Cyberinsurance is a topic that receives more than its fair share of discussion and probably for good reason: it's an area of innovation and growth within the industry, yet it often is misunderstood by clients, so it continues to be a source of confusion for them.
What first emerged as network security liability policies - catering primarily to budding technology companies and online start-ups during the dot-com boom of the late 1990s - has grown into a full-fledged market with a dizzying array of ever-evolving product offerings for risks small and large.
When California enacted the country's first security-breach notice statute in 2003 - the first of many such state and international laws - companies suddenly faced strict regulatory requirements in the event of unauthorized access to, or disclosure of personal information belonging to customers, clients or employees. The steep costs associated with such data breaches (e.g., legal fees, forensic investigations, customer notification, credit monitoring and public relations expenses) proved a catalyst for the early growth of the cyber insurance market. Carriers were eager to develop and grow new lines of business, whereas buyers -particularly those who handled, stored or processed credit cards, Social Security numbers, medical data or other sensitive personal information - demanded a way to transfer the risk of first-party breach response expenses and third-party liability.
However, despite early demand from risks in the retail, financial services and health-care sectors, many companies and organizations continued to forego dedicated cyber liability coverage for a variety of reasons. Firms without large volumes of personal information didn't feel their exposure warranted the need to buy additional insurance. Companies assumed (incorrectly, for the most part) that their existing policies (e.g., property, general liability, crime and management liability) would pick up any data or privacy-related claims. Independent agents were challenged with not only understanding the ever-evolving exposures, but keeping up with the available coverage, and articulating the necessity to potential buyers.
Although market penetration remains low compared with more established lines of business, the tremendous growth in written cyber insurance premiums over the past five years points to a market that has come into its own and has largely overcome many of these early obstacles. While a truly standardized product is likely many years off, carriers now provide a common set of coverage parts, making it easier than ever to compare offerings. Perhaps most importantly, insurers are regularly paying claims across the wide spectrum of insuring agreements included within these policies; the value proposition of dedicated cyber insurance coverage has never been higher.
Here we will examine the current state of the cyber insurance market, highlight some of the key emerging coverage issues, and consider some of the changes that lie ahead.
Where We Are
At the end of 2018, reported U.S. cyber premiums exceeded $2 billion - more than twice what was reported in 2015 - with more than 500 insurers reporting at least some premium for the coverage (whether stand-alone or via endorsement to other policies).1 When examining the plethora of dedicated, stand-alone cyber insurance policies available in the market, virtually all products now offer a common set of coverage parts to address both first-party loss, costs and expenses, as well as third-party liability.
Typically, first-party coverage includes breach-response costs, cyber extortion coverage, cyber business interruption and data-restoration expenses. Third-party coverage includes liability to customers, clients, employees and others arising out of a network security or privacy breach, regulatory defense and media liability. Many of these insuring agreements and coverage parts have been standard for the past decade, but recent shifts in the cyber risk landscape have highlighted their importance. Other coverage parts and enhancements also have been introduced to fill previous coverage gaps or to address new or emerging exposures.
Perhaps the biggest theme of what is driving cyber insurance buying today as compared with five years ago is the growing understanding - and indeed reality - of cyber as an operational risk, as opposed to merely a data privacy risk. While data-breach response costs, regulatory risk and consumer-privacy litigation remain top concerns for certain sectors (namely health care, retail and financial services), they quickly are being eclipsed by the growing threats of cyber-related financial loss, ransomware and network-related business interruption. These new perils can affect any type of organization and are emerging as the primary loss drivers for many carriers in the cyber insurance market.
Cybercrime and Financial Loss
Historically, while offered as separate lines of business, the market has seen a rapid convergence and overlap between crime/fidelity and cyber liability products. In particular, there has been a growing trend for cyber insurance products to pick up losses involving the theft of funds or other property affirmatively, when such theft in some way results from the use of computer systems or occurs electronically. Aside from the long-available computer and funds transfer fraud, cyber and crime policies now will offer affirmative coverage for social engineering fraud.
In this context, social engineering is the use of deception to manipulate individuals into releasing money or securities under false pretenses. Usually, coverage is triggered when an insured employee transfers funds in good faith on email instructions from someone whom they believe to be a legitimate vendor or other payee. These schemes may involve manipulated invoices that appear to be legitimate, requests to change bank account and routing numbers or other deceptive tactics to induce the victim into voluntarily transferring the funds. These types of incidents have become all too common, with one study finding social engineering as the leading cause of loss under cyber liability policies in 2018, representing 30% of all reported claims for small- and medium-sized enterprises.2
Ransomware
Cyber extortion coverage - usually covering ransom payments demanded in order to avoid a credible cyber threat - has been included in many cyber insurance products for a while. Yet the growing threat of ransomware has brought new attention to this coverage, with many carriers expanding or clarifying policy wording to ensure that it appropriately responds to the present-day reality of these events.
