STATE of the market ON CYBER RISK

Transcription

1 STATE of the market ON CYBER RISK

2 TABLE OF CONTENTS The Takeaway 1 The Overview 2 Review & Outlook 5 Placements & Considerations 7 Summary 9 Notes 10

3 THE TAKEAWAY Year-over-year increases in the frequency and cost of cyber incidents nearly doubling since coupled with heightened regulatory scrutiny and growing litigation, are causing a surge in demand for cyber liability insurance. As small and midsize businesses begin to recognize their exposure to cyber liability, more insurance markets are committing capacity to serve those needs. Cyber insurance products are complex, and they vary widely from insurer to insurer. Unlike mature lines of business such as property insurance, the marketplace does not yet have a consistent set of policy terms or definitions for cyber risks. Moreover, cyber policies also vary in their application of sublimits and service offerings to respond to data breaches, such as forensic investigations, legal services and credit monitoring. As a result, comparing cyber liability policies is difficult without extensive knowledge of the products and the marketplace. Retail insurance agents and brokers have nearly equal measures of opportunity and challenge when it comes to selling cyber insurance. Businesses of all sizes are realizing that cyber coverage is becoming a necessity. The question many businesses are asking is no longer, Do we need cyber insurance? but How much coverage should we buy? The downside is that the fluidity of the market and the many nuances in product offerings can make finding appropriate coverage for customers a tall order. To obtain the best coverage options and meet clients service expectations, agents and brokers should turn to partners with proven expertise in cyber coverage and a record of success in procuring it. 1

4 THE OVERVIEW Massive data breaches in the last few years, such as those at Target Corp., ebay, The Home Depot and Anthem Inc., which resulted in the exposure of hundreds of millions of records, have broadened awareness of cyber risk. Media attention to these incidents, however, tends to obscure the fact that breaches are occurring across virtually all industries, and are particularly common among small and midsize organizations. A growing trend in connectivity, known as the Internet of Things, may become a significant factor in future cybersecurity exposure. The Internet of Things is a collection of devices embedded with sensors capable of exchanging information. Cisco Systems Inc. estimates that by 2020 the Internet of Things will comprise 50 billion networked devices. According to the Identity Theft Resource Center (ITRC), nearly 800 data breaches were publicly reported in 2015, in the press or by government sources, representing more than 169 million total exposed records. ITRC defines a breach as an event in which an individual s Social Security number, driver s license number, medical record, or a financial record/credit/debit card is potentially put at risk either in electronic or paper format. While some of the breaches involved very large organizations and millions of records exposed, many of the entities on ITRC s breach list were small or midsize.i Among those experiencing breaches in 2015 were: Sole-proprietor Certified Public Accountants Law firms Drycleaning companies Car wash businesses Sporting and recreational goods manufacturers High schools Food courts Gift shops Insurance agencies and brokerages Third-party claim administrators The ITRC list shows that businesses in many industries, including agents and brokers themselves, are exposed to cyber incidents. 2

5 Healthcare organizations are especially vulnerable to data breaches. While much attention focused on Anthem Inc. s announcement in February 2015 that it had a breach exposing nearly 80 million records, one of the largestever data incidents, often overlooked are the many solo practitioner medical and dental offices and outpatient healthcare facilities that also suffer data breaches. The situation is similar among retail merchants. Target s 2013 breach involving more than 110 million records was an eye-opener, not just in the size of the incident, but in the method hackers used. The retail company s network was penetrated by hackers through a heating, ventilation and air-conditioning vendor. If a company with Target s resources was vulnerable, then virtually any merchant holding customer records or employee records could be at risk of cyber attack. Smaller businesses vulnerability to cyber incidents is great, according to research by the National Small Business Association. II In its 2013 Technology Survey, NSBA found that 44% of small businesses those with $150 million or less in revenue and fewer than 500 full-time employees have already experienced a cyber attack. Moreover, 79% said they do not understand or have little to moderate understanding of cybersecurity issues and how to handle the online security of their businesses. In effect, smaller businesses fall into two camps: those that have already had a breach and those that will eventually. Into the Breach Reported Incidents Rise Dramatically Sources: Identity Theft Resource Center, Statista 3

