STATE of the marketcrumpins.com/forms/newsPress/State_of_the_Market_cyber...Year-over-year increases...
TABLE OF CONTENTS
The Takeaway
The Overview
Review & Outlook
Placements & Considerations
Summary
Notes
Year-over-year increases in the frequency and cost of cyber incidents – nearly doubling since 2010 –
coupled with heightened regulatory scrutiny and growing litigation, are causing a surge in demand for
cyber liability insurance. As small and midsize businesses begin to recognize their exposure to cyber
liability, more insurance markets are committing capacity to serve those needs.
Cyber insurance products are complex, and they vary widely from insurer to insurer. Unlike mature lines
of business such as property insurance, the marketplace does not yet have a consistent set of policy
terms or definitions for cyber risks. Moreover, cyber policies also vary in their application of sublimits and
service offerings to respond to data breaches, such as forensic investigations, legal services and credit
monitoring. As a result, comparing cyber liability policies is difficult without extensive knowledge of the
products and the marketplace.
Retail insurance agents and brokers have nearly equal measures of opportunity and challenge when it
comes to selling cyber insurance. Businesses of all sizes are realizing that cyber coverage is becoming a
necessity. The question many businesses are asking is no longer, “Do we need cyber insurance?” but “How
much coverage should we buy?” The downside is that the fluidity of the market and the many nuances
in product offerings can make finding appropriate coverage for customers a tall order. To obtain the best
coverage options and meet clients’ service expectations, agents and brokers should turn to partners with
proven expertise in cyber coverage and a record of success in procuring it.
THE TAKEAWAY
Massive data breaches in the last few years, such as those at Target Corp., eBay, The Home Depot and Anthem Inc.,
which resulted in the exposure of hundreds of millions of records, have broadened awareness of cyber risk. Media attention
to these incidents, however, tends to obscure the fact that breaches are occurring across virtually all industries,
and are particularly common among small and midsize organizations.
A growing trend in connectivity, known as the Internet of Things, may become a significant factor in future cybersecurity
exposure. The Internet of Things is a collection of devices embedded with sensors capable of exchanging information. Cisco
Systems Inc. estimates that by 2020 the Internet of Things will comprise 50 billion networked devices.
According to the Identity Theft Resource Center (ITRC), nearly 800 data breaches were publicly reported in 2015,
in the press or by government sources, representing more than 169 million total exposed records. ITRC defines a
breach as “an event in which an individual’s Social Security number, driver’s license number, medical record, or a
financial record/credit/debit card is potentially put at risk – either in electronic or paper format.” While some of the
breaches involved very large organizations and millions of records exposed, many of the entities on ITRC’s breach list
were small or midsize.[i] Among those experiencing breaches in 2015 were:
• Sole-proprietor Certified Public Accountants
• Law firms
• Drycleaning companies
• Car wash businesses
• Sporting and recreational goods manufacturers
• High schools
• Food courts
• Gift shops
• Insurance agencies and brokerages
• Third-party claim administrators
The ITRC list shows that businesses in many industries, including agents and brokers themselves, are exposed to cyber
incidents.
THE OVERVIEW
Healthcare organizations are especially vulnerable to data breaches. While much attention focused on Anthem
Inc.’s announcement in February 2015 that it had a breach exposing nearly 80 million records, one of the largest-ever
data incidents, often overlooked are the many solo practitioner medical and dental offices and outpatient
healthcare facilities that also suffer data breaches. The situation is similar among retail merchants. Target’s 2013
breach involving more than 110 million records was an eye-opener, not just in the size of the incident, but in the
method hackers used. The retail company’s network was penetrated by hackers through a heating, ventilation and
air-conditioning vendor. If a company with Target’s resources was vulnerable, then virtually any merchant holding
customer records or employee records could be at risk of cyber attack.
