Cyber Insurance Survey Prepared for ISO November 2014 In the following report, Hanover Research presents the results of an online survey gauging insurance industry interest in cyber security and the prevalence of cyber security policies. The survey sample includes 271 respondents, and the survey was conducted in August, 2014.
TABLE OF CONTENTS Executive Summary and Key Findings... 4 INTRODUCTION... 4 KEY FINDINGS... 4 METHODOLOGY... 6 Section I: Respondent Data... 7 COVERAGE PRESENCE... 7 Segmentation by Cyber Security Personnel... 8 Segmentation by Commercial Premiums... 9 COVERAGE OFFERED... 9 Segmentation by Growth Expectations... 10 Segmentation by Cyber Security Personnel... 11 Segmentation by Cyber Security Personnel... 12 Section II: Cyber Security Market... 14 MARKET COVERAGE... 14 Segmentation by Commercial Premiums... 15 Section III: Cyber Security Perceptions... 16 RISKS... 16 Segmentation by Growth Expectations... 16 CHALLENGES... 17 Segmentation by Commercial Premiums... 18 HAZARDS AND INFORMATION... 18 Segmentation by Commercial Premiums... 20 Section IV: Company Information... 21 PERSONNEL... 21 Segmentation by Commercial Premiums... 21 FEATURES... 22 Segmentation by Cyber Personnel... 23 Section V: Respondent Characteristics... 26 JOB FUNCTION... 26 JOB LEVEL... 26 Project Evaluation Form... 27 2014 Hanover Research Market Insight Center 2
2014 Hanover Research Market Insight Center 3
EXECUTIVE SUMMARY AND KEY FINDINGS INTRODUCTION The cyber security insurance industry is small but growing. Although the vast majority of companies direct written premiums for cyber insurance are less than $10 million, those that do currently offer it expect the market to grow. At the same time, there is room to be optimistic, as the majority of people who currently do not offer cyber security insurance feel their company will or might offer it in the near future. Hanover Research administered an online survey of insurance company employees in August, 2014. The sample includes a total of 271 respondents. Only respondents whose companies offer cyber security insurance qualified to complete the entire survey (115 of 271). Respondents from companies not currently offering cyber security insurance were asked if their respective companies plan on instituting cyber policies within the next 12 months. Section I focuses on the current prevalence of cyber security insurance and the policy forms it takes. Section II discusses the current structure of the cyber security market. Section III investigates perceptions of the significance, risks, and challenges of cyber security insurance. Section IV details responding company demographics. Section V describes demographic characteristics of the respondents. KEY FINDINGS Less than half (46 percent) of respondent companies currently offer cyber security insurance coverage, but a majority will in the next year. o Of those not offering coverage currently, (11 percent) will begin offering it in the next 12 months. o Further, many respondents not offering cyber insurance currently (47 percent) speculate that their companies may offer cyber insurance in the next 12 months. Among companies that offer cyber coverage, 91 percent offer it in the admitted market. o Nearly three-quarters of respondents companies offer cyber coverage exclusively in the admitted market, while a small minority offers coverage in only the excess and surplus market. o The admitted market offers a more stable platform to implement cyber coverage policies. 2014 Hanover Research Market Insight Center 4
o Of companies currently offering cyber coverage, the majority expect to offer more cyber security coverage in the coming year. Over half expect a growth rate of between 1 and 25 percent, and nearly a quarter expect growth of 25 percent or greater. o The companies that do not expect growth in the future seem to specialize in the most common areas of cyber insurance coverage. Those that do expect growth have a wide variety of cyber insurance offerings. o Around a quarter of respondents expect their companies to underwrite the same amount of cyber insurance coverage in 2015, when compared to 2014. o Future growth is expected throughout the industry in the coming years, partly in response to several recent large data breaches involving financial and cloudbased