STATE of the market

ON CYBER RISK

TABLE OF CONTENTS

The Takeaway

The Overview

Review & Outlook

Placements & Considerations

Summary

Notes

Year-over-year increases in the frequency and cost of cyber incidents – nearly doubling since 2010 –

coupled with heightened regulatory scrutiny and growing litigation, are causing a surge in demand for

cyber liability insurance. As small and midsize businesses begin to recognize their exposure to cyber

liability, more insurance markets are committing capacity to serve those needs.

Cyber insurance products are complex, and they vary widely from insurer to insurer. Unlike mature lines

of business such as property insurance, the marketplace does not yet have a consistent set of policy

terms or definitions for cyber risks. Moreover, cyber policies also vary in their application of sublimits and

service offerings to respond to data breaches, such as forensic investigations, legal services and credit

monitoring. As a result, comparing cyber liability policies is difficult without extensive knowledge of the

products and the marketplace.

Retail insurance agents and brokers have nearly equal measures of opportunity and challenge when it

comes to selling cyber insurance. Businesses of all sizes are realizing that cyber coverage is becoming a

necessity. The question many businesses are asking is no longer, “Do we need cyber insurance?” but “How

much coverage should we buy?” The downside is that the fluidity of the market and the many nuances

in product offerings can make finding appropriate coverage for customers a tall order. To obtain the best

coverage options and meet clients’ service expectations, agents and brokers should turn to partners with

proven expertise in cyber coverage and a record of success in procuring it.

THE TAKEAWAY


Massive data breaches in the last few years, such as those at Target Corp., eBay, The Home Depot and Anthem Inc.,

which resulted in the exposure of hundreds of millions of records, have broadened awareness of cyber risk. Media attention

to these incidents, however, tends to obscure the fact that breaches are occurring across virtually all industries,

and are particularly common among small and midsize organizations.

A growing trend in connectivity, known as the Internet of Things, may become a significant factor in future cybersecurity

exposure. The Internet of Things is a collection of devices embedded with sensors capable of exchanging information. Cisco

Systems Inc. estimates that by 2020 the Internet of Things will comprise 50 billion networked devices.

According to the Identity Theft Resource Center (ITRC), nearly 800 data breaches were publicly reported in 2015,

in the press or by government sources, representing more than 169 million total exposed records. ITRC defines a

breach as “an event in which an individual’s Social Security number, driver’s license number, medical record, or a

financial record/credit/debit card is potentially put at risk – either in electronic or paper format.” While some of the

breaches involved very large organizations and millions of records exposed, many of the entities on ITRC’s breach list

were small or midsize.[i] Among those experiencing breaches in 2015 were:

• Sole-proprietor Certified Public Accountants

• Law firms

• Drycleaning companies

• Car wash businesses

• Sporting and recreational goods manufacturers

• High schools

• Food courts

• Gift shops

• Insurance agencies and brokerages

• Third-party claim administrators

The ITRC list shows that businesses in many industries, including agents and brokers themselves, are exposed to cyber

incidents.

THE OVERVIEW


Healthcare organizations are especially vulnerable to data breaches. While much attention focused on Anthem

Inc.’s announcement in February 2015 that it had a breach exposing nearly 80 million records, one of the largest-

ever data incidents, often overlooked are the many solo practitioner medical and dental offices and outpatient

healthcare facilities that also suffer data breaches. The situation is similar among retail merchants. Target’s 2013

breach involving more than 110 million records was an eye-opener, not just in the size of the incident, but in the

method hackers used. The retail company’s network was penetrated by hackers through a heating, ventilation and

air-conditioning vendor. If a company with Target’s resources was vulnerable, then virtually any merchant holding

customer records or employee records could be at risk of cyber attack.

Smaller businesses’ vulnerability to cyber incidents is great, according to research by the National Small Business

Association.[ii] In its 2013 Technology Survey, NSBA found that 44% of small businesses – those with $150 million or

less in revenue and fewer than 500 full-time employees – have already experienced a cyber attack. Moreover, 79%

said they do not understand or have little to moderate understanding of cybersecurity issues and how to handle

the online security of their businesses. In effect, smaller businesses fall into two camps: those that have already had

a breach and those that will eventually.

