The cost of cyber insurance is heading higher just as more companies are deciding to buy the coverage.
A recent outlook from insurance brokerage Willis sees premiums for most types of commercial insurance declining in 2016. But in the wake of a string of breaches in which hackers exposed mountains of data at big companies, Willis said cyber premiums could rise as much as 15% next year. Companies that are seen as particularly vulnerable to breaches, such as retailers and health care providers, could see price hikes of up to 150%, Willis said, but noted that small companies should see smaller increases.
“With some of the recent mega breaches, with some of the limit losses out there, the underwriters had to adjust their pricing,” said Neeraj Sahni, vice president for cyber and technology risks at Willis’ FINEX North America division.
Some of the big breaches that occurred in 2014, including incidents at Target, Home Depot, and Sony, resulted in bigger claims for insurers than had been seen previously, he said.
Given that, Sahni said, some underwriters have decided to sell coverage to small to midsize companies, rather than Fortune 500 companies. “They see cyber as a risk where they need to spread their book,” he said. “They’d rather underwrite more smaller companies than one big company.”
The pricing also reflects the growing demand for cyber coverage, Sahni said. A RIMS survey of risk managers released in June showed that 51% of organizations purchase stand-alone cyber coverage, and 74% of those that don’t are considering buying coverage in the next 12 to 24 months.
Making Your Case
The forecast for higher premiums for cyber coverage suggests risk managers will need to put their best foot forward with underwriters.
“It’s a harder market, definitely,” Sahni said. “Everyone has to be sure they are pitching in the right way.” He noted that Willis works with its clients before they present to insurers, to prepare them for insurers’ questions about their cyber security. “Sometimes [companies] may have the controls, but they’re not being explained the way underwriters want to hear it,” he said.
And the questions are getting tougher. In fact, some big insurers have in-house security consultants who participate in conference calls with companies seeking coverage. “The underwriters rely on that security consultant to ask the right questions on that conference call,” Sahni said. “And that conference call goes into process, people, and technology and goes deeper into how that company is really engaging themselves to be sure they’re a better security risk.
“It just depends on how that conference call goes sometimes on how the pricing will look after that,” he added.
Carolyn Snow, director of risk management at Humana and former president of RIMS, suggested having the company’s IT security executives participate in discussions with underwriters.
“Partner with your IT security people,” Snow said. “They are your absolute best resources. And if possible, get them in front of the underwriters, do a conference call, and let them talk to the underwriters about what you do and how you do it.
“That’s what we did for our renewal,” she added. “We set up a WebEx [meeting], we had some underwriters—our IT guys did a whole presentation on what we do and took questions.”
Plethora of Cyber Policies
Joshua Gold, a partner in the New York office of law firm Anderson Kill and chair of its Cyber Insurance Recovery Practice Group, suggested that companies shopping for cyber insurance shouldn’t make the cost of coverage their primary consideration.
“That old adage ‘You get what you pay for’ can absolutely be the case here,” said Gold. “This is not the area where I would make the price the determining factor.”
There are currently many insurers offering cyber coverage, and there is no standard cyber policy. That diversity means companies have to be careful “comparison shoppers,” he said, and it makes it important that they work with an experienced broker.
“Because there are over 65 different primary insurance policies in the market, there’s not much uniformity of product,” he said. “I would not use just an insurance broker who is a jack-of-all-trades; I would find a broker who specializes in this coverage and really is conversant in the terms and the details.
“The market right now is pretty negotiable on terms, but you have to know what to ask for,” Gold added. “Lots and lots of insurance policy forms in the cyber marketplace I think do a poor job of being clear and certain in terms of what the coverage is. But if you have a good broker at your side, they can often get endorsements that these insurance companies will offer and put them on the policy to make the terms clearer and the coverage more certain and have a broader scope.”
For example, he said, if companies use cloud computing, they should be sure that their cyber insurance policy makes it clear that the coverage extends to breaches that occur on a third party’s network or servers.
“Another important example is, there are conditions sometimes that say something like ‘The policyholder will use, at all times, the best cutting-edge security and always be reasonable in the way that they handle their data,’” Gold said. “That kind of vague clause is very susceptible to a big coverage fight that will lead to litigation. Reasonableness and what’s cutting-edge at the time is very much a subjective analysis.”
Back to Basics
Of course, companies arranging for cyber coverage should be sure they have put in place all the necessary cyber security measures.
“The better risk you are, the more options you are going to have in the marketplace,” Gold said. Companies should be sure they have a plan to safeguard their data and a breach response plan. They need to do due diligence with vendors and other third parties that have access to their systems, and to have a program in place to educate their employees about how to handle data.
“The way the market is evolving, I think it will really become a matter of who differentiates better in their risk management,” Sahni said. “Underwriters are taking that approach to credit the companies that do a better job in risk management.”