6 Most Cyber Incidents Hit Smaller Firms 71% THE PERCENTAGE OF ORGANIZATIONS EXPERIENCING CYBER ATTACKS WITH TWO BILLION DOLLARS OR LESS IN REVENUE Source: NetDiligence 2015 Cyber Claims Study The cost of cyber incidents has continued to rise and remains disproportionately high for smaller organizations, according to various sources. The total cost does vary but generally increases with the number of records exposed. Therefore, a data breach affecting millions of records is likely to cost more than one involving hundreds or thousands of records. Cyber risk assessment firm NetDiligence, in its 2015 Cyber Claims Study, examined 160 incidents involving businesses ranging from less than $50 million in revenue to more than $100 billion. NetDiligence found that smaller businesses generated some of the largest claims. III Critical drivers of these claim costs are: forensics, legal and regulatory costs. Cyber Claim Costs High Among Smaller Firms Total Cost of Claims From Data Breaches, Including Self-Insured Retentions Revenue Size Average Cost Maximum Less Than $50M $65,096 $809,788 $50-$300M $150,018 $764,225 $300M-$2B $578,233 $4.9M $2B-$10B $910,801 $6.7M $10B-$100B $4,800,000 $15M The Ponemon Institute, in its 2015 Cost of Cyber Crime Study, found that smaller organizations in the United States have a significantly higher annual cost per capita from cyber crime than larger organizations, averaging $1,571 vs. $667. IV Ponemon also found that the type of attacks that account for the largest costs among smaller organizations were: Malicious code, representing 27% of attacks Denial of services, 21% Phishing/social engineering, 12% Malicious insiders, 11% The institute s study examined organizations with a minimum of 1,000 individual connections to the Internet, or enterprise seats. Smaller organizations were defined as those below the median number of seats, while larger organizations were those above the median. According to Ponemon s research, the cost of cyber crime in the United States since 2010 has increased 82%, to an average of $15.4 million per company for

7 REVIEW & OUTLOOK The marketplace is observing businesses interest in cyber coverage and many insurance companies are positioning themselves to gain market share. With the exception of a few classes of business where the perceived risk is high, e.g. healthcare, large retail operations and payment processors, capacity for cyber risk is plentiful. A manufacturing client that doesn t hold a lot of records, for example, might find insurers willing to issue larger limits. After the Target data breach in 2013, there was a brief hard market for retail accounts, but conditions have eased somewhat. Insurers remain cautious about writing risks where a business holds a large amount of credit card data. Cyber liability insurers in general are controlling risks in their books through sublimits and deductibles. Capacity for cyber risks appears to be increasing as insurers see a big opportunity to grow their market share. Despite the sharply higher interest in cyber insurance, relatively few businesses have purchased the coverage up to now a situation that is certain to change as trends continue. One way to view the opportunity for growth in cyber insurance is that if only 10% of U.S. businesses are buying cyber coverage, then 90% aren t. There are literally billions of dollars in potential premiums that haven t yet been written. Pricing becoming favorable For small businesses, the price of cyber coverage for many classes seems to be going down, while coverage is increasing. For organizations with fewer than 100 employees, prices are coming down, deductibles are decreasing and coverage limits are going up. Coverage can still get pricey for medium to large businesses and certain higher-hazard classes, however. For medium size businesses, insurance is not as expensive as many business owners might expect. A lot of businesses can buy cyber coverage for $2,000 to $10,000 in premium. But it depends on the exposure, which can vary even among companies with the same amount of revenue. A manufacturer, for example, might hold 5,000 records, while a restaurant producing the same level of revenue might hold half a million credit card records. Their risk profiles are clearly different, and so will be the premiums on their coverage. Overall, prices for cyber coverage at renewal aren t dropping across the board, but sublimits are starting to go away and capacity is available. For example, exclusive facilities at CRC Insurance Services can provide up to $60 million in combined limits, along with breach response services. Services are critical to policy value Businesses that purchase a cyber policy essentially are buying two things: Insurance. The exchange of premiums for cyber risk gives policyholders monetary assets to cover the financial elements of an incident. Expert services. In addition to the underwriting and claims expertise of the insurance company, many but not all -- cyber policies include access to legal, forensic and other services to respond to a cyber incident. 5

8 Those services greatly increase the value of a cyber insurance policy because breach response services are expensive to obtain separately. Legal fees alone could exceed the cost of the coverage. Insurance companies have spent hundreds of hours vetting and negotiating costs with the best cyber lawyers and forensic companies, providing them to policyholders at below-market rates. When a policyholder experiences a cyber incident, once the claim is reported the insurance company and its experts step in and take on the work to help the policyholder recover. Knowing what services are available as part of the policy, and which ones would be most beneficial to a given client s situation, is a competitive advantage for retail agents and brokers. Cyber market evolution Cyber insurance is still evolving, but it is following a development path that has been seen before. The current phase cyber insurance products resembles that of employment practices liability policies more than 20 years ago. In the early 1990s, EPLI was a new product that attracted a lot of interest. Many employers considered it, just as companies are doing now with cyber, trying to assess how much of the specialized coverage they should buy. Similarly, it took underwriters time to develop consistent terms and pricing to refine the product, but that happened after a few years. Subsequent changes in the regulatory environment made EPLI even more attractive. Today, EPLI is purchased by a majority of businesses. The first cyber insurance solutions appeared in the late 1990s. The earliest forms of coverage were for technology errors and omissions liability, then products evolved to cover network security. Now, the cyber insurance marketplace is providing extensive coverage for data breaches. As businesses exposures to technology risks have evolved, so too have the products designed to protect them. 6