services. Data breaches are considered the most serious cyber risk facing businesses today. o However, over a third of respondents believe cyber crime to be more dangerous than data breaches. o These two are not mutually exclusive events, and may be coterminous should they occur. Many (40 percent) believe the greatest challenge in selling cyber insurance is that many companies simply don t think they need it. o Additionally, nearly 30 percent agree that companies choose not to purchase coverage because they believe they already possess cyber insurance within their plans. o The apathy toward the need for cyber insurance worries those in the industry. A majority (51 percent) of companies have no staff dedicated solely to draft cyber insurance policies. Nearly a third have a small staff of 1 to 5 people. o A majority (69 percent) of medium-sized companies do not have a dedicated staff to underwrite cyber security insurance. o A majority (57 percent) of smaller companies have at least one staff member. o Nearly 30 percent of large companies have a substantial staff of 11 or more people working to draft cyber insurance policies. 2014 Hanover Research Market Insight Center 5
METHODOLOGY Throughout the analysis, usable partial responses are analyzed alongside complete responses, so sample sizes vary among questions. Responses are segmented into three categories, based upon observed, relevant data. The Growth Expectation segment is broken up by respondents expectations of underwriting more or less cyber insurance in 2015, relative to 2014. The Cyber Personnel segment is categorized by the number of people dedicated to underwriting standalone cyber insurance policies in the respondents companies. The Commercial Premiums segment is divided by the range of 2013 direct written premiums (DWP) for commercial lines insurance in respondents companies. This report highlights differences among respondents where those differences are both statistically significant and substantively different. None or not applicable in the survey responses are not recorded in the segmentations. 2014 Hanover Research Market Insight Center 6
SECTION I: RESPONDENT DATA This section presents survey results related to the presence and form of cyber security insurance coverage among insurance companies. COVERAGE PRESENCE Slightly less than half of respondents employers offer cyber insurance. For those who indicated they did not offer cyber insurance, they were asked if they plan to offer it in the next 12 months (and were then screened out of the survey). Their responses are visible in Figure 1.1 below. Figure 1.1: Do you currently offer some form of cyber insurance coverage? If not, do you plan to offer coverage in the next 12 months? (N=271) Yes 46% No 54% No 42% Yes Maybe 47% Among those respondents who do offer cyber insurance, a vast majority (92 percent) provide coverage via some form of roll-on optional endorsements, such as a business owner policy (BOP) or a professional liability policy. Eight percent exclusively use a standalone cyber insurance policy, while 29 percent of respondents companies offer both (see Figure 1.2). 2014 Hanover Research Market Insight Center 7
Figure 1.2: Do you provide coverage via one of the options below? (N=115) A Stand-Alone Cyber Insurance Policy 8% Roll-On Optional Endorsements 63% Both Approaches 29% SEGMENTATION BY CYBER SECURITY PERSONNEL Respondents are segmented into categories based on whether their respective companies hosted a job position dedicated to underwriting standalone cyber insurance policies. For companies without such a position, not one used a stand-alone policy. A vast majority of those companies used roll-on optional endorsements. In contrast, for companies employing at least one person, a majority use both stand-alone and roll-on policies. This contrast is evident in Figure 1.3. Figure 1.3: Do you provide coverage via one of the options below? (N=115) None One or More 10 9 8 7 6 5 4 3 2 1 A Stand-Alone Cyber Insurance Policy 93% 25% Roll-On Optional Endorsements 7% 64% Both Approaches 2014 Hanover Research Market Insight Center 8
