Due to the number of large data breach attacks in the past few years, more companies are recognizing how important it is to have cyber insurance coverage or to increase their coverage, and insurers have been streaming in to meet the market demand. Cyber insurance is a relatively new product, that first began being offered in the market in the mid to late 1990’s. Articles from 2010 discussing cyber security mentioned that there were “a few carriers” offering stand-alone cyber insurance products. Today, however, it is reported that there are over sixty carriers offering cyber insurance policies, with over $2 billion spent on coverage in the market. By 2020, there are estimates that the cyber insurance market will triple in growth to about $7.5 billion.
Although the coverage provided by cyber insurance policies varies significantly depending on the policy, there are several common coverages, including:
- Liability (defense costs, settlements, judgments)
- Crisis Management (public relations, breach notification, credit monitoring services)
- Business Interruption
- Loss/Replacement of Electronic Data
- Expenses for Cyber Extortion
- Expenses for Regulatory Compliance
- D&O Management Liability - Cyber Risks
The cost of cyber insurance coverage can vary significantly, and the premium is typically dependent upon a company’s security practices. Carriers are interested in the risk management techniques applied by businesses, not merely the antivirus/antimalware software or whether the company has a firewall in place. Carriers seek to know whether the business has a disaster response plan in place, how employees access data and whether the business has cultural controls in place that will help prevent the type of activities or fraud that allows data breaches to occur.
Premiums and deductibles for cyber insurance coverage also have been increasing this past year. Health insurers and retailers in particular experienced large premium increases, and those companies who were previously hacked received premium increases that tripled the cost of their coverage. Carriers are also seeking to limit coverage amounts, in some cases to $100 million, in order to better limit their exposure in the event of a major breach, but which could leave a policyholder exposed for significant losses. Carriers are also imposing stringent conditions on coverage related to required security policies and procedures. However, these coverage conditions may lead to coverage disputes in the event of a claim if the carrier subsequently asserts that a company failed to comply with the coverage condition.
Many recognize that cyber insurance risk is hard-to-predict and that the industry may lack the ability to adequately underwrite the risk. Cyber risk is complex and constantly changing, which makes it very difficult to evaluate exposure, particularly when combined with the lack of historical data to properly underwrite and price policies. Additionally, there is an added concern with respect to risk aggregation, in that a single attack could potentially affect many companies at the same time, which further impairs the ability of insurers to assess the risk. However, as the demand for cyber insurance continues to grow, insurance carriers will continue gathering the data they need to set appropriate rates and developing new products and coverage options.