The key to broadening the appeal of cyber liability insurance to all businesses may be to get more insurers up to date and on board with offering the coverage, as well as improve the familiarity of all insurance producers with cyber risks.
The cyber insurance market has largely been the domain of specialty and surplus lines insurers. Record surplus in the industry appears to be encouraging more companies to investigate expanding into the line, as awareness of the risks of data breach, identity theft and business interruption intensifies.
Cyber has been tagged as the next biggest growth opportunity for the insurance industry, and more companies want in.
Philadelphia Insurance Companies’ Evan Fenaroli told Advisen it is “committed to offering cyber liability and other complementary coverage (such as E&O, D&O, and EPLI) for a variety of classes in the SME space (small and medium-sized enterprises).”
“For cyber, we have a broad underwriting appetite and currently have many small businesses and non-profits as policyholders,” noted Fenaroli, cyber product manager at PHLY. The “majority” of PHLY’s policies are written on admitted paper.
“In general, there is a lot of capacity in the market for cyber liability, with many new carriers entering the market — given competition I think we will continue to see more domestic carriers writing on an admitted basis,” Fenaroli added.
Eric Cernak, vice president of strategic products at Hartford Steam Boiler Inspection Company, told Advisen he has seen much more interest in cyber liability coverage in the last year.
“There’s been a significant uptick in interest,” he said, explaining that property-casualty insurers have asked HSB for more information for themselves and their agents on the products the firm offers on a reinsured basis. “With the big names making the headlines on a daily basis, that keeps it in everyone’s minds.
Increasingly, traditional commercial insurance coverage excludes cyber liability and data breach risks.
“It’s caused a lot of our partners to look at their GL and BOPs and say, ‘What can we do to bring coverage back to our folks?’” said Cernak.
The smaller commercial insurers may not have the “resources to dedicate to such an evolving realm as the cyber exposure,” Cernak explained. However, the risk exists for their clients of all sizes. In a recent speech to the New England 1752 Club, an industry association for insurance field representatives, the HSB executive said, “Today’s economy is driven by data. Data is the new raw material.”
“Clearly, everyone has an exposure. It’s just a question of to what degree,” he said. Cernak cited data indicating that 29 percent of small businesses in the U.S. experienced a cyber attack in 2012. Of those, 72 percent were not able to fully restore their company’s computer data.
“What does that do to a business in terms of business interruption?” he asked the group.
For many insurers, the push to offer cyber coverage may be coming from their independent insurance agency network. Insurance producers are being inundated with questions from their commercial clients wondering what their cyber risk might be. For the right information about cyber liability to filter down to businesses, agents need to understand the exposure.
“I do think that carriers will need to rely on their agent/broker network to explain the coverage and exposures, especially to smaller businesses/organizations,” said Fenaroli. “One of PHLY’s focuses is on educating our vast network of marketing reps and retail agents who can in turn reach their smaller clients.”
According to Ron Berg, executive director of the Independent Insurance Agents & Brokers of America’s (IIABA) Agents Council for Technology (ACT), agents are interested and ready for the critical information needed to address cyber risk.
“I see it escalating, whereas two years ago, it was a subject that was not talked about,” he told Advisen.
The agency force needs more from insurers, however. “There’s an awareness that needs to be made around actual incidents that make it really hit home to change the mindset of those that are unaware to be interested and engaged,” said Berg. “My experience is that agents are getting a lot of inquiries which are leading them to question themselves.”
George Robertson of Robertson Consulting has been working with IIABA on cyber liability and emphasized the extent to which businesses face stringent requirements with state data breach notification laws.
“I think we have an issue with agents that don’t understand the exposure and with customers who don’t understand the exposure,” he told Advisen. “A lot of information needs to be pushed out. It doesn’t matter what size your business is. It’s the records.”
He cited a particularly strict law in Florida that will fine businesses for not notifying customers in 30 days. The fines for exposing 500 Florida customer records can be $1,000 per day, up to half a million dollars.
“The fines on this are so huge, it could put them out of business,” said Robertson. “We’ve really got to educate agents on this risk, as well as their clients. This thing could hit you at a moment’s notice and then you’ve got clients saying, “why didn’t you tell me?’”
Berg and Robertson both noted that agencies are not only looking to secure their clients against cyber risk, but their own businesses as well. ACT this week launched a new security working group dedicated to improving the agency world’s expertise on and use of cyber insurance.
According to Berg, more work can be done by the industry to improve the take-up rate of cyber insurance. It’s a request that insurers are aiming to heed.
Robertson noted that for many agents, the terminology used in the cyber insurance field is foreign, a thought echoed by HSB’s Cernak. He suggested that the application process should be simplified, “so a businessperson has a good shot at answering the questions.” On a policy with lower limits, the application process could involve fewer questions and more yes-or-no questions.
To broaden the appeal of cyber coverage, the policies could be written “in a manner that is not overly tech-y,” Cernak said. HSB has tried to make its coverages “a little bit more modular,” with a tailored offering and the price point at “a place where they’re willing to try the coverage,” according to Cernak. This avoids confusion for businesses new to the cyber insurance field.
“Even if they know they need cyber, they start looking at forms and the options available to them and they have a hard time determining what they need,” he added. “Services are also a key element to an offering.” Loss mitigation tools provide assistance for both agents and their customers, he noted.
For PHLY’s Fenaroli, cyber insurance is making the right strides to becoming a regularly purchased coverage.
“With many highly-publicized breaches in the retail and healthcare industries over the past several years, it seems that most organizations in this space (in particular larger companies) currently purchase some form of cyber liability insurance,” he said. “That being said, there is still growth potential for smaller retailers and healthcare providers, as well as larger organizations seeking higher limits. Outside the retail/healthcare space — and especially for smaller businesses and non-profits — there is still ample growth potential. With the public eye on cyber security and data breaches, and the broad availability of coverage, it’s only a matter of time until this coverage becomes standard for all firms and organizations.”