SEGMENTATION BY COMMERCIAL PREMIUMS Respondents are segmented by the range of their companies Direct Written Premiums (DWP). While a majority of respondents, segmented as such, used roll-on optional endorsements, a statistically significant variance exists for those whose DWP is between $250 million and $1 billion. Those that have DWP less than $250 million or greater than $1 billion are more likely to use both approaches. Figure 1.4: Do you provide coverage via one of the options below? (N=115) Less than $250M $250M to $1B Greater than $1B 10 9 8 7 6 5 4 3 2 1 6% A Stand-Alone Cyber Insurance Policy 61% 89% 56% Roll-On Optional Endorsements 39% 28% Both Approaches COVERAGE OFFERED Nearly 80 percent of respondents companies offer first-party coverage for data breach expenses. As shown in Figure 1.5, a majority of companies also offer data restoration and replacement, business interruption and losses, and public relations expenses coverage. Cyber extortion and cyber reward policies are only offered by a small percentage of companies surveyed. 2014 Hanover Research Market Insight Center 9
Figure 1.5: Do you offer first party coverage for any of the following? (N=78) 10 8 6 79% 63% 6 51% 4 2 18% 14% 8% SEGMENTATION BY GROWTH EXPECTATIONS Respondents are segmented into categories based on their 2015 expectations of underwriting more or less cyber insurance coverage than in 2014. When approached with the same question as above, those companies that don t expect growth in the next year specialize in the most common coverage options. Meanwhile, the companies that expect to see high growth next year offer a variety of options, and are more likely to offer cyber reward insurance (33 percent). When asked to specify other coverage, respondents listed business computer coverage, security breach extortion, and legal coaching. 2014 Hanover Research Market Insight Center 10
Figure 1.6: Do you offer first-party coverage for any of the following? (N=78) Unchanged Medium Growth High Growth 10 8 6 4 2 87% 78% 73% 71% 67% 68% 6 6 5 53% 44% 39% 16% 47% 33% 6% 6% 8% 7% SEGMENTATION BY CYBER SECURITY PERSONNEL When segmented by personnel, those with no dedicated cyber policy staff specialize in the most popular forms of coverage, while those companies with dedicated policy personnel offer a more diverse portfolio of coverage. This point is illustrated in Figure 1.7 below. Figure 1.7: Do you offer first-party coverage for any of the following? (N=78) 10 8 6 4 2 None One or More 96% 82% 63% 59% 64% 68% 56% 39% 33% 29% 14% 4% 4% 2014 Hanover Research Market Insight Center 11
Regarding third-party coverage, an overwhelming majority of companies, 91 percent, offer data breach liability. A little more than a third of companies offer network security and technology services liabilities as well. Other responses include, but are not limited to, regulatory defense, penalty costs, and legal expenses. Figure 1.8: Do you offer third-party coverage for any of the following? (N=78) 10 9 8 91% 7 6 5 4 3 2 1 Data Breach Liability 34% 34% Network Security Liability Technology Services Liability 27% Media Publishing Liability 14% Social Media Liability Other SEGMENTATION BY CYBER SECURITY PERSONNEL Companies segmented along personnel lines show the popularity of data breach liability. Despite a few outliers, insurance companies with no dedicated cyber policy personnel exclusively offer data breach coverage. Meanwhile, those with personnel offer far more liabilities, but nearly all offer data breach liability. The 18 percent answering Other are uncertain of their company s policies. 2014 Hanover Research Market Insight Center 12
Figure 1.9: Do you offer third-party coverage for any of the following? (N=78) None One or More 10 96% 88% 8 6 57% 48% 48% 4 3 2 Data Breach Liability 12% Network Security Liability 6% 6% Technology Services Liability Media Publishing Liability Social Media Liability 18% 4% Other 2014 Hanover Research Market Insight Center 13
