Product Family


Head of Cyber, Tech and MPL Operations, AXA XL

For US-based consumers, it was a breach like no other. An estimated 147 million records were compromised when consumer credit reporting agency Equifax fell victim to a major systems breach in March 2017. At risk were millions of names, Social Security numbers, dates of birth, phone numbers, email addresses, and passport information. Additionally, nearly 209,000 credit card numbers and expiration dates were compromised.Yet those numbers are small in comparison to how many identity record breaches have occurred in 2017 alone. Over 3 billion records were curated from an astounding 8.7 billion raw data records that were culled from nearly 3,000 different breaches. That represents a 64% increase in exposed data year over year.The real issue, however, is the overall cost associated with data breaches. According to Equifax’s 2018 first-quarter financial report, the company has spent $242.7 million in IT and data security costs and related expenses on breach-related recovery activity.While that may seem like an insurmountable amount, the Equifax event, so far, is not the costliest. That designation belongs to Epsilon, whose systems were compromised in 2011, exposing an unknown number of names and emails from 75 customers such as Capital One, Citigroup, Best Buy, and JP Morgan Chase. The cost to date: $4 billion.  On average, cyber-attacks and breaches cost US businesses $1.3 million per breach.The Indiscriminate Risk Despite attention-grabbing headlines suggesting cyber breach is a concern for the global corporations, there is no organization immune to cyber liability. Many small to mid-sized businesses have been targeted by cyber thieves, and there is no industry insusceptible to such attacks.  For example,  an elementary school lost or misplaced 151 enrollment records containing personal identifiable information of both students and parents;  A county government was hit by a crippling ransomware attack, bringing down its entire network, and the thieves demanded ransom in Bitcoin currency.If a business collects and/or stores customer information, payment data, or personal health records, there is a data breach risk. In many cases with small to mid-sized businesses, breaches are not immediately detected. The longer breaches go unnoticed, the higher the number of records that are compromised could be.The business financial losses are not the only losses to consider. The loss of customer trust and the hit to the business’s reputation can have a long-lasting impact. Still, far too many smaller business entities are going without cyber liability coverage. Why? Because too many businesses believe they are not at risk. In a survey of 2,500 small-business owners, 82% say they do not feel they are at risk for a data breach or cyber security incident.In fact, 60% of cyber-attacks in 2016 were perpetrated against small businesses. That’s the same percentage of small businesses that go out of business within six months after an attack. Such attacks are costly – estimates run between an average $177,000 to $148,000 per occurrence for a small business. Those are costs that 90% of small businesses have not protected against.


In fact, 60% of cyber-attacks in 2016 were perpetrated against small businesses. That’s the same percentage of small businesses that go out of business within six months after an attack.

Yet cyber liability coverage, particularly for the small to middle market business, seems sized for the larger, multinational organizations. Limits often exceed what a smaller enterprise would need, and premium costs could, in some cases, outpace the exposure. While prices continue to fall in the standalone cyber liability coverage market, it still appears far down the list of priorities for the Main Street business owner.Then there’s the matter of availability of right-sized coverage. Not all carriers and brokers offer cyber liability products. Even if they do, not all customers want or need a larger, standalone cyber product, and their brokers are unaware of any cyber liability products that could fit their customers’ needs.Solution: The Cyber Endorsement One solution is a cyber liability endorsement that attaches to the customer’s commercial general liability policy. For businesses that want protection from potential cyber events, yet are unsure whether a larger standalone policy is affordable for them, a cyber liability endorsement provides a good option to obtain coverage they need at a price that makes sense.A cyber liability endorsement benefits smaller companies in a number of ways:

  • The cyber endorsement, attached to a commercial general liability policy, gives customers a more economical option for covering cyber events;
  • Coverage limits are lower than those for standalone products, which makes it a more affordable option;
  • A cyber endorsement is a viable starting point for smaller entities looking to gain cyber coverage without a larger financial commitment, and;
  • The endorsement gives smaller companies an avenue for mitigating cyber risks, including access to forensics, public relations, and legal expertise.

For brokers, offering a cyber liability endorsement delivers much-needed protection to business customers who might have to look elsewhere for such coverage. Because the coverage augments commercial general liability products, it can be easily added to an existing line of business.  Plus, a cyber endorsement gives standard insurance companies entry into the cyber market without the need to have underwriting and claims expertise in that area.

The Endorsement Up Close When considering purchasing a cyber liability endorsement, or when looking to add such an endorsement to an existing product, industry experts suggest looking for a product that offers a broad network of breach response expertise. A cyber add-on product should include computer forensics, credit and ID monitoring, breach notification, call center support, public relations support, and legal support that comes with security and privacy expertise. Also important is access to 24/7 claims support.Other coverage options to look for:

  • The option to choose up to 100% risk transfer;
  • Longer reimbursement periods for data or cyber breach incidents;
  • Unlimited reimbursement period for  loss of business income and extra expenses, as well as;
  • Coverage for outsourced providers, including third parties contracted to perform service on behalf of insurer.

Also, brokers and consumers alike should look for a product from an insurance company that has the expertise needed to help recover quickly from a data breach.Because companies are unique, their cyber liability exposures vary in both nature and scope. Brokers and their customers should consider working with a company that offers an endorsement tailored to fit the business needs of their customers.Procuring cyber liability coverage is now an affordable choice for small and mid-sized companies. Through a cyber liability endorsement added to a commercial general liability policy , property policy or other insurance policy, businesses can attain good essential cyber coverage without a large investment. For brokers looking to help their customers protect their businesses, a cyber liability endorsement delivers a valuable solution for relatively low cost. About the author. . .Katherine Walas is a senior underwriter and head of cyber operations for XL Catlin’s Cyber & Technology insurance team. She can be reached at  or at +1 860 948 1858.


To contact the author of this story, please complete the below form

Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.