While carefully examining a cyber insurance policy, John Ahmuty, a broker for Swett & Crawford, uncovered a confusing requirement for coverage to be effective. According to the policy, the insured’s security software had to be the “most up to date.”
But the policy did not define exactly what “most up to date” meant. When he questioned the underwriter, Ahmuty says, “he could not provide further clarification.” You might not be surprised to learn the client chose a different policy.
For Ahmuty, this exchange was just another adventure in selling cyber insurance. “Insurance carriers are constantly updating their forms, so what they may have presented six months ago they are no longer presenting,” he says.
As a result, each policy requires time-consuming review. That meticulous review is imperative, Ahmuty says, because agents and brokers who do not accurately differentiate between each policy could face potential lawsuits related to errors and omissions.
For agents and brokers who sell or intend to sell cyber overage, this is one of several challenges in the emerging cyber market. As cyber insurance continues to evolve, we can expect to see many growing pains on the road to maturity.
These include the need for policy standardization and for more agents and brokers to understand the nuances of coverage. And while the demand for cyber coverage is on the upswing, plenty of room remains to expand the customer base.
“It’s analogous to where employment practices liability (EPL) was 10 years ago,” Ahmuty says. He expects cyber to go through similar stages as they did with EPL, about which clients initially knew little. As they became more aware, they asked their brokers for quotes but found the policy language could vary greatly. At that point, many clients still decided it was too expensive. Today, Ahmuty calls employment practices liability “one of the most important coverages for an insured.”
These days the demand for cyber coverage is growing, but Ahmuty says policy language still needs substantive standardization. “We see carriers making significant amendments to forms they had come out with a few years ago,” he says.
And more carriers are entering a market already flooded with a dizzying array of coverage options. It’s “amazing how many carriers are jumping into the cyber arena,” says Ken LaBelle, a broker at Burns & Wilcox. “It is non-stop.”
Nearly 50 insurers offered cyber coverage in 2014, according to The Betterley Report’s Cyber/Privacy Insurance Market Survey. Ahmuty estimates about 20 are offering what he considers to be full coverage while other offerings are “significantly scaled back.” Due to the lack of standardization, he says, “a policy may not offer significant coverage.”
The more crowded the market becomes, the more agents and brokers need to immerse themselves in the finer details of ever-changing products, names, terms, policy language, exclusions, endorsements and triggers. The learning curve is steep, but the benefits of mastering an emerging insurance line and responding to customer requests promise future dividends.
That might be why 60% of brokers not currently selling coverage intend to do so in the next three years, according to PartnerRe/Advisen’s Survey: Cyber Liability Insurance Market, released last fall.
They will have a lot to learn. Of surveyed brokers already selling the coverage, only 29% describe themselves as “extremely knowledgeable,” while another 65% consider themselves “moderately knowledgeable.”
Ripe for Growth
Cyber coverage was introduced in 1999 by AIG to address a coverage gap in general liability coverage, says Robert Parisi, managing director and cyber product leader for Marsh USA, who helped develop the product. He estimates insurers collected about $2 billion in gross written premium in 2014.
Parisi has seen growth spikes in demand before. The first big one occurred in 2004-2005 after states started to implement privacy breach notification laws. More recently, premium growth really began to accelerate when numerous high-profile breaches put a spotlight on the vulnerability of all organizations. The growth has intensified in the past 12 months as the concern over cyber attacks has risen to the corporate board level.
“We see demand for this coverage accelerating for the foreseeable future,” Parisi says. And there is still plenty of cyber coverage to sell. “Anecdotally,” he says, “we believe that penetration of cyber insurance into the economy is about 25% to 35%, with different levels of adoption of coverage based upon size of the entity and industry.”
From the desire for higher limits to more products and new customers, growth is taking place in different ways. Customers who already have cyber coverage want more. Fifty-seven percent of carriers say they sometimes receive a request for higher limits, according to PartnerRe, while 37% say they frequently receive such requests.
There is also greater demand for more types of coverage. The most popular coverages driving first-time purchases are for breach notification costs and regulatory investigations, fines and penalties, Ahmuty says.
Demand is also growing by industry sector. There is still plenty of room for growth in the highly exposed sectors of retail, healthcare and financial services. Education, telecommunications and manufacturing are not far behind.
The Anthem data breach in February is the latest major example of the healthcare sector’s cyber vulnerabilities. The healthcare industry has been consistently getting the highest number of data breaches for the past three years, amounting to 42.5% of all U.S. breaches, as tracked by the Identity Theft Resource Center (ITFC).
The number of data breaches continues to rise. The center counted 783 breaches in 2014, a 27.5% increase from 2013.
“Larger organizations are more likely to already have coverage than smaller firms while retail, financial, healthcare and higher education tend to be more likely to buy the coverage than entities that don’t view themselves as having a large privacy risk,” Parisi says.