9 PLACEMENT CONSIDERATIONS Even though insurers appetite for cyber risk is generally high and capacity is available, differences in policies and restrictions on certain classes of business require careful consideration to obtain the best placements. There are perhaps 50 or so markets currently offering cyber insurance. For higher-hazard classes, such as large retail merchants or healthcare entities, the number of markets willing to quote is much smaller. Product offerings continue to evolve and the market overall is fluid. Some markets offer coverage for first-party losses, such as the cost to conduct a forensic investigation, public relations, credit monitoring and notification. Others provide coverage for third-party liability and some markets don t; still others have sublimits on third-party losses. Up-to-date knowledge of the marketplace is critical to successfully placing the best coverage for a client. Retail agents and brokers need to be familiar with the options before talking with their customers. Understanding the nuances in cyber insurance products is challenging, however, because policy forms are different from insurer to insurer. A cyber policy can be 20 to 40 pages long, and terms are not consistent across policies. For example, what one underwriter calls e-threat, another might call cyber extortion. Privacy protection and breach cost coverage can be defined differently, depending on who is underwriting it. A property policy, in contrast, is straightforward and easy to understand because the vast majority of definitions are uniform. In cyber, however, quotes may look the same but coverage levels may be vastly different. Mapping the differences in cyber insurance is not a simple process, but relying on an expert partner that understands many different coverage forms, as well as the intent of the underwriters, is a smart move. For example, many agents and insureds assume that circumstances of social engineering involving voluntary transfers of funds is covered by their crime policies under computer fraud, but it s not. To ensure coverage, it typically needs to be endorsed on either the crime or the cyber policy. Cyber-attacks don t occur during regular business hours. Cyber extortion coverage is critical to respond to ransomware demands that can paralyze operations. Brokers need to ask customers if they are prepared to respond to these demands and partner with carriers with proven track records that can respond immediately to cyber extortion demands. 7

10 Large, publicly traded companies tend to be very attuned to cyber exposures because they are in the headlines. Their boards may have a number in mind as to how much in coverage limits they want and it becomes an exercise in how much do they want to pay to have $10 million, $20 million or $50 million in coverage. For smaller and midsize clients, cyber risk is on their radar but these buyers often seek only $1 million, $3 million or $5 million in limits. Businesses needing a ready source of broad cyber liability coverage can access up to $10 million in limits through CRC s exclusive Corona facility. This facility provides cyber liability and technology E&O liability coverage for U.S. businesses with up to $200 million in revenue. Midsize and large businesses can obtain up to $50 million in limits for cyber liability from a new, exclusive CRC facility under-written in London. The facility is open to most classes of business. Pricing, sublimits vary The marketplace remains unaligned on pricing, retentions and sublimits, as insurers continue to evaluate them. For example, a policy with a $1 million limit may have a $250,000 sublimit on notification and cost $4,000; another insurer may charge $7,000 for a policy with a $1 million limit; and depending on class of business, that same level of coverage from a different insurer might cost $12,000. Sublimits indicate where insurance carriers are concerned about loss. Large, global insurers tend to sublimit their cyber policies, while the London market s approach is generally to offer full limits. For that reason, placing a tower of cyber coverage or seeking excess coverage typically is easier to do in London. Some package policies include cyber coverage, but they usually contain a small sublimit, such as $25,000. That amount could easily be consumed by the forensic costs involved in a breach of as little as 100 records. Understanding the client s exposure and resources in a breach incident is critical to obtaining adequate coverage. Exclusions need to be parsed out in the different policies available to small and midsize businesses. For example, some insurers exclude coverage for unencrypted mobile devices, and others exclude coverage for failure to maintain information technology systems. There is a heavy burden on business owners to be consistent. 8

11 SUMMARY Cyber insurance products are complex, and there is no one-size-fits-all solution for cyber risk. Even though the marketplace is generally eager to write cyber coverage, product offerings vary widely, and there is no uniform set of terms or definitions. Partnering with a wholesaler that has relationships with multiple markets, knows the specific appetites of those markets and understands the differences in policy forms saves both time and money in obtaining the best coverage solutions for the policyholder. There are few insurance product lines where a mistake by the retail agent or broker can result in the loss of the entire account. Cyber liability is becoming one of those; the stakes are higher. It s easier to make an error in cyber because every policy is different. One quote might look great, but another company might offer a lot of services for free. Regardless of size, the client needs help with cyber coverage. An agent or broker can t provide a lesser product or less service when it comes to protecting a client against cyber risk. 9

12 NOTES i Identity Theft Resource Center, 2015 Data Breach Reports, ii National Small Business Association 2013 Technology Survey, pdf iii NetDiligence 2015 Cyber Claims Study, iv Ponemon Institute LLC, 2015 Cost of Cyber Crime Study, v Payment Card Industry Security Standards Council, PCI DSS Quick Reference Guide, PCIDSS_QRGv3_1.pdf vi National Conference of State Legislatures, Security Breach Notification Laws, CRC Insurance Services, Inc. CA Lic No No claim to any government works or material copyrighted by third parties. Nothing in this communication constitutes an offer, inducement, or contract of insurance. Financial strength and size ratings can change and should be reevaluated before coverage is bound. This material is intended for licensed insurance agency use only. This is not intended for business owner or insured use. If you are not a licensed agent please disregard this communication. Equal Opportunity Employer Minority/Female/Disabled/Veteran. 10