Just a handful of years ago, many ransomware incidents went unreported and virtually unnoticed. Business owners would routinely and quietly pay the (relatively) low demands in order to retrieve their data and maintain operations. Today, it's not uncommon to see extortionists demanding sums well into the six and seven figures - almost always in bitcoin and frequently only after initiating communication with the victim company and negotiating the ransom amount.
With worming capabilities that enable the virus to spread throughout the network (and even into backups) quickly, the new variants of ransomware often leave the victim having to negotiate and pay. Even in cases in which backups do exist (and are not infected by the malware), the recovery process can be slow and incomplete. Whether the company chooses to pay the ransom, recover from its own backups, or restore/recreate data from other sources, the result often is the same: days or weeks without any access to critical information, applications or entire computer systems, and thus a severe impact on operations.
In addition to covering the ransom payments (with affirmative language to include payments in bitcoin or other cryptocurrencies), today's cyber insurance policies will pick up all of the other expenses incurred in investigating the threat, determining the best course of action (whether to pay the ransom or restore from backups), negotiate with the extortionists, and implement recovery once the decryption key is obtained.
Business Interruption
Business interruption coverage is not a new concept in the property market, but cyber insurance policies have applied it to nonphysical coverage triggers. In other words, events that threaten the availability and/or integrity of data and computer systems.
Traditionally, most cyber insurance products have covered business interruption caused by computer crime or computer attacks, including viruses/ malware, distributed denial of service attacks, or unauthorized access to the insured's computer system/network. The aforementioned rise in ransomware attacks - which often lead to substantial network downtime and business disruption - is just one example of how insurers are seeing an uptick in losses.
Coverage often may be extended to also cover those components of the computer network that are operated by outsourced service providers or other vendors, including cloud providers, software-as-a-service applications or other managed IT services.
As most organizations increasingly are reliant on third-party providers, applications and data storage, the need for this type of contingent business-interruption coverage becomes even greater. Additionally, now coverage commonly is available to cover network interruption caused more broadly by the insured's own administrative or operational errors in the management of the computer network and IT infrastructure. Often referred to as system failure coverage, the key concept is that it will respond to network interruption caused by nonmalicious acts, errors or omissions on the part of the insured's own IT personnel or other employees.
No matter the industry or size of business, it's important for prospective policyholders and their agents to consider where their critical data lies and which applications and services are crucial to their daily operations -coverage can then be tailored to ensure that system failure and contingent business-interruption exposures are addressed appropriately.
What to Expect in 2020 and Beyond
As cyberinsurance continues to be seen as a necessary component of a comprehensive commercial insurance portfolio, we can expect to see higher market penetration and premium growth in the coming decade. Part of this demand will come from new buyers who see the value of coverage in light of the evolving cyber risk landscape, well-publicized data breaches or even uninsured losses. Further demand may be driven by existing buyers who want to purchase higher limits - either out of realization of the true nature of their own exposure or to comply with contract requirements from clients, funding sources and other third parties.
Agents and brokers must be vigilant as carriers come to terms with "silent cyber" coverage within other lines of business (i.e., unintended coverage that inadvertently may respond to direct or indirect cyber-related loss). As carriers begin to clarify the intent of their general liability, property and even auto policies - via exclusions, amendatory endorsements, or updated policy forms - this represents an opportunity for agents to highlight the importance of affirmative, stand-alone cyber insurance coverage.
From a pricing perspective, there are early indications that the cyber insurance market may soon follow the lead of the greater property/casualty market. Indeed, carriers that focus on larger, complex risks in the retail and health-care industries already are achieving double-digit rate increases on certain renewals.3
The unprecedented frequency (and often severity) of ransomware-related losses in 2018 and 2019 is starting to chip away at underwriting profits and we can expect carriers to seek rate increases gradually, manage their capacity, and tighten their underwriting criteria in response. For example, we may see a greater underwriting emphasis on certain risk controls, such as business continuity planning and system back-up and recovery procedures. Or, perhaps the (re)introduction of sub-limits for certain coverage parts and changes in underwriting appetite with respects to certain classes of business.
Yet, with the sheer number of participants, carriers that are committed to the market will continue to find ways to offer comprehensive coverage, and even expand risk management and other value-added services in order to improve the risk profiles of their portfolios. As the market continues to prove its value and as carriers continue to build loss experience, policyholders, ultimately, can expect greater stability, expertise and innovation from their cyber insurance carriers.
Fenaroli is the assistant vice president, underwriting with Philadelphia Insurance Cos.
Reprinted with permission from PIA Management Services Inc.
1 Best's Market Segment Report, 2019 (bit.ly/2PupOFq)
2 NetDiligence, 2019 (bit.ly/2szS5S0)
3 The Insurance Insider, 2019 (bit. ly/2S3QzCg)