Even industries that aren’t privacy based, such as critical infrastructure organizations and manufacturers, are buying coverage, he says, out of concern for their dependence on technology and fear of losing revenue when technology fails.
Just how much is market demand picking up? According to the PartnerRe survey of brokers, carriers, risk managers and insurance buyers, 47.6% of brokers and underwriters report a significant increase. Another 45.7% cite a slight increase in demand while the rest either did not see any increase or were uncertain. When asked to name the top three drivers of growth in the cyber insurance marketplace, respondents listed “News of a cyber-related loss” at the top. This was followed by “Increased education and awareness of the product” and the “Requirement to buy the cover by a third party.”
There are also regulatory reasons for growing customer demand. “The risks that have a bigger exposure or more potential for regulatory fines are the ones purchasing more,” LaBelle says. “It is coming from certain arenas like healthcare because of the regulatory fines.”
Because potential regulations will also fuel the market, brokers will have to pay close attention to them, Ahmuty says. “With all the rhetoric in Washington and states reacting to the large occurrences of the past year or so, we don’t know what regulations and requirements will be coming out that will have to be addressed (through) different changes and enhancements in the coverage form.” As a result, he says, “We need to make sure the coverage mirrors what will be required by the various regulatory bodies. It’s a moving target.”
Customers are also getting more interested in buying cyber coverage for their companies because their personal information has been stolen in a data breach. Such an experience, Ahmuty says, “makes it more real.”
The evolution of cyber coverage also tracks with the migration of technology into the economy, Parisi says. “As privacy and technology events become more likely to cause harm or loss, the cyber policies have adapted to address these risks,” he says.
Barriers to Sales
Growth in customer demand is a reality, but that does not mean businesses are seeking cyber coverage en masse. More than 80% of brokers told PartnerRe there was greater interest from the C-suite or board levels but it has not translated into a “significant driver of sales.”
Awareness does not mean customers are clamoring for coverage. “Everyone is excited about it and everyone wants to sell it…but it is not ramping up like it seems,” LaBelle says.
Ahmuty says customers are seriously inquiring about it and they are willing to fill out the application, but that does not mean they will buy it. To him, the biggest obstacle is for customers to get used to paying for yet another coverage. “There is a resistance to the agent trying to come in and sell something additional,” he says.
According to PartnerRe, the three top obstacles to sales are cost, customers who don’t understand their exposure and the need for more broker education.
Denial is another reason. “Everybody knows about it,” LaBelle says. “The bigger issue is those who think, ‘It is not going to happen to me.’”
From the agent and broker perspective, cyber insurance policies and risks are still evolving, so there is still a lot to learn, even for the veterans. Policies are still chock-full of sometimes hair-splitting exclusions and limitations. “A risk can be offered to three markets, and there is not going to be a same response,” LaBelle says.
Policy forms are changing as coverage evolves. Originally designed to cover dot.com companies, Parisi says, cyber coverage was modified to focus on the broader risks of computer systems related to privacy and newly evolving perils created by increasing connectivity, mobility and cloud-based risks.
Unpacking these realities starts with the insurers offering the coverage. While eager to stake their claim in the cyber market frontier, they have to tread carefully. There is little historical data on which to base pricing, and cyber coverage does not promise to be future predictive as new types of cyber attacks emerge.
Keeping coverage affordable means requiring high deductibles and curtailing limits per customers. Forty-six percent of brokers in the PartnerRe survey said they sometimes can’t get insurers to offer higher limits, while another 5% said they frequently can’t do so. This calls for more involvement from the reinsurance industry to offer insurance companies opportunity to offer excess coverage.
“By all accounts, reinsurers are willing and able to provide capacity for cyber liability treaties, subject to the same risk management criteria that reinsurers use on their other lines of business,” says Catherine Rudow, vice president and senior underwriter of specialty casualty for PartnerRe U.S. “Reinsurers are looking to build premium to support loss activity while managing the aggregation potential within and across reinsurance contracts.”
In response to client requests, brokers and agents are building packages with multiple layers to secure aggregates of higher limits, which increases negotiations with other insurers or excess carriers. When putting together an insurance program that requires more than one carrier to achieve the desired aggregate limit, Ahmuty says, make sure primary and excess coverage forms are as similar as possible.
The good news, according to LaBelle: Policies are starting to standardize as insurers copy each other. “Great American just jumped in the market, and their form is like a collaboration of all the predecessors’ good ideas,” he says. The insurer also adds endorsements, so their first form is “very broad and full.”
Even though better policy language is making it easier for veterans to navigate forms, those new to the market are “still going to fumble their way through them,” LaBelle says.
As long as cyber risk volatility continues, every aspect of coverage, from data collection to pricing to anticipating new regulations and developing new endorsements, will be continuing for quite awhile. To compete, agents and brokers not only need to know their stuff, but should also consider innovating services to attract and retain their piece of the burgeoning cyber market.