the insurance market must continually evolve with those risks as well, according to Wiedman.
“It is always going to be changing,” he said. To insure cyber risks, the industry, business owners, agents and brokers have to stay at the forefront of the changing risks as much as possible, he said. “It will take a strategic and coordinated approach between everyone” to properly cover cyber exposures.
Yet, despite what may seem to be an insurmountable number of emerging cyber dangers, the insurance market for cyber coverage has never been better for buyers and underwriters.
“Now, there are probably 80 different markets out there that have cyber products,” said David Lewison, senior vice president, professional lines national practice leader for AmWINS Group. “As soon as one steps away or tries to raise rate, another one jumps in.”
Pricing for cyber coverage overall has trended down every year for the past few years, according to Lewison, who doesn’t see premiums going up anytime soon.
Overall, cyber insurance is a profitable line for the insurance industry, too.
Property/casualty insurers reported $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015. That’s according to Fitch Ratings and A.M. Best, which reported earlier this year that the direct loss ratio decreased from 51.4 percent in 2015 to 46.9 percent in 2016.
A.M. Best attributed the decline to the majority of reported cyber attacks being related to ransomware heists, on which losses were well below the deductibles and a simple backup recovery worked to prevent negative long-term effects.
“I’ve never heard cyber insurers say the line is remotely unprofitable,” Lewison noted. Part of that has to do with the cost of notification and credit monitoring declining over the years. “It’s dollars and cents per record now so it doesn’t cost a lot.”
Coverage terms and conditions have also broadened, which makes selling cyber easier than it was a few years ago, according to Wiedman.
“The evolution of the product has been incredible over the last three or four years,” he said. “The markets have been absolutely broadening what they’re able to provide insureds.” In particular, there is an evolution around what’s considered to be first party coverages, or the costs that an organization assumes when hit with a breach, Wiedman said. “That’s things like notification and credit monitoring, hiring a data forensics firm, going out and hiring a great public relations firm to control some of that reputational harm, setting up call center support, legal expenses, extortion attempts, those types of things,” he said.
Wiedman added: “I do feel like the insurance industry has done a fairly good job in this space of expanding coverages, making them more affordable, understanding the risk, and trying to plug into — not just the insurance purchasing and risk transfer side — but how they are going to help a client post-breach.”
Wiedman is quick to point out the cyber product evolution to those clients who are still on the fence about buying coverage. “That’s one of the first things I talk about,” he said. “The majority of our clients are middle-market companies that don’t have 10 people sitting in a room protecting data, coming up with strategic plans to respond to breaches. In the middle-market, you’re leaner. You rely on third parties more often.”
That’s where insurance carriers and their agents can win in cyber, he says.
“For me, when I’m communicating the benefit of the policies, this is something I say in every meeting is — if you’re not concerned about the severity of the breach, having the peace of mind of a company like Chubb, for example, that’s handled thousands of these cases is worth it. They have attorneys specific to data breach, they have breach coaches that can help coordinate with vendors for notification/credit monitoring, they may have pre-negotiated pricing with those vendors. All that’s taken care of for you.”
The presence of cyber-related services accompanying policies is a recent realization in the marketplace, according to Matt Prevost, senior vice president, cyber at Chubb.
“A lot of clients are starting to focus much more on the services accompanying the risk transfer policies and as coverage evolves, I think so do the services,” Prevost said. “As clients procure technology services from a third-party, a big part of that planning, in my opinion, is integrating insurance and some of the resources that the insurance companies and brokers provide as a part of that process.”
Prevost said that insurers and brokers are a small part of a business’s overall risk management strategy when it comes to cybersecurity but it all needs to be integrated and work together.
Prevost cited one example in which carrier services can be integrated with cybersecurity tactics.
“Most of our incidents are caused by poor passwords and employees making mistakes, so we’ve focused our services that accompany the policy on exactly those two things,” Prevost said. “It’s also recognizing this happens across all other lines.”
Prevost added that is where cyber creativity is coming into play from competitors. “I do think that’s where a lot of the innovation is coming from, not just from Chubb, but in the cyber marketplace, from a service perspective.”
Services for cyber policies are improving, without question, Prevost added. They must in today’s competitive market.
“The reality is that cyber is becoming more of a core product,” Prevost said. “How complicated and sophisticated is this as a product line itself remains to be seen. But you’re starting to see some of the coverage demands and some of the claims interacting with other lines, which only encourages this being more of a core competency of a broker.”
Lewison agrees. “It will become a standard product,” he said. Lewison admits he doesn’t like to say that coming from a wholesale specialty brokerage viewpoint, but it is a fear. “A few years ago, people could build a personal brand around cyber,” he said. “Now, we’re talking about different perils, first-party services, not just liability limits.”
Lewison has seen the admitted portion of his cyber book rise to where it’s nearly 50/50. “Five, six years ago, everybody was on surplus lines paper, except maybe AIG, maybe Chubb, maybe CNA,” he said. Today, a lot of the companies have admitted offerings. “That makes it easier for retailers who are appointed with them to place it, but do they understand the differences in the forms? Maybe not, and that’s where wholesalers can differentiate.”
Lewison, however, doesn’t worry too much.
“There’s always going to be a place for us, like everything, there are going to be those misunderstood risks that need our help.”