Into the Breach: Reported Incidents Rise Dramatically

Sources: Identity Theft Resource Center, Statista

The cost of cyber incidents has continued to rise and remains disproportionately high for smaller organizations, according to

various sources. The total cost does vary but generally increases with the number of records exposed. Therefore, a data breach

affecting millions of records is likely to cost more than one involving hundreds or thousands of records. Cyber risk assessment

firm NetDiligence, in its 2015 Cyber Claims Study, examined 160 incidents involving businesses ranging from less than $50

million in revenue to more than $100 billion. NetDiligence found that smaller businesses generated some of the largest claims.[iii]

Critical drivers of these claim costs are: forensics, legal and regulatory costs.

Cyber Claim Costs High Among Smaller Firms

Total Cost of Claims From Data Breaches, Including Self-Insured Retentions

| Revenue Size | Average Cost | Maximum |
| --- | --- | --- |
| Less Than $50M | $65,096 | $809,788 |
| $50-$300M | $150,018 | $764,225 |
| $300M-$2B | $578,233 | $4.9M |
| $2B-$10B | $910,801 | $6.7M |
| $10B-$100B | $4,800,000 | $15M |

The Ponemon Institute, in its “2015 Cost of Cyber Crime Study,” found that smaller organizations in the United States have a

significantly higher annual cost per capita from cyber crime than larger organizations, averaging $1,571 vs. $667.[iv] Ponemon also

found that the type of attacks that account for the largest costs among smaller organizations were:

• Malicious code, representing 27% of attacks

• Denial of services, 21%

• Phishing/social engineering, 12%

• Malicious insiders, 11%

The institute’s study examined organizations with a minimum of 1,000 individual connections to the Internet,

or enterprise seats. Smaller organizations were defined as those below the median number of seats, while larger

organizations were those above the median. According to Ponemon’s research, the cost of cyber crime in the

United States since 2010 has increased 82%, to an average of $15.4 million per company for 2015.

71%: THE PERCENTAGE OF ORGANIZATIONS EXPERIENCING CYBER ATTACKS WITH TWO BILLION DOLLARS OR LESS IN REVENUE

Most Cyber Incidents Hit Smaller Firms

Source: NetDiligence 2015 Cyber Claims Study


The marketplace is observing businesses’ interest in cyber coverage and many insurance companies are positioning themselves

to gain market share. With the exception of a few classes of business where the perceived risk is high, e.g. healthcare, large retail

operations and payment processors, capacity for cyber risk is plentiful.

A manufacturing client that doesn’t hold a lot of records, for example, might find insurers willing to issue larger limits. After the

Target data breach in 2013, there was a brief hard market for retail accounts, but conditions have eased somewhat. Insurers remain

cautious about writing risks where a business holds a large amount of credit card data.

Cyber liability insurers in general are controlling risks in their books through sublimits and deductibles. Capacity for cyber risks

appears to be increasing as insurers see a big opportunity to grow their market share. Despite the sharply higher interest in cyber

insurance, relatively few businesses have purchased the coverage up to now – a situation that is certain to change as trends continue.

One way to view the opportunity for growth in cyber insurance is that if only 10% of U.S. businesses are buying cyber coverage,

then 90% aren’t. There are literally billions of dollars in potential premiums that haven’t yet been written.

Pricing becoming favorable

For small businesses, the price of cyber coverage for many classes seems to be going down, while coverage is increasing. For organizations

with fewer than 100 employees, prices are coming down, deductibles are decreasing and coverage limits are going up.

Coverage can still get pricey for medium to large businesses and certain higher-hazard classes, however.

For medium size businesses, insurance is not as expensive as many business owners might expect. A lot of businesses can buy

cyber coverage for $2,000 to $10,000 in premium. But it depends on the exposure, which can vary even among companies with

the same amount of revenue. A manufacturer, for example, might hold 5,000 records, while a restaurant producing the same level

of revenue might hold half a million credit card records. Their risk profiles are clearly different, and so will be the premiums on their

coverage.

