CYBER INSURANCE
CYBER INSURANCE
Ransomware and the pandemic test market capacity and capabilities
By Joseph S. Harrington, CPCU
Now is a time of testing for cyber insurers.
Just prior to the pandemic, British insurer Hiscox concluded in its Cyber Readiness Report 2020 that commercial enterprises have generally improved in their awareness of cyber threats and in their ability to prevent and repel an attack.
Yet the survey report had not even been completed and published when the world economy was upended by the coronavirus pandemic, which led organizations that could do so to institute work-from-home operations with little or no advance preparation.
“Because cyberrisk is an evolving threat, as certain coverage enhancements become standardized, new ones enter the market.”
—Thomas Kang
North American Head of Cyber, Tech and Media
Allianz Global Corporate & Specialty
It came as no surprise, then, that, according to an article on TheHill.com website, the FBI reported a surge in cyber attacks in the wake of the pandemic lockdowns. There also has been a notable increase in the sophistication and capabilities of cyber criminals, especially those utilizing “ransomware” to extort large sums of money from victims.
Do cyber insurers have the financial and technological capacity to meet these challenges? So far, it appears that they do.
“In general there is good supply in the current cyber market, especially in the lower-limit policy segments,” says Chris Larson, underwriter for the hospitality and restaurants program of Distinguished Programs. “There still seem to be new players coming into the cyber market and vying for market share.
“We’ve heard there is shrinking capacity for higher limits, but this is mainly for limits of $10 million and more.”
That assessment is largely shared by other observers.
“A number of markets continue to provide capacity, which is continuing to affect the availability and pricing of coverage for many cyber insurance clients,” says Thomas Kang, North American head of cyber, tech and media at Allianz Global Corporate & Specialty.
“It’s still very easy to place coverage now,” at least for small to mid-sized accounts, says Anita Byer, president of Setnor Byer Insurance & Risk. Down the road, in two to five years, Byer anticipates some hardening in the market, especially as data sharing becomes even more integrated with the implementation of 5G network technology.
Standardization, somewhat
Byer adds that the ability to place cyber coverage is facilitated by a steady evolution toward a standardization of cyber forms, which makes it easier to compare products and select the one that best meets the needs of an enterprise. “Cyber insurance is still a young product but one that has reached stability and standardization,” she says.
For his part, Larson finds “a good mix of both variation and standardization of forms” in the hospitality and restaurant sector he serves.
“With a lot of carriers vying for market share, different carriers present some variation in the forms,” he says. “Some offer extremely robust coverage; others just certain coverages.
“In the hospitality sector,” he continues, “with more franchise chains requiring cyber liability insurance, some commonality has emerged among carriers and the coverages they are offering.”
Emy Donavan, global chief underwriting officer for Resilience, generally shares that view. “What’s covered under a policy is generally becoming more uniform,” she says, but producers and buyers need to remain vigilant regarding differences in certain provisions of cyber policies.
Among the distinctions that can be decisive in settling a claim is the coverage trigger for contingent business income claims. “Does a policy require that the interruption result from an intrusive attack, or will it respond to a general breakdown of another’s system?” she asks.
Similarly, she cautions producers and buyers to be clear on whether coverage is for a “systems failure” or “technical failure,” and to understand the implications of the terminology used.
“A lot of companies have had toimplement work-from-home arrangements for the first time, and some have delayed buying insurance for cyber until they established their at-home setups.”
—Anita Byer
President
Setnor Byer Insurance & Risk
Awareness
Yet given how rapidly both cyber assets and cyber threats evolve, cyber insurance may never attain the degree of “stability and standardization” seen in other lines.
Michael Costello, co-founder and principal of Evolve MGA, which specializes in cyber coverage, says “the biggest issue cyber insurance faces is still the complexity surrounding coverage, as exposures and coverages change rapidly and competing insurers call the same coverage by different names.”
