On Dec. 23, the last thing holiday shoppers at Target wanted to be thinking about was having their credit-card information compromised. But that was one luxury no one on hand could afford.
“We don't know yet,” one harried store manager in Staten Island painfully admitted to one especially persistent elderly woman demanding answers about what data thieves now knew. Was she safe? Could she continue to shop? Should she? How badly had the retail giant's consumer database been compromised? No one could say for certain.
Target's data breach, involving the theft of at least 40 million credit and debit card records and personal information of 70 million customers, dominated headlines after it was publicly revealed in late December 2013, driving home the need for better protections against the growing specter of cyber crime. But if the Target incident was unusually large in scope, it was by no means unique: The Identity Theft Resource Center, which has tracked data breaches since 2005, reported 619 publicly disclosed breaches in 2013—a 30% increase over 2012.
As the number of data breaches and cyber crime increasingly grows over the years, so has interest in cyber liability coverage by businesses—a trend that shows no sign of slowing. According to Betterley Risk Consultants Inc., cyber has grown to a $2 billion market (twice what it was in 2012), with the majority of carriers reporting premium growth between 10% and 25% and several reporting 25% to 50% and more.
“The impact of the Target breach on the cyber sector is that it will take a coverage that had already been growing in demand and make it even more so,” predicts Christine Marciano, president of Cyber Data Risk Managers, an agency that specializes in data privacy and cyber liability risk.
Unlike a few years ago, she adds, companies now are growing more serious about this area of cover: “You’d be hard-pressed to find an organization that hasn't explored ways to budget for cyber if they haven't purchased it already.”
Previously, the process of buying cyber cover spanned almost a year, in part due to the need to educate brokers and clients. Today, that awareness already exists when companies begin the RFP process, “and there is much greater buying activity than we’ve ever seen,” says Ziad Kubursi, senior vice president and head of management and professional liability at Philadelphia Insurance Cos. Kubursi adds that Philadelphia is seeing double-digit sales growth in the line.
INSUREtrust, a white-label distributor of cyber liability products, saw 20% growth in premium in 2013, a number consistent with previous years—“and we’ve achieved 30% growth among our targeted classes of business,” says Steven Haase, the company's president.
Yet, amazingly, not every business carries cyber liability protection: The Ponemon Institute estimates that about a third of 600 companies (of varying size) that responded to a poll it conducted in 2013 have a cyber policy in place. Marciano says that some non-buying companies mistakenly believe they are already fully covered by their CGL policies for cyber liability or don't understand the breadth of coverage available in stand-alone cyber forms. Others think that their IT security technology insulates them from attacks.
“Even though organizations see cyber attacks and data breaches continuing to occur and increasing in frequency, they still think, ‘It can't happen to us.’ That's naive,” Marciano says.
“For some companies, it's a budget issue,” says Tracie Grella, global head of professional liability at AIG. “Other companies struggle in the decision process to get their arms around the differences in coverage from carrier to carrier, while others are still trying to assess their exposure to cyber loss.”
“There are two types of organizations—those that have had a [data] breach and know it, and those that have had a breach and don't know it yet,” says Richard Betterley, president of Betterley Risk Consultants Inc.
Patricia A. Borowski, senior vice president at the National Association of Professional Insurance Agents, says that there is an opportunity for agents and brokers to market cyber liability by educating customers about the gaps in standard liability forms.
“Even among large mid-market insureds, there is a huge uptick that has to happen in terms of their attention to the real scope and detail of this exposure. This is even more the case with smaller commercial accounts,” she says.
Ken A. Crerar, president and CEO of the Council of Insurance Agents & Brokers, and NU P&C advisory board member, says that while there has been “more talk than action” among small- and medium-sized businesses around cyber insurance, he agrees that the market presents a significant growth potential for agents.
“The year ahead should give way to a much more proactive versus reactive space,” he says.
Capitalizing on that opportunity requires articulating the different types of risks small businesses face as well as different products available to small businesses. “Brokers can continue to help ramp up awareness and education of clients by facilitating the input of technical specialists into the dialogue who can showcase the layers of risks across businesses,” Crerar adds.
However, Borowski believes the tipping point in cyber purchasing will ultimately come not through broker outreach, but by the growing recognition of risk across the business community.
“While PIA members can help their customers better understand cyber issues and demonstrate how the available coverage can better protect them from exposure and losses, customers must have also gained an awareness of these matters independent of insurance carriers or their agents,” she says, adding that recent news stories regarding massive personal data breaches is helping to increase awareness of these risks to all businesses.
The cyber liability market remains highly competitive, with carriers still fighting over market share. Rates are stable, and brokers report capacity of up to $20 million with any one carrier and the ability to create $100 million coverage towers. And as competition remains high, underwriters are finding it increasingly difficult to exercise rigor in the underwriting process.
“It's definitely become easier to acquire the coverage,” Haase reports. “Companies are offering simpler application forms and a more buyer-friendly process.”
Kubursi recalls that when the coverage was first offered in the market in the early 2000s, underwriting was an involved process, involving on-site visits and interviews with clients’ technology officers to understand the controls and safety. That's no longer the case. “Because the loss experience on the product is very favorable, underwriting diligence has dwindled to virtually nothing at some companies,” he says.
Betterley reports working with one carrier that used to have 100 questions on its cyber liability application. Today, they have 10, Kubursi says. “When they tried to get answers to more questions, brokers simply took the business elsewhere.
