Just as both the number of users and their experience of the Internet have changed dramatically in the past two decades, cyber insurance products have made quantum leaps in the exposures and losses they cover. Policies available today are perceived as worth the investment because they provide greater limits and respond to a wider variety of cyber risks.
For example, in the late 1990s, coverage for cyber events was arguably included in miscellaneous errors and omissions (“E&O”) liability and technology E&O liability policies, and then only for third-party damages. The principal purchasers of the limited coverage available at that time were professional services firms and technology companies; standalone cyber coverage was just being introduced. Fast forward to today, and the marketplace is vastly different, with carriers offering expansive policies covering breach costs, regulatory investigations and fines, vendor incidents, and extended first-party business interruption coverage. In addition, sublimited coverages, once prevalent, are far less common in cyber policies, and coverage for losses involving property damage is beginning to come into play. Purchasers now view cyber insurance as a wise spend, with successful claim resolutions and buyers across industries.
One reason for this evolution is that the nature of the threat has changed. Fifteen or more years ago, hackers tended to break into networks for the purpose of defacing or disrupting websites. That activity seems almost benign compared to today’s events. As a black market developed for credit card data and other personal information, cyber attacks targeted retailers and other businesses to engage in identity theft. Denial-of-service attacks that shut down networks are growing in frequency and severity. Now, nation-states and other sophisticated hackers are seeking different forms of valuable information, such as intellectual property.
“There is a very fast-paced evolution of technology, which is influencing the laws and regulations that govern the cyber world,” said Steve Bridges, senior vice president in JLT’s Cyber/E&O practice. “Cyber insurance language has improved dramatically and it has evolved as the industry has suffered claims. That happened in a similar way a long time ago in property insurance, directors’ and officers’ liability insurance and other mature lines,” he explained. “Over the past 10 to 15 years, we’ve gone from policies that were very limited to policies that cover breach costs, network attacks and system failures -- all driven by events in the real world.”
The changes are part of an ongoing evolution as businesses and underwriters gain a deeper understanding of cyber risks, noted Patrick Donnelly, president and deputy chief executive officer of JLT Specialty USA, a division of JLT Group.
“Coverage has changed in specific ways. It’s materially different from 15 years ago. In the early days, around 2002, cyber coverage for liability risks was not well understood. The focus of most coverage was for liability arising out of network attacks,” Donnelly said. “After 2007, coverage began to contemplate data breach risks more broadly and coverage expanded to address many of the costs incurred by a company after a breach, such as forensics and regulatory and notification requirements. The market responded and offered meaningful coverage with sublimits, and then those sublimits became full limits.”
Coverage for data breaches has become valuable in the past decade, as both the number of events and volume of records exposed continue to rise. Recent breaches have recalibrated the scale for records exposed: 80 million records to 100 million and beyond.
Data breach losses, which are a large portion of cyber liability claims, are generally well addressed in current cyber coverage, said Bridges. “There are two big buckets of costs following a data breach event: the costs to respond to the event and then, the costs to defend claims and pay damages. The cyber market has done a great job of addressing both components,” he said.
Carriers have helped their client base address breach costs by investing heavily in creating vendor panels and providing risk mitigation services to assist their clients both before and after a breach. These services have proven to be valuable to many cyber buyers.
“Companies are starting to better understand that properly handling breach response will mitigate third-party losses and many are relying on the tools and vendors offered by their cyber insurer. Ultimately, the best thing about current cyber coverage is that, with respect to data breach incidents in particular, they work. They’re responding well and paying claims,” Bridges said.
“Companies with a lot of personally identifiable information will continue to face breaches, and these policies do a great job of paying seven- and eight-figure losses and, in certain cases, protecting companies’ balance sheets,” he said.
Even businesses that do not typically hold vast amounts of personal information, such as manufacturers, are realizing that they are not immune from cyber attacks. A risk manager for a large industrial manufacturer based in the central United States conducted a review of the organization’s cyber exposures and concluded that it needed to consider cyber insurance, even though the company believed its cyber security was strong. In prior years, the company was like most of its peers in manufacturing – it did not see value in cyber policies, but that has changed, the risk manager said.
As the risk of ransomware attacks has increased, cyber policies are responding, said Florence Levy, senior vice president in JLT’s Cyber/E&O practice. “Ransomware attacks can lead to a variety of costs and losses to the companies attacked. A broad cyber policy will respond not only to the costs to investigate a ransomware attack and the costs of any ransom paid, but should a ransomware attack lead to a network outage, a well-crafted policy will respond to the resulting lost revenue and extra expense,” she said.
In the past five years, policies have been including loss control assistance to help businesses respond and recover, Donnelly said. “Limit adequacy has evolved considerably in that timeframe. There is still work to do, however, on first-party losses such as contingent business interruption and physical damage losses,” he said.
UPTICK IN PURCHASING
Another sign that more organizations are recognizing the value of cyber insurance is growth in limits purchased, according to Levy. “Clients, large companies in particular, are buying more limits because they realize their risk is potentially much larger than anticipated. The marketplace has generally responded by offering greater capacity, in excess of $600 million, for those complex risks.”
“Capacity is slowly but surely increasing,” she went on to say. “The market is expanding, and some carriers are offering $100 million facilities – though these towers are often targeted toward more challenging risks and involve a robust underwriting exercise. Limit deployment tends to be greater for third party liability than it is for first party, particularly for network business interruption, where the market is experiencing paid insurance losses for the first time.”
The price of cyber insurance has come down, terms have improved, and insurers have benefited from the fact that more companies are buying the coverage – they are more able to spread the risk, Levy said. She noted that “generally, carriers want to write across industries, though some classes are tougher to place than others.”
CONTROLLING CYBER RISK
More businesses are valuing cyber insurance and purchasing additional coverage, but there is still a need for organizations to adopt a strategic, rather than tactical, approach to managing cyber risk. The strategic approach does not start with insurance; rather, businesses should seek to understand their exposure to cyber events and the impact that those events cause. Identifying and quantifying cyber risk, then evaluating potential ways to mitigate those risks, are the first steps. Taking those steps not only helps the organization reduce its exposure but it also informs decision making about insurance solutions. Shortcutting the process in favor of an insurance solution is akin to putting the cart before the horse.
“A strategic approach perspective means having a granular discussion with the client around their risks and identifying risk controls to mitigate or prevent exposure, which also can aid in recovery,” Donnelly said. “There should be a recognition in the insurance space that until clients know how to mitigate the risks, it will be difficult to talk about an insurance purchase. Once clients identify the remaining risk and the likelihood and severity of an event, the industry can discuss the most effective way to finance that risk.”
JLT uses a flexible four-step process with clients on cyber risk:
- Understand the risks.
- Assess the efficacy of risk controls.
- Apply models and analytics.
- Determine the value of insurance and risk transfer for the specific risks.
Clients are at all different levels in understanding their cyber risks, Donnelly said. Some have a strong handle on cyber risk, while others are in the early stages of recognizing their exposures. Organizations that are further advanced in understanding the risk can be frustrated by a rigid process, he said.
“We don’t sell cyber insurance for our clients as a first step. We help them understand their risk, and we also challenge the markets to evolve further to meet clients’ needs,” Donnelly said.