Overall, prices for cyber coverage at renewal aren’t dropping across the board, but sublimits are starting to go away and capacity

is available. For example, exclusive facilities at CRC Insurance Services can provide up to $60 million in combined limits, along with

breach response services.

Services are critical to policy value

Businesses that purchase a cyber policy essentially are buying two things:

• Insurance. The exchange of premiums for cyber risk gives policyholders monetary assets to cover the financial elements of an

incident.

• Expert services. In addition to the underwriting and claims expertise of the insurance company, many – but not all – cyber

policies include access to legal, forensic and other services to respond to a cyber incident.

REVIEW & OUTLOOK


Those services greatly increase the value of a cyber insurance policy because breach response services are expensive to obtain

separately. Legal fees alone could exceed the cost of the coverage. Insurance companies have spent hundreds of hours vetting

and negotiating costs with the best cyber lawyers and forensic companies, providing them to policyholders at below-market

rates. When a policyholder experiences a cyber incident, once the claim is reported the insurance company and its experts step

in and take on the work to help the policyholder recover. Knowing what services are available as part of the policy, and which

ones would be most beneficial to a given client’s situation, is a competitive advantage for retail agents and brokers.

Cyber market evolution

Cyber insurance is still evolving, but it is following a development path that has been seen before. The current phase of cyber

insurance products resembles that of employment practices liability policies more than 20 years ago. In the early 1990s,

EPLI was a new product that attracted a lot of interest. Many employers considered it, just as companies are doing now with

cyber, trying to assess how much of the specialized coverage they should buy. Similarly, it took underwriters time to develop

consistent terms and pricing to refine the product, but that happened after a few years. Subsequent changes in the regulatory

environment made EPLI even more attractive. Today, EPLI is purchased by a majority of businesses.

The first cyber insurance solutions appeared in the late 1990s. The earliest forms of coverage were for technology errors

and omissions liability, then products evolved to cover network security. Now, the cyber insurance marketplace is providing

extensive coverage for data breaches. As businesses’ exposures to technology risks have evolved, so too have the products

designed to protect them.


Even though insurers’ appetite for cyber risk is generally high and capacity is available, differences in policies and

restrictions on certain classes of business require careful consideration to obtain the best placements. There are perhaps

50 or so markets currently offering cyber insurance. For higher-hazard classes, such as large retail merchants or

healthcare entities, the number of markets willing to quote is much smaller. Product offerings continue to evolve and

the market overall is fluid.

Some markets offer coverage for first-party losses, such as the cost to conduct a forensic investigation, public relations,

credit monitoring and notification. Others provide coverage for third-party liability and some markets don’t; still others

have sublimits on third-party losses. Up-to-date knowledge of the marketplace is critical to successfully placing the

best coverage for a client.

Retail agents and brokers need to be familiar with the options before talking with their customers.

Understanding the nuances in cyber insurance products is challenging, however, because policy forms are

different from insurer to insurer. A cyber policy can be 20 to 40 pages long, and terms are not consistent across

policies. For example, what one underwriter calls “e-threat,” another might call “cyber extortion.” Privacy protection

and breach cost coverage can be defined differently, depending on who is underwriting it. A property policy, in

contrast, is straightforward and easy to understand because the vast majority of definitions are uniform. In cyber,

however, quotes may look the same but coverage levels may be vastly different.

Mapping the differences in cyber insurance is not a simple process, but relying on an expert partner that

understands many different coverage forms, as well as the intent of the underwriters, is a smart move. For example,

many agents and insureds assume that circumstances of social engineering involving voluntary transfers of funds are

covered by their crime policies under computer fraud, but they are not. To ensure coverage, it typically needs to be

endorsed on either the crime or the cyber policy.

