Looking for cyber liability coverage? These days, agents have to look no further than a businessowners policy.
Rick Betterley, president of Betterley Risk Consultants, says one of the biggest trends in cyber coverage is it’s becoming an add-on in BOP and other standard lines, whether it covers just breach notification or is more extensive to cover liability and breach response.
And the trend of more coverage availability dovetails with the increasing demand for cyber protection across all types of businesses.
“From small mom-and-pop stores through large sophisticated Fortune-100 companies, we’re continuing to see an uptick in companies buying coverage,” says Tim Francis, enterprise cyber lead for Travelers.
Why the increase?
“Agents are becoming more aware of the breadth and depth of coverage available in the marketplace, and risk managers are more aware that cyber-related issues are not just the kind of thing that can affect very large companies, but have a material effect on smaller companies,” he says. “In the large company space, despite the fact that they have well-resourced IT departments, there is no IT department that is without vulnerability.”
With more expanded products and enhancements, David Derigiotis, assistant vice president,
special risk division-professional liability for Burns & Wilcox, says pricing for cyber coverage has “come down dramatically.”
Betterley agrees there is a lot of carrier competition in the stand-alone cyber market, and though he says he doesn’t think premiums are necessarily going down, “there are a lot of discussions going on.”
Betterley points out that, especially for smaller businesses, cyber coverage is not price prohibitive.
“For $120 a year, you can add on cyber coverage for breach response plus third party—somebody paying a few thousand dollars a year for a BOP ought to look at that and say it’s a no-brainer,” he says.
But Betterley points out that cyber is different than most areas of insurance other than crime because people are being actively hostile.
“Having your warehouse burn down most likely wasn’t done for a profit,” he says. “With cyber, people are trying to steal valuable information. If they don’t figure out a way to penetrate your insureds’ data today, they will try again tomorrow. How do you measure that risk? And it’s evolving as we’re talking. What I don’t know is if it is priced appropriately.”
Francis concedes that relative to other coverages, cyber is still less mature in terms of the industry loss data that shapes pricing.
“But I think you have seen over the last few years a little more consistency in terms of pricing and coverage,” he says.
One of the latest cyber enhancements, Derigiotis says, is covering PCI fines—the fines issued by credit card companies to retailers who are non-compliant with sensitive customer data and receipt storage.
“For any retail business that accepts credit cards, receipts have to be stored in a certain way,” he says. “Once word gets out to the payment card industry that you’ve had a breach, they could fine you. And if you’re doing it wrong for one person, you could be doing it wrong for a lot of people—and it could be a pretty hefty fine.”
Betterley also points out that cyber is expanding in value-added services that are not a part of the actual policy but provide a real benefit to the insured. Risk management services—such as breach response plan templates, state-specific information on who has to be notified in a breach and discounted response services—fall outside the actual coverage, but they help insureds from having a claim in the first place.
“For the agent, it’s a really good part of the sales presentation,” he says. “If the insured says, ‘I get insurance plus these other services’, the premium seems more reasonable.”
On the Horizon
Risk management will be the focus of the next evolution of the stand-alone cyber policy, says Betterley.
“Conceptually I liken it to having sprinklers,” he says. “In a cyber world, that includes products and services that help prevent a breach.”
Just last week, AIG announced that CyberEdge policyholders who qualify will have access to AutoShun, a third-party hardware device that sits between a customer’s firewall and the external Internet to help stop a cyber attack in real time.
Francis says the industry will keep evolving with cyber risk, and that agents need to stay current and choose the right partners.
“The ways customers use technology changes exponentially and the exposures keep pace,” he says. “Be aware of the current state of the market and customer needs but keep an eye out for changing developments. And make sure you have partnered with carriers who will do the same.”
Katie Butler is IA editor in chief.