Smaller businesses’ vulnerability to cyber incidents is great, according to research by the National Small Business
Association.[ii] In its 2013 Technology Survey, NSBA found that 44% of small businesses – those with $150 million or
less in revenue and fewer than 500 full-time employees – have already experienced a cyber attack. Moreover, 79%
said they do not understand or have little to moderate understanding of cybersecurity issues and how to handle
the online security of their businesses. In effect, smaller businesses fall into two camps: those that have already had
a breach and those that will eventually.
[Figure: Into the Breach: Reported Incidents Rise Dramatically. Sources: Identity Theft Resource Center, Statista]
The cost of cyber incidents has continued to rise and remains disproportionately high for smaller organizations, according to
various sources. The total cost does vary but generally increases with the number of records exposed. Therefore, a data breach
affecting millions of records is likely to cost more than one involving hundreds or thousands of records. Cyber risk assessment
firm NetDiligence, in its 2015 Cyber Claims Study, examined 160 incidents involving businesses ranging from less than $50
million in revenue to more than $100 billion. NetDiligence found that smaller businesses generated some of the largest claims.[iii]
The critical drivers of these claim costs are forensics, legal and regulatory costs.
Cyber Claim Costs High Among Smaller Firms
Total Cost of Claims From Data Breaches, Including Self-Insured Retentions

Revenue Size       Average Cost    Maximum
Less Than $50M     $65,096         $809,788
$50-$300M          $150,018        $764,225
$300M-$2B          $578,233        $4.9M
$2B-$10B           $910,801        $6.7M
$10B-$100B         $4,800,000      $15M
The Ponemon Institute, in its “2015 Cost of Cyber Crime Study,” found that smaller organizations in the United States have a
significantly higher annual cost per capita from cyber crime than larger organizations, averaging $1,571 vs. $667.[iv] Ponemon also
found that the types of attacks that account for the largest costs among smaller organizations were:
• Malicious code, representing 27% of attacks
• Denial of services, 21%
• Phishing/social engineering, 12%
• Malicious insiders, 11%
The institute’s study examined organizations with a minimum of 1,000 individual connections to the Internet,
or enterprise seats. Smaller organizations were defined as those below the median number of seats, while larger
organizations were those above the median. According to Ponemon’s research, the cost of cyber crime in the
United States since 2010 has increased 82%, to an average of $15.4 million per company for 2015.
Most Cyber Incidents Hit Smaller Firms
71%: the percentage of organizations experiencing cyber attacks with two billion dollars or less in revenue
Source: NetDiligence 2015 Cyber Claims Study
The marketplace is observing businesses’ interest in cyber coverage and many insurance companies are positioning themselves
to gain market share. With the exception of a few classes of business where the perceived risk is high, e.g. healthcare, large retail
operations and payment processors, capacity for cyber risk is plentiful.
A manufacturing client that doesn’t hold a lot of records, for example, might find insurers willing to issue larger limits. After the
Target data breach in 2013, there was a brief hard market for retail accounts, but conditions have eased somewhat. Insurers remain
cautious about writing risks where a business holds a large amount of credit card data.
Cyber liability insurers in general are controlling risks in their books through sublimits and deductibles. Capacity for cyber risks
appears to be increasing as insurers see a big opportunity to grow their market share. Despite the sharply higher interest in cyber
insurance, relatively few businesses have purchased the coverage up to now – a situation that is certain to change as trends continue.
One way to view the opportunity for growth in cyber insurance is that if only 10% of U.S. businesses are buying cyber coverage,
then 90% aren’t. There are literally billions of dollars in potential premiums that haven’t yet been written.
Pricing becoming favorable
For small businesses, the price of cyber coverage for many classes seems to be going down, while coverage is increasing. For organizations
with fewer than 100 employees, prices are coming down, deductibles are decreasing and coverage limits are going up.
Coverage can still get pricey for medium to large businesses and certain higher-hazard classes, however.
For medium size businesses, insurance is not as expensive as many business owners might expect. A lot of businesses can buy
cyber coverage for $2,000 to $10,000 in premium. But it depends on the exposure, which can vary even among companies with
the same amount of revenue. A manufacturer, for example, might hold 5,000 records, while a restaurant producing the same level
of revenue might hold half a million credit card records. Their risk profiles are clearly different, and so will be the premiums on their
coverage.