Cyber-attacks don’t occur during regular business hours. Cyber extortion coverage is critical to respond to

ransomware demands that can paralyze operations. Brokers need to ask customers if they are prepared to respond

to these demands and partner with carriers with proven track records that can respond immediately to cyber

extortion demands.

PLACEMENT CONSIDERATIONS


Large, publicly traded companies tend to be very attuned to cyber exposures because they are in the headlines. Their

boards may have a number in mind as to how much in coverage limits they want, and it becomes an exercise in how much

they want to pay to have $10 million, $20 million or $50 million in coverage. For smaller and midsize clients, cyber risk is

on their radar but these buyers often seek only $1 million, $3 million or $5 million in limits.

Businesses needing a ready source of broad cyber liability coverage can access up to $10 million in limits through CRC’s

exclusive Corona facility. This facility provides cyber liability and technology E&O liability coverage for U.S. businesses with

up to $200 million in revenue.

Midsize and large businesses can obtain up to $50 million in limits for cyber liability from a new, exclusive CRC facility

underwritten in London. The facility is open to most classes of business.

Pricing, sublimits vary

The marketplace remains unaligned on pricing, retentions and sublimits, as insurers continue to evaluate them. For

example, a policy with a $1 million limit may have a $250,000 sublimit on notification and cost $4,000; another insurer

may charge $7,000 for a policy with a $1 million limit; and depending on class of business, that same level of coverage

from a different insurer might cost $12,000.

Sublimits indicate where insurance carriers are concerned about loss. Large, global insurers tend to sublimit their cyber

policies, while the London market’s approach is generally to offer full limits. For that reason, placing a tower of cyber

coverage or seeking excess coverage typically is easier to do in London.

Some package policies include cyber coverage, but they usually contain a small sublimit, such as $25,000. That amount

could easily be consumed by the forensic costs involved in a breach of as little as 100 records. Understanding the client’s

exposure and resources in a breach incident is critical to obtaining adequate coverage.

Exclusions need to be parsed out in the different policies available to small and midsize businesses. For example, some

insurers exclude coverage for unencrypted mobile devices, and others exclude coverage for failure to maintain

information technology systems. There is a heavy burden on business owners to be consistent.


Cyber insurance products are complex, and there is no one-size-fits-all solution for cyber risk. Even though the

marketplace is generally eager to write cyber coverage, product offerings vary widely, and there is no uniform

set of terms or definitions.

Partnering with a wholesaler that has relationships with multiple markets, knows the specific appetites of those

markets and understands the differences in policy forms saves both time and money in obtaining the best

coverage solutions for the policyholder.

There are few insurance product lines where a mistake by the retail agent or broker can result in the loss of

the entire account. Cyber liability is becoming one of those; the stakes are higher. It’s easier to make an error

in cyber because every policy is different. One quote might look great, but another company might offer a lot

of services for free.

Regardless of size, the client needs help with cyber coverage. An agent or broker can’t provide a lesser product

or less service when it comes to protecting a client against cyber risk.

SUMMARY

NOTES


i Identity Theft Resource Center, “2015 Data Breach Reports,” http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf

ii National Small Business Association, “2013 Technology Survey,” http://www.nsba.biz/wp-content/uploads/2013/09/Technology-Survey-2013.pdf

iii NetDiligence, “2015 Cyber Claims Study,” http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf

iv Ponemon Institute LLC, “2015 Cost of Cyber Crime Study,” https://ssl.www8.hp.com/us/en/ssl/leadgen/document_download.html

v Payment Card Industry Security Standards Council, PCI DSS Quick Reference Guide, https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

vi National Conference of State Legislatures, Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

© 2016 CRC Insurance Services, Inc. CA Lic No 0778135. No claim to any government works or material copyrighted by third parties. Nothing in this communication constitutes an offer, inducement, or contract of insurance. Financial strength and size ratings can change and should be reevaluated before coverage is bound. This material is intended for licensed insurance agency use only. This is not intended for business owner or insured use. If you are not a licensed agent please disregard this communication. Equal Opportunity Employer – Minority/Female/Disabled/Veteran.