Cyber Liability Insurance Demand Expected to Outstrip Supply

Corporate interest in cyber liability insurance continues to gain momentum, and could strain an already limited supply of policies, according to a new executive brief published this week by market research, advisory and consulting firm Novarica. The firm attributes the growing interest to increased cyber threats and the potential financial exposure they represent, as well as the changing regulatory climate.

The 8-page report, “Cyber Risk Trends,” authored by Novarica’s analyst Faye Yaun and research and knowledge systems manager Steven Kaye, notes that while cyber risks and cyber liability offerings have been around since the early 1990s, the threat landscape is drastically changing. The report cites recent high-profile cases, such as the hackings of Target and Neiman Marcus that compromised the personal information of more than 100 million customers, as well as multiple articles and studies that look at cyber risk.

As an example, the report refers to an April Marsh Risk Management Research Briefing, “Benchmarking Trends: Interest in Cyber Insurance Continues to Climb,” which noted that the number of policies purchased rose 21 percent from 2012 to 2013 as executives, consumers and stakeholders grow increasingly aware of the frequency, scope and magnitude of cyber-attacks.

The Novarica report also refers to a 2013 cyber risk report issued by Betterley Risk Consultants, a risk and insurance management consulting firm. That report, “Cyber/Privacy Insurance Market Survey – 2013: Carriers Deepen Their Risk Management Services Benefits - Insureds Grow Increasingly Concerned with Coverage Limitations,” states that although the annual premium volume information about the U.S. Cyber Risk market is hard to come by, the annual gross written premium is in the $1.3 billion range and there is potential to reach $2 billion.

Novarica also cites a study sponsored by AIG that found that 85 percent of executives cite cyber risk as a top concern, and that 69 percent say reputational costs arising from an attack far outweigh the associated financial costs.

Meanwhile, many losses involving digital attacks and data breaches still remain uninsured, according to the Novarica brief. A 2013 Harvard Business Review Analytic Services survey found that less than 20 percent of companies purchase some form of cyber insurance. And while companies are interested in buying incrementally higher limits on existing policies, a 2014 Crawford & Company study, “The Future of Cyber Insurance,” reveals that very few carriers are willing and able to indemnify over $50 million, with the majority writing a maximum limit of $10 million or under.

Cyber Risk Policies Typically Include:

• Business interruption. Covers loss of business income resulting from a cyber attack on a company’s network that limits its ability to conduct business.

• Criminal rewards. Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of those who have hacked a computer system.

• Crisis management. Covers the cost of retaining public relations assistance and advertising to rebuild a company’s reputation.

• Cyber extortion. Covers the settling of an extortion threat against a network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.

• Data breach. Covers the cost and legal liability resulting from a data breach, such as complying with regulatory requirements or addressing customer concerns.

• Identity theft. Covers the cost of creating an identity theft call center in the event customer or employee personal information is stolen.

• Liability. Covers defense costs, settlements, judgments and punitive damages incurred as a result of a data theft, transmission of a computer virus, failure of its computer security system and allegations of copyright or trademark infringement, libel, slander and defamation.

Source: Insurance Information Institute

The authors outline several challenges insurers face, including a lack of data and tools to accurately model and price cyber-related policies and a shortage of in-house talent to address emerging risks. For example, the authors note, without statistically significant actuarial data, most insurers are reluctant to offer broad coverage and full indemnification.

Finally, the Novarica report offers advice on steps insurers can take to mitigate cyber risk and better manage liability. Based on the assumption that breaches are inevitable and that prevention is not fail-proof, the recommendations include collaborating with clients to develop best practices and metrics for gauging cybersecurity maturity.