Overall, prices for cyber coverage at renewal aren’t dropping across the board, but sublimits are starting to go away and capacity
is available. For example, exclusive facilities at CRC Insurance Services can provide up to $60 million in combined limits, along with
breach response services.
Services are critical to policy value
Businesses that purchase a cyber policy essentially are buying two things:
• Insurance. The exchange of premiums for cyber risk gives policyholders monetary assets to cover the financial elements of an
incident.
• Expert services. In addition to the underwriting and claims expertise of the insurance company, many – but not all – cyber
policies include access to legal, forensic and other services to respond to a cyber incident.
REVIEW & OUTLOOK
Those services greatly increase the value of a cyber insurance policy because breach response services are expensive to obtain
separately. Legal fees alone could exceed the cost of the coverage. Insurance companies have spent hundreds of hours vetting
and negotiating costs with the best cyber lawyers and forensic companies, providing them to policyholders at below-market
rates. When a policyholder experiences a cyber incident, once the claim is reported the insurance company and its experts step
in and take on the work to help the policyholder recover. Knowing what services are available as part of the policy, and which
ones would be most beneficial to a given client’s situation, is a competitive advantage for retail agents and brokers.
Cyber market evolution
Cyber insurance is still evolving, but it is following a development path that has been seen before. The current phase of cyber
insurance products resembles that of employment practices liability policies more than 20 years ago. In the early 1990s,
EPLI was a new product that attracted a lot of interest. Many employers considered it, just as companies are doing now with
cyber, trying to assess how much of the specialized coverage they should buy. Similarly, it took underwriters time to develop
consistent terms and pricing to refine the product, but that happened after a few years. Subsequent changes in the regulatory
environment made EPLI even more attractive. Today, EPLI is purchased by a majority of businesses.
The first cyber insurance solutions appeared in the late 1990s. The earliest forms of coverage were for technology errors
and omissions liability, then products evolved to cover network security. Now, the cyber insurance marketplace is providing
extensive coverage for data breaches. As businesses’ exposures to technology risks have evolved, so too have the products
designed to protect them.
Even though insurers’ appetite for cyber risk is generally high and capacity is available, differences in policies and
restrictions on certain classes of business require careful consideration to obtain the best placements. There are perhaps
50 or so markets currently offering cyber insurance. For higher-hazard classes, such as large retail merchants or
healthcare entities, the number of markets willing to quote is much smaller. Product offerings continue to evolve and
the market overall is fluid.
Some markets offer coverage for first-party losses, such as the cost to conduct a forensic investigation, public relations,
credit monitoring and notification. Some markets provide coverage for third-party liability and others don’t; still others
have sublimits on third-party losses. Up-to-date knowledge of the marketplace is critical to successfully placing the
best coverage for a client.
Retail agents and brokers need to be familiar with the options before talking with their customers.
Understanding the nuances in cyber insurance products is challenging, however, because policy forms are
different from insurer to insurer. A cyber policy can be 20 to 40 pages long, and terms are not consistent across
policies. For example, what one underwriter calls “e-threat,” another might call “cyber extortion.” Privacy protection
and breach cost coverage can be defined differently, depending on who is underwriting it. A property policy, in
contrast, is straightforward and easy to understand because the vast majority of definitions are uniform. In cyber,
however, quotes may look the same but coverage levels may be vastly different.
Mapping the differences in cyber insurance is not a simple process, but relying on an expert partner that
understands many different coverage forms, as well as the intent of the underwriters, is a smart move. For example,
many agents and insureds assume that circumstances of social engineering involving voluntary transfers of funds are
covered by their crime policies under computer fraud, but they are not. To ensure coverage, it typically needs to be
endorsed on either the crime or the cyber policy.
