Cyber coverage: What are companies looking for?
Amid the rising uncertainty of cyber risks, one thing is for sure: organizations have become much more sophisticated about buying cyber insurance.
There is a lot of discussion around the growing risk of cyber incidents and the importance of cyber insurance, but few people are talking about the increasing sophistication of the buyers of this specialized coverage.
My career in insurance includes more than a decade as an underwriter of cyber and technology exposures -- almost as long as cyber insurance has been available. During that time, I have observed a steady evolution occurring, in both the insurance products and their customers. Only a few years ago, many organizations were skeptical about cyber insurance, expressing concerns about whether it would respond or questioning whether they truly needed it. For the vast majority of organizations, that is no longer the case.
As more industries embraced computer technology and the Internet ushered in online commerce, cyber criminals saw opportunities to attack websites and computer systems. Over time, businesses outside of the technology sector started to experience cyber incidents, from denial of service attacks to data breaches, and liability claims quickly followed.
A startling picture of the growth in the number and distribution of cyber incidents is painted by NetDiligence's 2016 Cyber Claims Study, the sixth such report. NetDiligence identified industries reporting the most claims: Healthcare, representing 19% of the total claims studied; professional services, 13%; non-profits, 11%; financial services, 10%; retail, 10%; other industries, 17%. Technology firms represented only 6% of the claims studied. Additionally, the number of reported incidents is up across all industries. Some of the largest claims in this year's study, counterintuitively, came from smaller organizations.
This broad set of industries reflects what my colleagues and I are seeing in submissions for cyber insurance. Organizations of all sizes have become more conscious of the limits and specific coverages they would like to have, and they have become better able to present their cyber exposures and risk management controls to the underwriting community. Much of this growth in awareness is in part due to the growing brokerage community of Cyber Specialists, who have provided information and insight on cyber risks and coverage with more clarity and direction. From the large brokerage houses, to wholesalers, to regional brokers, buyers are readily able to find an in-house specialist to discuss the evolving threats and coverage offerings from insurers.
Cyber insurance buyers are becoming more selective about how they want to structure the coverage..."
Companies are thinking carefully about how much cyber coverage they need to buy, too. For some organizations, their decision to buy certain limits is dictated by strict budget limitations; many based on true exposure they face, and for others, coverage amounts are determined by contractual requirements. For example, a small company sought cyber insurance to fulfill its service agreement as a supplier. The company thought their own cyber exposure was minimal, but shortly after the policy came into effect, one of their employees in human resources lost a laptop containing employee data. The result? A sizable claim that the small company never anticipated. Fortunately, they had insurance coverage.
Cyber insurance buyers are becoming more selective about how they want to structure the coverage as well. One example is that more organizations are buying first-party only coverage also known as “crisis response.” This includes notification and credit monitoring, costs to conduct a forensic investigation and the costs to retain a public relations firm. Some are opting against third-party liability because they may have some cyber coverage in another insurance program, such as errors and omissions liability. They are looking to match their cyber insurance purchase with their greatest area of exposure and to fill gaps in coverage that were previously uninsurable.
Because customer exposures and buying patterns are constantly changing, the cyber insurance market has to be committed to innovating and updating our own coverage forms continuously with the ability customize offerings to underwrite to a customer's culture and coverage needs. The risks, the markets and the products are all continuously changing. Change is the one constant in cyber insurance. And for cyber underwriters like me, we welcome it and we’re working hard to be ready for what’s next.
About the author
Marcin Weryk is a vice president and underwriting manager in XL Catlin’s Cyber and Technology Insurance Group. Before joining XL Catlin in 2012, he underwrote cyber and technology risks for a large commercial lines insurance organization. To learn more about XL Catlin’s cyber coverage, contact Marcin at firstname.lastname@example.org or 212- 915-6838.