“There are still two extremes in underwriting—from onerous to lenient—but most companies are toward the lenient side,” he continues. “We are somewhere in the middle. I do think the underwriting will become more rigorous across the market in the wake of high-profile breaches over the past year and as losses increase.”
Carriers are jockeying to compete not only thorough competitive pricing and streamlined underwriting, but with coverage and product differentiation.
“Cyber liability” is a catch-all term for insurance that typically includes a mix of third-party liability coverage for damages suffered due to loss of data, first-party coverage for response and remediation costs, and coverage for fines and penalties. Beyond those fundamental coverages, policies can include business income, intellectual property, errors and omissions, and more.
“The scope of coverage continues to expand, and what is already a broad product is getting broader,” says Thomas Herendeen, vice president of management and professional liability for Philadelphia Insurance Cos.
Philadelphia's original cyber form has been enhanced over the years to offer coverage for regulatory fines and penalties, business income and extra expense, and extortion. Endorsements provide coverage for risks such as corporate confidential information loss, breach of private information related to minors and expanded crisis-management costs.
Insurance carriers also include more value-added services to their products, including cyber security tool kits, training “and other things to help companies understand and manage risk,” says Marciano.
In 2013, AIG completed a major enhancement of its CyberEdge product, adding an array of risk-management tools to the third- and first-party coverage the product had provided. “We conducted a survey of customers, and 80% of risk managers felt that one of their biggest challenges was keeping up with changing cyber risk and emerging threats,” Grella says.
Any business, not just AIG customers, can access information on cyber risk through the CyberEdge Mobile App for iPad that provides news from around the world and a continuously updated breach map that shows hacking hotspots across the globe. AIG customers that generate more than $10,000 in cyber premium also have free access to the CyberEdge Risk Tool, which provides resources for security, training, and compliance, as well as an AutoShun hardware device from RiskAnalytics.
The AutoShun device is installed on a customer's network and uses proprietary technology to prevent communication with known “bad” IP addresses. The list, which Grella says is updated every 10 minutes, “gives businesses protection against communicating with bad IP addresses that is much more current than a typical firewall provides.”
In 2013, 170 customers signed up for the Risk Tool or an AutoShun device, a number that was in line with AIG's expectations. Betterley expects the amount and depth of value-added services offered by insurers to continually increase.
“Customers are looking not just for access to information, but answers to questions,” he says. “Most organizations don't have a chief privacy officer, so having an outside resource to bounce plans and ideas off of, as happens with other lines of insurance such as EPLI, will be the next evolution of service in the cyber world.”
Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims Study
New Threats Raise Stakes
In managing cyber risk, businesses must address security concerns such as lost devices, unencrypted data and careless user behavior. At the same time, they must contend with new threats, including hackers' growing sophistication and organization. Increasingly, geopolitical forces are engaged in cyber terrorism.
“Hackers aren't necessarily persons or even groups of persons. They can be machines, often funded by criminal organizations,” says Bryant G. Tow, a partner at Vaco Risk Solutions in Nashville.
Evidence is also mounting that there is an ongoing, organized assault against U.S. retailers. In addition to Target, Neiman Marcus reported a breach of more than one million credit cards in late 2013. Michaels Stores advised customers in January 2014 of fraudulent activity that the Secret Service is investigating. The same month, HasbroToyShop.com was hacked, resulting in shoppers being redirected to a malware site.
Companies also deal with new types of hacking activity. That includes crypto-locking, where hackers prevent access to a company's own data and threaten to destroy the data unless a ransom is paid.
“Crypto-locking is a huge concern, but something that companies quite frankly haven't gotten their arms around yet,” says Matt Prevost, assistant vice president in Philadelphia Insurance's management and professional liability division.
Also, Microsoft's announcement that it will no longer support Windows XP effective this April has created significant vulnerability potential for companies large and small that still use it.
“XP makes up a little over 20% of the operating system market,” says Tow, who expects hackers to aggressively exploit systems that will no longer be regularly patched.
“The bad guys won't stop trying to find holes in it. I would say you probably have a month at best after support ends before you are going to be significantly vulnerable if you use XP, and a few months until you’re critically vulnerable,” he predicts. “There really is no choice for companies but to upgrade or switch operating systems on or before the deadline if possible.”
Claims Increasing, But Market Holding Steady
With increased breach activity and the growing use of cyber coverage, it follows that insurers would be handling more losses. INSUREtrust, for one, reports more than one breach incident a week, a frequency that Haase expects to grow.
“One of the problems with breaches is companies often don't know immediately that they’ve been compromised unless a third party tells them, so it can take quite a while for claims to develop,” he adds.
At AIG, says Grella, “We’re seeing about a breach per day. We’re definitely busy in claims.”
According to the Ponemon Institute, the breach cost per compromised record is $188. In the latest study by NetDiligence of cyber claims paid by insurers, the average claim was $954,253, which included legal settlement, legal defense and crisis-service costs.
“There is no such thing as a breach that costs $50,000 to resolve,” says Kubursi in Philadelphia.
Yet despite rising claim frequency, insurers report favorable experience on the line. As a result, industry observers expect the highly competitive market to continue for the foreseeable future.
“I have no idea when the market will turn. It seems that coverage gets broader every year,” Haase says. “Like any newer line of business, eventually critical mass will be reached in cyber claims experience, and companies will have to reassess how aggressively they underwrite and price coverage.”