As high-profile data breaches occur and attract public attention, insurance industry observers feel that more and more businesses will seek out first-party cyber insurance coverage to protect their assets and their reputation in the eyes of the public.
A burgeoning market exists for coverage for the costs of responding quickly and effectively to a data breach, but it is tricky to find insurance to compensate a company for reputational harm or contingent business interruption due to cyber-related losses.
The challenge is for the business world to understand the kind of risk they have and the coverage they need.
According to Melissa Ventrone, a Chicago-based attorney with Wilson Elser, any company that has an online presence, outsources work, or employs outside vendors could be at risk for cyber losses and should be looking to protect itself with insurance or effective risk management practices. Unfortunately, such companies may not be aware of that risk.
“Companies’ infrastructures and their data and security are under attack,” said Ventrone. Whether the attacks come from cybercriminals, “hacktivists,” corporate espionage, a data breach, or a misdirected email with sensitive information, the threat is there, she explained.
Ventrone agreed that some businesses are addressing the risk, but more awareness is needed at every level of a business about how data are secured and what kind of back-up plans are in place.
“Most companies, when they think of cyber risk, think, ‘oh, a foreign country isn’t going to come after me.’ But there’s internal risk, too,” she said. From an operational standpoint, a breach in security can arise from bringing a laptop or unencrypted hard drive home for safekeeping and losing it or damaging it.
Once a company opts to buy cyber insurance, Ventrone emphasized that insureds need to understand exactly what their policies cover.
“For a company to be adequately covered, it’s so important that they explain to their broker what kind of coverage they’re looking for and what kind of information they handle,” she said.
Brokers and underwriters say that cyber insurance can typically be tailored to a company’s specific needs.
Michael Schmitt, assistant vice president with Lockton, said that businesses can generally find the coverage they need, but they should be prepared for an exhaustive underwriting process depending on the complexity of the risk. Smaller risks with more limited exposure may be underwritten quickly with just the information on the application. As the complexities grow, an underwriter is likely going to want to investigate further and speak with the potential policyholder, according to Schmitt.
For more complex risks and policies addressing more than notification requirements, coverage is going to depend on the market.
“How much you can achieve in limits and breadth of coverage depends on the carrier. The majority of carriers that play in the cyber liability world are going to provide most of the [basic coverage]. You can go to any of your traditional names,” added Schmitt, citing Chubb, AIG, Travelers, ACE, and Navigators.
Industry experts said clauses in a cyber policy will generally be fairly typical, but language varies according to each individual underwriter and each carrier’s risk appetite.
“Once you dig in a bit deeper, each carrier’s going to tweak their coverage a bit,” said Schmitt.
Underwriters tend to develop their own policy language, although Insurance Services Office (ISO) has created an e-commerce form approved for use in all states other than New York and Vermont. It includes a variety of first- and third-party coverages including the cost of responding to security breaches; loss of business income or extra expense due to viruses or cyber extortion; public relations expense; payments for “ransom” or other threats to an insured’s computer system or proprietary information; replacement of electronic data; media or website liability, including copyright or trademark infringement; programming errors and omissions liability; and liability to third parties for security breaches.
“ISO staff is aware of some participating insurers that have used the ISO cyber program as filed by ISO and approved by state insurance regulators, and others who have used the ISO policy language as a basis to develop their own cyber program,” said the firm, adding that some carriers in the marketplace have developed their own proprietary cyber programs.
ISO said it also plans to introduce an optional cyber endorsement for use with its businessowners program in the second quarter of this year.
However, ISO’s forms are provided and approved in states on an advisory basis and brokers said many insurers won’t offer coverage for reputational harm, patent infringement, or intellectual property loss. A few specialty markets provide it and work with the companies who want it and are willing to work with carriers on limits and clearly defined policy language.
According to Schmitt, an illustrative example for reputational risk coverage is the case of Oscar Pistorius, the South African runner who is currently on trial for the shooting and murder of his girlfriend. Pistorius had a major sponsorship deal with Nike that has since been suspended. Reputational risk coverage would respond, for example, to the costs incurred by Nike in developing a marketing campaign that was essentially scrapped. Companies would sit down with an underwriter and fully evaluate the impact on revenue streams of all marketing deals and sponsorships to determine the appropriate insurance limits.
Eric Allen, senior underwriter with Liberty Insurance Underwriters, said that intellectual property cyber coverage is “definitely something that is on the horizon” since insurance buyers are showing interest. Some London markets might cover a trade secret claim, but not in a replacement capacity. Such policy provisions would respond to the third-party aspects of the claim and litigation arising out of it.
In a line of business as new as cyber, there are limited data upon which to base pricing and underwriting. Claims are already rolling in, providing a better picture of the costs of cyber losses. And while businesses tend to be more close-mouthed about the hit to their finances, public companies will ultimately need to report revenue on their 10-K statements.
As the cyber insurance market grows, insurers are focusing on the crisis management culture of a company to determine their likelihood of loss.
“Cyber risk is a company risk,” said Ventrone. “It’s not just an IT risk. Companies need to make sure they have a holistic view and connected response that understands the risk and the coverage that they need.”
Schmitt explained that “three-headed leadership” drives effective cyber risk planning.
“In a perfect world, you’d want the input from the chief security officer, the head IT officer and the risk manager. It involves all of those areas. If you were to try to do one on one with an IT manager, buying insurance isn’t part of their world and with the risk manager, IT security isn’t their ballpark, either.”
Allen said that corporate governance plays an important role in determining a company’s exposure. Insurers can evaluate how a business’ privacy structure flows, how close it is to the top of the organization, and whether they have a well-tested breach response plan.
“They might have a plan in place, but they might never really test it,” said Allen. “We look to see if there’s a refined process in place and that they test it, at least on an annual basis.”
Companies can keep costs down by quickly and effectively responding to cyber events, but missteps in the response plan can negatively affect the overall outcome.
“That’s really the scary part of this insurance. You could blow through a couple of million dollars in the first 90 days,” said Allen. He noted, “How they respond to the breach can be just as harmful as the breach itself.”
Pricing, therefore, ends up taking into account the risk control companies have implemented. There’s no “average” price and the cost ranges widely from carrier to carrier.
“That’s a question we get a lot – ‘What do you think the pricing will be?’” said Schmitt. “The hurdle for that is you’ve got all these companies that have got different levels of risk and exposure and when you get into the market, you’ve got premium swings of 20 percent to 30 percent from one carrier to another.”
He explained that a billion-dollar company that makes shoelaces is going to present less of a risk than a $10 million company that sells shoes. A manufacturer is going to be less of a risk than a retail-driven business, according to Schmitt.
There can be some sticker shock when heading out into the cyber insurance market, particularly for the more specialized coverages. Pricing is viewed as competitive, with plenty of companies interested in offering at least data breach notification coverage. Once more claims experience data come in, pricing could shift or grow firmer, especially if capacity decreases.
And finally, while insurers are developing these policies, are commercial insureds actually buying them? The industry reps to whom Advisen spoke say yes – of the customers who shop, between 30 percent and 40 percent pick up cyber coverage. It might not be extensive coverage, but it’s considered a start and the number is expected to grow. Many insurance buyers are “testing the waters,” seeing whether they’ll eventually make the purchase.
“We’ve seen more companies start to buy it,” said Ventrone. “As time goes on, I think we’ll see more and more companies put this in their toolbox and response framework.”