Nonetheless, growing awareness of cyber threats has all but eliminated any reluctance to acknowledge an organization’s exposure.
“Businesses now understand they have cyber exposures, as they have either had a hacking scare or seen their competitors experience attacks,” says Costello. “In response, we focus on educating retail brokers to explain cyber exposures to any business in any industry in under one minute. This includes explaining how hackers target a business, the costs associated with each type of attack, where to find the right coverage, and how to stop future attacks.”
As enterprises become more aware of their vulnerabilities, Costello finds that “cyber insurers are getting better at understanding that first-party coverage is the most important coverage in the policy. Some of the new competitors are offering very broad first-party coverage at a very cheap rate,” he says.
“There is increasing knowledge of cyber attacks and their impact on businesses across many industry classes,” says Kang. “Because cyber risk is an evolving threat, as certain coverage enhancements become standardized, new ones enter the market.”
Kang anticipates that expanding connectivity of devices through the Internet of Things and evolving exposures will prompt further innovations in cyber insurance, such as coverage for contingent bodily injury and property damage liability resulting from a cyber event.
“For the time being, such enhancements will need to be manuscript in nature, taking into account the insured’s risk profile as well as the insurer’s underwriting appetite,” he says.
“It’s not good to have risk management and IT managers meeting each other for the first time [when a loss occurs].”
—Emy Donavan
Global Chief Underwriting Officer
Resilience
Pandemic impact
Cyber risk is dynamic enough on its own. The level and tempo of risk have been compounded by the COVID-19 pandemic.
“Cyber exposures increased significantly during COVID-19 during the work-from-home transition,” says Costello. “Many people are on their unsecured home networks using personal computers that haven’t been equipped with companywide cyber security software.”
Larson also finds that “many businesses are now operating more remotely than before, increasing the potential for loss and the [severity] of the loss.
“The nature of claims is not changing because of the pandemic,” he adds. “There is just more frequency of losses.”
From a carrier perspective, Kang finds that “it is still too early in loss development to offer hard and fast figures for [severity] of reported claims, but we have seen an increase in cyber attacks resulting from expanded use of remote-work environments.”
“There’s been 10 years of change in 10 weeks in the way people do business,” says Byer. “A lot of companies have had to implement work-from-home arrangements for the first time, and some have delayed buying insurance for cyber until they established their at-home setups.”
Sources contacted for this article had strikingly contrasting observations on the impact of the pandemic on sales of cyber insurance.
In the hard-hit hospitality sector, Larson finds that “sales of cyber coverage have become tougher because many establishments are financially burdened and choose to not spend for something they regard as an ‘extra’ rather than as fulfilling an essential need.”
For his part, however, Costello sees sales of cyber coverage growing in response to increased claims, particularly for ransom ware extortion and funds transfer fraud but Kang counters that, while demand for coverage remains steady, “the pandemic has had minimal impact on the sale of cyber insurance.”
Producer advice
Byer notes that cyber insurance is rapidly becoming an essential element of “the circle of commonly used commercial insurance products,” which includes commercial property and general liability coverage, plus commercial auto and workers compensation when the relevant exposures are present.
Of those products in “the circle,” cyber insurance is arguably the most complex, she adds. Helping clients navigate those complexities will boost the value proposition and longevity of producers prepared to explain coverage and impart risk management advice. “I’m comfortable we’re here to stay,” she says.
It’s safe to say that risk management and loss control consulting is an integral component of cyber insurance, more so than for any other line of coverage.
To serve clients effectively, it is important to engage both the business and the IT managers of an enterprise very early on, says Donavan. When a loss occurs, “it’s not good to have risk management and IT managers meeting each other for the first time.”
For more information:
Allianz Global Corporate & Specialty
www.agcs.allianz.com
Distinguished Programs
www.distinguished.com
Evolve MGA
www.evolvemga.com
Resilience
www.resilienceinsurance.com
Setnor Byer Insurance & Risk
www.setnorbyer.com
The author
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.
