Swiss Re’s Nancy Bewlay, Aon’s Steve Bridges, Freedom Specialty’s John Merchant and Advisen’s Dave Bradford discuss cyber insurance products.
Recent high-profile data breaches victimizing the healthcare, retail and financial institution industries has helped the insurance industry convince prospective policyholders of the need for cyber insurance, but apathy among buyers remains.
At Advisen’s Cyber Risk Insights Conference in Chicago on May 12, a panel representing the cyber-risk transfer chain told a packed conference room there are positive signs the take-up rate is, or soon could be, improving.
Market’s all grown up
John Merchant, associate vice president, cyber & professional liability for Freedom Specialty: When the cyber insurance market was in its infancy, applications were 30 pages long and did not address third-party data, he said.
Merchant said the market is now “at it’s height–maybe past the height,” and third-party data loss is the driver.
Steve Bridges, senior vice president at Aon: Retail, healthcare and financial institution industries make up “most of our book,” with the driver being protection of personally identifiable information.
Now there are 40-45 insurers writing cyber from maybe a dozen at the start. Insurers have “copied each other, which is probably wise,” but there is a “subset [of insurers] that do better.” AIG is a leader, he said.
Retail clients have “increased limits right away.”
Window shopping
Bridges: Though claims have pushed more to buy, “There is still a lot of inertia. They look at it, but don’t buy.” At least, he noted, there is no more IT push-pack, adding he used to get a “we got it covered” attitude from IT departments.
Nancy Bewlay, managing director, head of underwriting casualty in the US and Canada for Swiss Re: No immediate impact to the cyber insurance market could be related to the “planning process.”
“How long does it take to convince the Board of Directors?” she asked. Boards, as a whole, have recognized their cyber risks more than ever but it may still take time before the purchase.
Merchant: There is a “major disconnect” among smaller companies with no risk manager.
Not getting what you paid for
Bridges: Some policyholders “get ahead of the policy a little bit—charging ahead without the referencing the policy” when a cyber event occurs. Organizations consult vendors or attorneys that are not approved by the cyber insurer, he said.
“It’s more common than you think. Ultimately they use it, but there could be some coverage problems at that point.”
Merchant: “If there is a data breach, it’s not the risk manager who gets the call. That’s not the norm.” He said many breached companies are “calling the carrier after costs are incurred.” This practice flies in the face of paid coverage.
In the clouds
Bewlay: There is not enough information regarding the potential losses from a data breach at a Cloud provider.
Merchant: “It is a worry. We do try to track it.” Cyber risk takers are aware there are about 10 Cloud providers, so carriers try to spread the risk across them, he said. “You provide CBI to named Cloud provider only and sublimit it—narrow coverage.”
Batting 1.000
Merchant: Class-actions have been dismissed because plaintiffs haven’t been able to establish damages, he said. “The entity that’s been breached wins every time.”
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