SECTION II: CYBER SECURITY MARKET This section presents survey results related to the current and future market coverage of cyber insurance policies, as per respondents respective companies. MARKET COVERAGE Companies offer cyber insurance coverage mostly in the admitted market (91 percent). Nearly three quarters (74 percent) of respondents companies offer cyber coverage exclusively in the admitted market, while a small minority offers coverage in only the excess and surplus market. Seventeen percent of companies cover both markets. Figure 2.1: In which of the following insurance markets do you offer cyber insurance coverage? (N=77) Both Admitted and E&S Markets 17% Excess and Surplus Market 9% Admitted Market 74% Around a quarter of respondents expect their companies to underwrite around the same amount of cyber insurance coverage in 2015, when compared to 2014. Interestingly, no respondent believes that coverage will decrease. Over half expect a mild growth rate of between 0 and 25 percent and nearly a quarter expect growth of 25 percent or greater. From this data, Hanover sees cyber security playing an increasingly larger role in the overall policies and structure of insurance companies. 2014 Hanover Research Market Insight Center 14
Figure 2.2: In 2015, do you expect to underwrite more or less cyber insurance than in 2014? (N=77) 25% 2 15% 25% 14% 21% 17% 13% 1 5% Less About the Same -5% More 5%-15% More 15%-25% More 25%-5 More SEGMENTATION BY COMMERCIAL PREMIUMS When segmented by the range of DWPs, the larger the premium, the lesser the expectation of growth. A third of companies with premiums greater than $1 billion expect to see the same amount of insurance in 2015. Nearly half of companies with premiums between $250 million and $1 billion expect to see at least 15 percent growth. Those corporations with a DWP of less than $250 million expect a more equal distribution of cyber policy growth. Figure 2.3: In 2015, do you expect to underwrite more or less cyber insurance than in 2014? (N=77) 5 Less than $250M $250M to $1B Greater than $1B 4 3 2 1 33% 17% 16% 16% 17% About the Same 22% 32% 21% 22% -5% More 5%-15% More 15%-25% More 17% 5% 17% 25%-5 More 22% At Least 5 More 2014 Hanover Research Market Insight Center 15
SECTION III: CYBER SECURITY PERCEPTIONS This section presents survey results related to the perceptions respondents have of the market regarding cyber security risks, challenges, and hazards. RISKS A majority of respondents believe that the greatest cyber risk facing businesses today is in the form of a data breach (51 percent). In contrast, over a third of respondents believe cyber crime to be more dangerous than data breaches. Though, these two are not mutually exclusive events, should they occur. Figure 3.1: Which of the following do you think is the greatest cyber risk facing businesses today? (N=73) 75% 6 51% 45% 33% 3 15% 8% Data Breach Cyber Crime Business Interruption 5% Cyber Extortion 3% Supply Chain Interruption SEGMENTATION BY GROWTH EXPECTATIONS When segmented by growth expectations, respondents offer contrasting thoughts on cyber security risks. Two thirds of those who expect zero and two thirds of those that expect high growth believe data breaches to be the greatest risks. Meanwhile, a plurality of those who expect to see medium growth in the coming year believe cyber crime to be a greater threat. However, more than a third of those expecting medium growth do see data breaches as the primary threat. 2014 Hanover Research Market Insight Center 16
Figure 3.2: What is the greatest cyber risk facing businesses today? (N=73) Unchanged Medium Growth High Growth 75% 6 67% 65% 45% 3 37% 28% 39% 24% 15% 6% Data Breach Cyber Crime Business Interruption 6% 8% 6% Cyber Extortion 5% Supply Chain Interruption CHALLENGES 40 percent of respondents believe the greatest challenge in selling cyber insurance is that many companies don t think they need it. Additionally, nearly 30 percent agree that companies choose not to purchase coverage because they believe they already possess cyber insurance within their plans. Those who responded Other listed lack of understanding and affordability as the greatest challenges. Figure 3.3: What do you think is the biggest challenge in selling cyber insurance? (N=73) 5 4 4 3 29% 2 1 12% 1 3% 7% Companies don't think they need it Companies believe coverage is provided Premiums are too high Market does not offer sufficient coverage Quoting multiple limits/deductibles Other 2014 Hanover Research Market Insight Center 17
