

Senior Underwriter, Cyber Technology, AXA XL

A perfect storm of cyber risk is brewing for middle-market businesses, and many of them are unprepared.

News headlines tend to emphasize data breaches at big multinational corporations and health care entities that expose millions of records, but studies show that smaller organizations account for the majority of cyber claims. Cyber risk assessment firm NetDiligence, in its 2015 Cyber Claims Study, found that 71% of claims came from organizations with less than $2 billion in revenue. The majority of claim payouts were due to notification and credit monitoring, forensic, legal and regulatory expenses.

Large organizations have more resources to devote to technology security and cyber defenses, and therefore are becoming somewhat more difficult for hackers to crack. So where do cyber criminals look to exploit weaknesses and hone their skills? Easier targets, which means they are looking at midsize and small organizations. Many middle-market executives mistakenly believe their firms aren’t large enough, or don’t have the kinds of data, to attract cyber criminals. With fewer resources, smaller IT security teams and greater interest from cyber criminals, middle-market businesses are facing a comparatively greater level of exposure.

There’s a lot of value at risk in this segment. Middle-market businesses collectively are an engine of economic growth, accounting for one-third of U.S. jobs and contributing nearly as much in private-sector gross domestic product, according to the National Center for the Middle Market. The center defines the middle market as businesses producing revenues between $10 million and $1 billion, and counts more than 200,000 of them in the United States alone.

Even if a cyber incident does not physically disrupt a midsize business, the costs associated with forensic investigation and breach notification can be a shock. The effect on the balance sheet may derail the organization’s plans and result in the loss of jobs and/or customers.

According to the Ponemon Institute, the average cost of a single breach in 2015 was $3.5 million, and organizations lost $1.57 million in business, on average, from each breach. Part of the cost involves investigation and remediation. Forty-seven states have breach notification laws, and businesses cannot simply ignore those requirements if they have a data breach. Notification, forensics and related services are expensive to obtain, especially after a cyber incident occurs. Very few, if any, organizations have the in-house ability to address the legal, regulatory and technology issues that arise from a data breach. Outside expertise is almost always recommended and required.



Consider this example: A law firm with 25 lawyers and a relatively broad set of practice areas, including corporate litigation, suffers a data breach that exposes confidential information from hundreds of clients. The firm has legal expertise, certainly, and may be able to address the notification requirements and pursue recovery from a responsible party, if one is identified. But the firm likely does not have in-house staff who are experienced in computer forensics and data discovery, or crisis management experts who can help mitigate the law firm’s reputational damage. Professional liability policies typically do not respond to litigation triggered by data breaches and exclude immediate crisis management costs such as notification and credit monitoring, forensics, and public relations. The firm could well have to pay hundreds of thousands of dollars in costs arising from the incident. Regardless of the type of business, a cyber incident can cause tremendous stress and threaten the life’s work of its founders or partners.

What can a middle-market business like the above law firm do? It can invest in strengthening its IT security, to reduce the risk of breach. But companies of all sizes continue to experience cyber-attacks, so the risk can’t be eliminated. Cyber liability insurance, for almost all organizations, is a valuable solution. Cyber coverage provides a lot of value, not the least of which are the inclusion of expert services at below-market rates and stress relief for beleaguered business owners.

Partnering with an experienced cyber liability insurer can be one of the smartest purchases a midsize company can make. When an incident does occur, a single phone call to a hotline can activate a response plan with a team of experts in multiple fields, including claims, and provide financial resources so that the business can focus on doing what it does best. Cyber insurance, while not an all-encompassing solution for a lack of preparedness, can provide peace of mind; for a middle-market organization, it can mean the difference between staying in business and closing its doors.


About the Author

Richard Schulz is a vice president and underwriting manager in XL Catlin’s Cyber and Technology group. Before joining XL Catlin, he underwrote a broad spectrum of media, technology, privacy and network security risks for a global insurance company.