Cyber-attacks don’t occur during regular business hours. Cyber extortion coverage is critical to respond to
ransomware demands that can paralyze operations. Brokers need to ask customers if they are prepared to respond
to these demands and partner with carriers with proven track records that can respond immediately to cyber
extortion demands.
PLACEMENT CONSIDERATIONS
Large, publicly traded companies tend to be very attuned to cyber exposures because they are in the headlines. Their
boards may have a number in mind as to how much in coverage limits they want, and it becomes an exercise in how much
they want to pay to have $10 million, $20 million or $50 million in coverage. For smaller and midsize clients, cyber risk is
on their radar, but these buyers often seek only $1 million, $3 million or $5 million in limits.
Businesses needing a ready source of broad cyber liability coverage can access up to $10 million in limits through CRC’s
exclusive Corona facility. This facility provides cyber liability and technology E&O liability coverage for U.S. businesses with
up to $200 million in revenue.
Midsize and large businesses can obtain up to $50 million in limits for cyber liability from a new, exclusive CRC facility
underwritten in London. The facility is open to most classes of business.
Pricing, sublimits vary
The marketplace remains unaligned on pricing, retentions and sublimits, as insurers continue to evaluate them. For
example, a policy with a $1 million limit may have a $250,000 sublimit on notification and cost $4,000; another insurer
may charge $7,000 for a policy with a $1 million limit; and depending on class of business, that same level of coverage
from a different insurer might cost $12,000.
Sublimits indicate where insurance carriers are concerned about loss. Large, global insurers tend to sublimit their cyber
policies, while the London market’s approach is generally to offer full limits. For that reason, placing a tower of cyber
coverage or seeking excess coverage typically is easier to do in London.
Some package policies include cyber coverage, but they usually contain a small sublimit, such as $25,000. That amount
could easily be consumed by the forensic costs involved in a breach of as little as 100 records. Understanding the client’s
exposure and resources in a breach incident is critical to obtaining adequate coverage.
Exclusions need to be parsed out in the different policies available to small and midsize businesses. For example, some
insurers exclude coverage for unencrypted mobile devices, and others exclude coverage for failure to maintain
information technology systems. There is a heavy burden on business owners to be consistent.
Cyber insurance products are complex, and there is no one-size-fits-all solution for cyber risk. Even though the
marketplace is generally eager to write cyber coverage, product offerings vary widely, and there is no uniform
set of terms or definitions.
Partnering with a wholesaler that has relationships with multiple markets, knows the specific appetites of those
markets and understands the differences in policy forms saves both time and money in obtaining the best
coverage solutions for the policyholder.
There are few insurance product lines where a mistake by the retail agent or broker can result in the loss of
the entire account. Cyber liability is becoming one of those; the stakes are higher. It’s easier to make an error
in cyber because every policy is different. One quote might look great, but another company might offer a lot
of services for free.
Regardless of size, the client needs help with cyber coverage. An agent or broker can’t provide a lesser product
or less service when it comes to protecting a client against cyber risk.
SUMMARY
NOTES
i Identity Theft Resource Center, “2015 Data Breach Reports,” http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
ii National Small Business Association, “2013 Technology Survey,” http://www.nsba.biz/wp-content/uploads/2013/09/Technology-Survey-2013.pdf
iii NetDiligence, “2015 Cyber Claims Study,” http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
iv Ponemon Institute LLC, “2015 Cost of Cyber Crime Study,” https://ssl.www8.hp.com/us/en/ssl/leadgen/document_download.html
v Payment Card Industry Security Standards Council, PCI DSS Quick Reference Guide, https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
vi National Conference of State Legislatures, Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
© 2016 CRC Insurance Services, Inc. CA Lic No 0778135. No claim to any government works or material copyrighted by third parties. Nothing in this communication constitutes an offer, inducement, or contract of insurance. Financial strength and size ratings can change and should be reevaluated before coverage is bound. This material is intended for licensed insurance agency use only. This is not intended for business owner or insured use. If you are not a licensed agent please disregard this communication. Equal Opportunity Employer – Minority/Female/Disabled/Veteran.