SEGMENTATION BY COMMERCIAL PREMIUMS When segmented by the range of DWPs, companies with larger and smaller premiums believe apathy to be the greatest challenge in selling insurance. Conversely, those who work at medium range companies fear that companies will not purchase coverage because they are unaware that cyber coverage is not provided in their current plans. Figure 3.4: What do you think is the biggest challenge in selling cyber insurance? (N=73) 75% Less than $250M $250M to $1B Greater than $1B 6 56% 5 45% 37% 3 26% 28% 22% 21% 15% 6% 6% 5% Companies don't think they need it Companies believe coverage is provided Premiums are too high Market does not offer sufficient coverage Quoting multiple limits/deductibles Other HAZARDS AND INFORMATION When asked which classes they consider to be the most hazardous to insure, nearly three quarters of respondents are evenly split among credit card payment processors, financial institutions, and national retail chains. This breakdown is illustrated in Figure 3.5. 2014 Hanover Research Market Insight Center 18
Figure 3.5: Which of the following classes do you consider to be the most hazardous to insure? (N=73) 25% 25% 23% 23% 2 15% 14% 1 5% 7% 5% 3% Credit Card Payment Processors Banking / Other Financial Services National Retail Chains Hospitals / Health Care Systems Colleges and Universities Health Information Exchanges Other When asked about what information they consider to be the most important when underwriting cyber risks, respondents state that enterprise risk management philosophy and the nature of stored records or data are the two most important. Figure 3.6: Which information do you consider to be the most important when underwriting cyber risks? (N=73) Enterprise Risk Management Philosophy 25% Nature of Records or Data Stored 23% Security Tests and Audits 16% Updated Network Security/Firewall 15% In-house or Outsourced IT Services 5% Volume of Records or Data stored 4% Regulatory and PCI Compliance 4% Encryption 3% Other 4% 5% 1 15% 2 25% 2014 Hanover Research Market Insight Center 19
SEGMENTATION BY COMMERCIAL PREMIUMS For those at companies with the greatest DWP, records or data stored was not important at all. Risk management philosophy was the most important for the largest companies. Figure 3.7: Which information do you consider to be the most important when underwriting cyber risks? (N=73) Greater than $1B $250M to $1B Less than $250M Nature of Records or Data Stored 6% 32% 39% Enterprise Risk Management Philosophy 21% 22% 28% Updated Network Security/Firewall 16% 17% Security Tests and Audits 17% 16% Regulatory and PCI Compliance 6% 5% 6% In-house or Outsourced IT Services 6% 5% 6% Volume of Records or Data stored Encryption 5% Other 17% 5% 1 15% 2 25% 3 35% 4 45% 2014 Hanover Research Market Insight Center 20
SECTION IV: COMPANY INFORMATION This section presents survey results related to the structure of an insurance company that offers cyber security insurance policy coverage. PERSONNEL Respondents were asked how many people in their respective companies are dedicated to underwriting standalone cyber insurance policies. Figure 4.1 below illustrates that a majority of companies have no staff to draft cyber insurance policies. For the rest, nearly a third have a small staff of between 1 and 5. Figure 4.1: How many people in your company are dedicated to underwriting standalone cyber insurance policies? (N=73) 75% 6 51% 45% 3 3 15% 7% 9% 4% 0 1-5 6-10 11-15 21+ SEGMENTATION BY COMMERCIAL PREMIUMS When segmented by DWP range, a vast majority (69 percent) of medium-sized companies do not have a staff to underwrite cyber security insurance. Conversely, a majority of smaller companies have at least one staff member, while large companies have a more even distribution. Nearly 30 percent of large companies have a substantial staff of eleven or more people working to underwrite cyber insurance. 2014 Hanover Research Market Insight Center 21
Figure 4.2: How many people in your company are dedicated to underwriting standalone cyber insurance policies? (N=73) Less than $250M $250M to $1B Greater than $1B 75% 69% 6 45% 3 43% 36% 5 29% 25% 21% 15% 7% 7% 6% 0 1-5 6-10 11-15 21+ 7% FEATURES A majority of respondents companies issue property and casualty insurance. While only 5 percent have a dedicated cyber unit. Figure 4.3: Which unit(s) in your company issue(s) cyber insurance? (N=73) 75% 74% 6 45% 3 15% 25% 25% 15% 5% 4% 2014 Hanover Research Market Insight Center 22
