Higher and higher: Cyber insurance towers take careful construction

By Erin Ayers on September 24, 2015

Much like the physical construction of a skyscraper, building a cyber insurance tower requires a strong foundation, careful planning of each layer, plenty of ventilation, and a healthy dose of innovation to meet the needs of all insureds and insurers involved on an account.

With cyber events occurring with regularity in nearly every industry, no insurer wants to be the sole company on the hook for a claim. Crafting an insurance tower means as many as 45 to 50 insurers can handle a portion of the hundreds of millions in coverage large multinational corporations seek nowadays.

Insurance advisers working with cyber insurance buyers say that they can almost always find coverage for their clients in a “reactionary” marketplace where insurers have raised premiums for high-risk industries, expanded policy options in many ways, and compete for the organizations that have made cybersecurity a priority. For cyber insurance, prices have risen significantly in the last two years – but brokers say their clients see the value of transferring their risk and typically seek to increase their limits and coverage, rather than shying away from the price tag. Experts in the field also told Advisen that underwriting appetites shift constantly, meaning every account involves marketing to a wide range of insurers to find the best primary and excess layers for programs that can range in limits up to $500 million. And every account is different.

“The only consistency is inconsistency,” said Thomas Reagan, cyber practice leader for Marsh. “There’s no single outcome that’s across the board.”

Challenges with placing cyber insurance programs tend to be underwriting appetite, attachment points for individual insurers in the upper layer of towers, pricing, and limits and sublimits, according to attorneys and brokers. The increased use of quota share agreements and thoughtful attention to each individual layer in a tower improve the chances that insurers will want to sign on to a program.

Reagan told Advisen, “The overall market remains relatively robust and we’ve been successful in placing our programs.”

Reports indicate that the cyber insurance market should be expected to grow exponentially in premium in the next five years, as long as the industry has the capital to support the demand. With new insurance players eager to take advantage of a growth market, even with some markets backing off, brokers say they don’t see a problem.

“On balance, there’s more capital coming in than limits going out,” said Christopher Keegan, senior managing director and cyber and technology national practice leader for Beecher Carlson.

“I don’t expect that the capacity is going to shrink,” said Roberta Anderson, partner with K&L Gates. “The way the market is responding – it’s not with reduced capacity or restricted coverage. It’s getting better all the time for insureds.”

She added, “It can get tricky to build it to $300 million, but the money’s there and it can be done.”

Underwriting right

Getting the capacity necessary to meet the demand requires brokers to help their clients navigate extensive underwriting processes from the primary insurer up through the tower.

“One thing that’s very consistent is that underwriters have begun asking more thoughtful questions,” commented Marsh’s Reagan. He noted that being able to explain a corporate approach to cybersecurity proves valuable not only to insurers, but consumers, regulators, and business partners.

“Underwriters are just another example of how organizations have to tell their story about their cyber risk management process,” said Reagan.

According to Keegan, underwriters now focus more on checking whether organizations try to mitigate their risk with encryption, tokenization, new services offered by security firms, or chip-and-PIN cards. For a tower of insurers on a risk, those underwriting questions get shared throughout the tower, he said.

“If a company does well, there’s demand on the underwriting side for companies that are taking steps to improve their IT security,” he said. “They’re inclined to ask questions rather than just accept the application.”

For brokers, it can be challenging to determine from case to case how insurers might see different risks and select appropriate markets.

“The difficulty with cyber is that while we’re two years out from Target … the market just continues to change,” said Ryan Gibney, assistant vice president at Lockton. “With the shifting litigation, with the shifting threat landscape, the underwriters are still trying to clearly define their appetite.”

He cited one new-to-the-market risk seeking a $200 million tower and working with 27 U.S. markets, nine Bermuda markets, and an additional nine in London.

“So, we’re speaking with 45 different underwriters with 45 different appetites in order to meet the capacity,” Gibney told Advisen.

Coverage question

For policyholders, the goal becomes finding not only coverage for cyber risk, but the right coverage, according to Anderson, who advises insurance buyers on their cyber insurance contracts.

“What we’d like to do with a primary insurer, and up the tower, is write the broadest terms possible,” she told Advisen, adding that she looks for full limits for assessments, fines, penalties, as well as first-party coverage for contingent business income losses and systems failure. There are few markets that will offer the latter two coverages, Anderson noted. However, to build a tower above those broad terms can be difficult. With excess layers, she said she aims to get the tower to follow the terms of the primary layer – the coverage might be sublimited, but “it’s not a bad result.”

Anderson added that solid insurers with their arms around cyber risk should not be sublimiting privacy liability or fines and assessments coverage. A policy limit of $10 million with a sublimit at $100,000 for regulatory assessments quickly becomes a less valuable proposition, at a time when Federal Trade Commission (FTC) action on data breaches is heating up.

“$100,000 is just not meaningful. Those are the things that you need to watch,” she said.

According to Keegan, “core” cyber coverages such as privacy liability and notification costs do usually carry throughout the tower. Broader first-party coverages like contingent business interruption or systems failure generally “narrow further up,” he said.

While clients might hope for full coverage throughout a tower, “usually they know where the cut-off parts are,” Keegan added.

Lockton’s Gibney commented that the market has expanded to offer coverage that reflects the changing threat landscape, as well as freeing up capacity for competition on more basic coverage such as breach response.

“Now you have key coverages that have evolved like business interruption and data restoration that are really providing true value to organizations,” he said.

Price points

What might appear to be the most challenging part of the placement conversation with insurance buyers – the premium to be paid – actually is not, according to industry observers.

“It’s a healthy dialogue with the marketplace around pricing,” said Reagan. “Clients continue to see a significant value in the product.”

Keegan reported seeing flat prices in industries viewed as less risky, with some negotiated savings. Retailers, banks, and healthcare entities tend to be seeing the toughest pricing.

According to Gibney, pricing went up significantly over the past two years and has now reached a stable, sustainable point – and a point that is reflective of the actual risk.

“From a broker perspective, the messaging and being upfront about where pricing has gone is an important part of the process.”

Perhaps more importantly, insurance buyers seem to understand the value of the coverage they buy, educated by cautionary tales of other major corporations that have suffered cyber events.

“There were no poster child breaches, highly publicized breaches before 2013,” said Gibney.

Indeed, the insurance towers set up for Anthem, Target, and Home Depot, to name a few, are likely to be exhausted by the claims from consumers, regulators, and payment card issuers. At the same time, a feeling exists within the insurance industry that if a policyholder shows diligence toward cybersecurity and handles a cyber event more effectively, the upper layers of a tower might not feel the sting of a claim.

Anderson of K&L Gates noted that while a 30 percent to 50 percent increase in coverage might be upsetting to policyholders, she encourages them to focus on the

“Look at the number and see that it’s a very good deal. Look at the total number and not at the fact that it went up 100 percent,” she said, adding that the old prices of two years ago weren’t “realistic.”

“Be happy that you can still get the coverage,” Anderson commented.

Insurance towers are not a new thing for the industry and for policyholders. Cyber insurance differs from directors and officers coverage, or property, in that insurers are still feeling their way through the market, determining the best risks and the appropriate underwriting methods. In speaking to the people working every day in this market, however, optimism reigns in terms of whether the market will continue to flourish.

Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at eayers@advisen.com.