Host of Hacks Not Raising Cyber Premiums

October 25, 2017

By John Hintze

Cyber insurance premiums fall despite major hacks; scrutinizing coverage still a must. 

Despite the continuing steady flow of news about major companies getting hacked, cyber policy premiums have continued to fall and coverage has continued to broaden as insurers crowd into the space.

In fact, the magnitude of cybercrimes only seems to be growing, with recent revelations that all of Yahoo’s three billion customer accounts were hacked, as were Equifax’s 140 million customers, along with Deloitte’s client emails and certain SEC filings. As a result, some cyber insurers have increased underwriting scrutiny for certain risks while others still offer premiums that continue to fall, according to Kevin Kalinich, the global practice leader for cyber risk at brokerage Aon.

“We have over 70 cyber carriers out of the US, Bermuda and London. Therefore, despite the recent cyber incidents, unless you are in a ‘high risk’ industry class, because there’s so much competition we’re seeing rates come down,” Mr. Kalinich said. “If you’re buying cyber insurance, now is definitely a good time to buy it.”

David Bradford, chief strategy officer and director of strategic partnership development at Advisen, a provider of data, media, and technology solutions for the commercial property and casualty insurance market, said that many companies are currently experiencing reductions between 5% and 15%, a trend that should continue for the immediate future. He said the Equifax breach is unlikely to have a significant impact on premiums, because the company has $150 million or less of coverage, and so is unlikely to drive capacity out of the marketplace. “It will probably cause some alarm among certain classes of buyers, but it’s within the range of what insurers expected to pay,” he said.

Premiums remain elevated for companies in industries such as retail and healthcare, which have seen significant breaches in recent years. However, they likely will fall gradually as cybercriminals turn their sights to other industries. The broad downward pressure on premiums fundamentally stems from supply outweighing demand—the 65 insurers Advisen estimates plying the cyber-policy space are chasing after a relatively small pot of premiums, approximately $3.5 billion. Companies can take on upwards of $600 million in coverage, Mr. Bradford said, although brokers must cobble together that capacity using policies from numerous carriers.

At a NeuGroup Treasurers’ Group of Thirty meeting in May, most members raised their hands to indicate that their companies had purchased cyber insurance policies, and that premiums had dropped noticeably. Indeed, a bigger issue appeared to be whether ever-evolving cyber-related risks are covered by dedicated cyber policies or fall under current property, crime, general liability, kidnap and ransom, or professional liability policies.

Business email compromise (BEC) attacks that enable unauthorized funds transfer, for example, have become routine at large companies, and the consensus appears to be that inevitably some will succeed. Crime policies typically address employees stealing from the company, perhaps through fraudulent wire transfers, but risk managers should confirm that the language also covers instances where employees are duped by a BEC to wire those funds.

“Recent contradictory case decisions have shown that there’s a bit of gray area from a crime policy standpoint, and those policies may not pick up social engineering fraud,” Mr. Kalinich said. He added that BEC most appropriately fits under traditional crime policies due to the funds transfer damages element, but starting in 2014 cyber policies started providing that coverage, often via an extension and for small- to mid-market policies.

Mr. Bradford described BEC as currently a “hot issue,” with cyber insurers looking to crime-policy carriers to provide the coverage and vice versa.

“Neither one has wanted to take it head on, and both have tried to avoid the issue until recently,” Mr. Bradford said. “Now we’re seeing steps toward affirmatively providing meaningful coverage in this area.”

He added that although it can be argued many crime policies may already cover BEC claims, the opinions of insurers and courts can differ. Recent court cases such as Principle Solutions Group LLC v. Ironshore Indemnity have ruled in favor of the insured.

In addition, more cyber policies appear to be covering the risk. Betterley Risk Consultants, which tracks specialty insurance companies, found 14 insurers covering BEC losses in cyber policies in 2016 compared to 22 as of June this year. However, said Rick Betterley, editor of The Betterley Report, some ambiguous responses by insurers suggest those numbers are rough estimates. “I think the actual answer is there’s been a gradual increase [in insurers’ cyber policies covering BEC-related losses], but insurers are very cautious about this,” he said.

Insurance coverage of ransomware attacks, spotlighted earlier this year when several global attacks occurred that encrypted files and made them unusable until the ransom was paid, can also be hazy. At first glance, the risk might seem appropriate under a crime policy, noted Mr. Betterley, although covering the risk has become a common option under cyber policies. Typically, it covers the loss from paying the cyber criminal’s ransom. However, he said, companies must scrutinize whether it also covers losses should the cybercriminal take the money and run without removing the encryption, locking away the stolen data and interrupting business.

Mr. Kalinich said there were several ransomware attacks targeting hospitals in 2016, and he noted the Goldeneye ransomware hit companies worldwide in June 2017.

“When you start to talk about the overlap between property coverage, business interruption, and cyber coverage, it will be interesting to see how claims play out and how the market adjusts to that,” he said. For instance, just last week, FM Global announced a partial retraction of cyber-related business interruption coverage in its base policy forms.

In terms of coverage broadening, Mr. Kalinich said, cyber coverage initially focused on privacy, both in terms of liability and from a first-party reimbursement standpoint. Business interruption coverage began emerging more in 2014 and 2015, although early on there was little demand for it. More recently, however, most carriers have broadened terms to cover system failures, including failure of technology, whether from an operational error, outsider hack, negligent act or internal omission.

“That’s very important from a coverage standpoint, since organizations work off a technology infrastructure,” he said. “It’s not just a malicious attack on a network, but if there’s some type of outage, even if it is not from an intentional cyberattack, the policy can pick that up.”

Another “hot” issue now, according to Bradford, is bodily injury and property damage resulting from a cyberattack. For example, if malware compromises the software in a self-driving car that ends up in an accident, who is liable for that?

Bradford said FM Global has made cyber-related property coverage a selling point for its property policies, but other insurers have been less enthusiastic. Similarly, on the cyber-insurance side, most policies do not cover such property damage, nor do they cover bodily injury. “I’m only aware of one—AIG’s CyberEdge policy—but the pressure is on others to extend it,” Mr. Bradford said. “It’s a big issue now, given the interest around the Internet of Things.”

Still relatively new and not yet uniformly available is coverage for contingent systems failure, which covers losses stemming from a vendor’s technology failure. Mr. Kalinich said that “the breadth of such coverage can be staggering,” and carriers are essentially underwriting not only the intended insured’s risk but also its vendors’.

“It’s a good thing for clients. The number one thing we talk to clients about is the financial impact of a breach,” Mr. Kalinich said. “It’s not solely about privacy and security anymore but about cyber assessment, quantification, mitigation and incident response to protect the organization’s financial statements, which has been really underscored by recent disruptions.”