SEGMENTATION BY CYBER PERSONNEL When segmented by the size of personnel dedicated to underwriting standalone cyber policies, companies with at least one person on staff offer a wider range of coverage options. Figure 4.4: Which unit(s) in your company issue(s) cyber insurance? (N=73) None One or More 10 8 76% 71% 6 4 2 43% 14% 14% 36% 7% 14% 14% 7% 4% A majority (53 percent) of companies collaborate with a third-party service provider, as shown in figure 4.5. Figure 4.5: Do you collaborate with a third-party service provider for any of the following services? (N=71) 5 46% 4 3 28% 2 18% 1 7% Cyber Education and Post-Data Breach Pre-Data Breach Remediation Services Assessment and Preparedness Training Services Both None 2014 Hanover Research Market Insight Center 23
Most respondents learn about cyber security news and information through trade media and the national news, at 82 and 53 percent, respectively. Figure 4.6: How do you find out about cyber security news and information? (N=71) 10 8 82% 6 59% 4 4 2 24% 24% Trade Media National News Local News Cyber Security Cyber Security Firms Blogs 3% Other For a vast majority of respondents, their company s range of 2013 DWP for exclusively cyber insurance equaled less than $10 million. Figure 4.7: What was the range of 2013 Direct Written Premiums for cyber insurance for your company? (N=68) 10 8 8 6 4 2 1 6% 4% Less than $10M $10-$25M $25-$50M $50-$100M 2014 Hanover Research Market Insight Center 24
In contrast, there is a more evenly distributed range of 2013 DWP for commercial lines, with a third equaling less than $250 million. Figure 4.8: What was the range of 2013 Direct Written Premiums for commercial lines insurance for your company? (N=68) 5 4 3 33% 25% 2 15% 2 1 7% Less than $250M $250-$500M $500M-$1B $1-$5B Greater than $5B When asked to list the percentage of their company s commercial lines DWP for cyber insurance, a large portion listed one percent. The median and average is 3 percent. Figure 4.9: Approximately what percentage of your company's 2013 commercial lines Direct Written Premium was for cyber insurance? (N=67) 5 4 3 2 22% 3 18% 1 1 3% 3% 3% 1% 1% 1% 1% 1% 1%.001%.01%.025% 0.1% 0.25% 1% 2% 3% 5% 1 3 5 2014 Hanover Research Market Insight Center 25
SECTION V: RESPONDENT CHARACTERISTICS JOB FUNCTION Two thirds of respondents are underwriters for their respective companies. Figure 5.1: Which of the following best describes your job function? (N=68) Underwriting 66% Product Development/Research 13% State Filings/Regulatory Compliance 9% Actuarial Marketing Legal Analytics Other 4% 1% 1% 1% 3% 1 2 3 4 5 6 7 JOB LEVEL Respondents job levels are illustrated below. Other responses indicate underwriters. Figure 5.2: Which of the following best describes your job level? (N=68) Executive/Director 13% Other 6% Manager 25% Professional/Analyst /Staff 56% 2014 Hanover Research Market Insight Center 26
PROJECT EVALUATION FORM Hanover Research is committed to providing a work product that meets or exceeds client expectations. In keeping with that goal, we would like to hear your opinions regarding our reports. Feedback is critically important and serves as the strongest mechanism by which we tailor our research to your organization. When you have had a chance to evaluate this report, please take a moment to fill out the following questionnaire. http://www.hanoverresearch.com/evaluation/index.php CAVEAT The publisher and authors have used their best efforts in preparing this brief. The publisher and authors make no representations or warranties with respect to the accuracy or completeness of the contents of this brief and specifically disclaim any implied warranties of fitness for a particular purpose. There are no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or extended by representatives of Hanover Research or its marketing materials. The accuracy and completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice and strategies contained herein may not be suitable for every client. Neither the publisher nor the authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Moreover, Hanover Research is not engaged in rendering legal, accounting, or other professional services. Clients requiring such services are advised to consult an appropriate professional. 2014 Hanover Research Market Insight Center 27
For more information please send e-mail to cyber-risk@iso.com or call Verisk Customer Support at 1-855-859-8775 2014 Hanover Research Market Insight Center 28