This fall, Equifax revealed that hackers had stolen more than half the U.S. population’s Social Security numbers earlier in the year.
Beyond the public fallout, the breach will have significant effects on industries throughout the country—not least of all insurance. But in a market as young as cyber, it’s still too early to predict the full impact of the Equifax breach.
“We’re still in the infancy of this coverage,” says Karen Johnston, technical commercial consultant—staff underwriting at Nationwide Insurance. “With cyber, we really don’t have the aggregation of data like we do in the other lines of coverage. There could be large aggregate losses stemming from one major event. There are a lot of unknowns.”
But while “Equifax may have impact on larger account premiums,” says Anthony Dagostino, global head of cyber risk at Willis Towers Watson, “it’s going to have more of an impact on underwriting scrutiny. You’ll see more questions around patch management and asset protection.”
For your average small to midsize business, then, “it’s still going to be competitive,” says Dagostino, who notes that at least 60 carriers are currently vying for cyber business. “The underwriters see that as more of a quantifiable risk—these types of companies usually aren’t holding millions and millions of records.”
“Pricing will likely decrease in the middle market, depending on how quickly coverage expands in the next six months,” agrees Dan Burke, cyber and technology product head at Hiscox USA. “It’s a little hard to say, because in the cyber marketplace, the coverage is expanding rapidly. As that continues to happen, that helps dictate pricing a little bit.”
“There’s always going to be that next coverage that carriers are going to put out there to try to differentiate themselves,” agrees Eric Cernak, vice president at Hartford Steam Boiler. “That will command additional premium.”
Distinguishing Coverage Options
What will that “next coverage” entail? As cyber exposures continue to unfold, insurers are scrambling to provide solutions to fill the gaps. Here are a few of the most important types to secure for your clients:
DATA BREACH. Whether a breach involves personal or business information, it usually requires notification as mandated by state laws, as well as potential third‑party exposures that could put your client on the wrong end of a lawsuit—and data breach insurance covers the associated costs, Cernak explains.
On the first‑party side, “once you discover you have a breach, you might incur forensics to figure out what information was accessed, you may incur public relations costs, credit monitoring costs, customer notification costs,” says Brian Thornton, president of ProWriters.
On the third‑party side, “you may have things like defense costs or cyber counsel to defend you, or you may find regulatory coverage should there be any sort of investigation, which covers defense costs as well as potentially any fines or penalties that are insurable,” Thornton continues.
Nick Economidis, underwriter at Beazley, adds that some data breach policies include coverage for data restoration—“the cost to recreate or restore data that has been damaged or corrupted through a failure of computer security”—while others may include coverage for costs associated with crisis management or things like a call center to take consumer phone calls.
“Some people will argue, ‘I don’t have personally identifiable information, so I don’t really have a cyber exposure,’” Cernak says. “But almost every business today runs a computer of some sort. You’ll see computer systems‑type coverage, and that can cover things like restoring your lost or corrupted data, restoring your IT systems, reconfiguring those systems. It may also include network security liability, so if someone gets in and corrupts your data but then also propagates that malware to a third party and causes them harm.”
And note that because data breach coverage is the longest‑standing piece of the cyber insurance puzzle, “more and more, it’s an arms race from a limits standpoint—moving to higher sublimits or removing them altogether,” observes Matt Cullina, CEO of CyberScout, an ID theft resolution data breach management firm.
RANSOMWARE/EXTORTION. A cyber extortion threat could involve any number of scenarios—maybe someone threatens to release sensitive data, or perhaps they infect systems with malicious code that encrypts data. “In order to get the code to unencrypt the data, you have to pay them a ransom,” Economidis explains.
Until recently, most insurance companies weren’t comfortable playing in the cyber extortion space. “Insurers don’t like to pay ransom—they think of it as a moral issue,” Cullina says.
“The concern is that even if you pay off the extorters, are they going to be honorable? Will they free up your system if they paralyze it or lock it down? Once you pay them off, will they be back for more money next week?” points out Alex Wayne, president & CEO of A.J. Wayne & Associates, Inc. in Chicago.
But today, ransomware is “the No. 1 type of cyber event, hands down, across all markets—consumers, small business, large markets,” Cullina says. “Ransomware is where the highest frequencies are.”
“Out of necessity,” Cullina says, more and more cyber insurers are starting to offer ransomware coverage, which typically first pays for a forensic investigation to determine whether the business can withstand the ransomware attempt and recover from it without paying a ransom. Then, “more and more insurers also provide dollar coverage to pay the ransom in bitcoin or whatever it may be, if the business determines that’s their only option,” he explains.
Interestingly, anti‑terrorist law prevents many insurance companies from making direct payments to extorters—but there’s a loophole. “If the insurance company is going to pay the extorters off, they can basically front the money to the insured so the insured is the one who makes the actual exchange,” Wayne explains.
CYBERCRIME. Also known as social engineering, cyber deception, fraudulent instruction and business email compromise, cybercrime is one of the fastest‑growing exposures in the cyber realm. Whether a criminal is tricking an employee into wiring funds to the wrong account or sending them a link or attachment that contains malware, cybercrime is particularly dangerous because it involves “the human element, which is always the weakest link in the cybersecurity chain,” Burke says.
It’s still early for these types of solutions—“those coverages are generally going to be sublimited at $100,000 or maybe $250,000, and they’re usually add‑ons usually endorsements,” Wayne says. “But it’s becoming the norm vs. something you have to ask for. If it’s not on the policy, you’re probably placing coverage that’s not robust enough, based on what we’re seeing from the market leaders.”
Cernak adds that some clients may already have coverage for this type of exposure under a crime insurance policy: “You really need to look at the other lines of business the insured may have as part of their overall protection program, because they may already have elements of cyber through other policies.”
“A lot of these phishing‑type events are a cross between a crime claim and a cyber claim, and the insurance markets can address it on a cyber policy or a crime policy,” Thornton agrees. “But often we see that the limits available in the market don’t necessarily meet the demand from clients. Being able to get the limits in place for that is important.”
BUSINESS INTERRUPTION. “This is an area that has really been expanding quite rapidly over the past 6‑12 months,” Burke says. In response to the prominence of hacking incidents that cause a systems failure for an insured’s network, the coverage pays the income and profit loss sustained during the time their network is down and they’re not able to operate, he explains.
Originally, cyber business interruption coverage was designed for, say, an online retailer that needed protection in case their website went down for a few days and they couldn’t make money, Thornton says. “Now, with ransomware viruses or malware that go around and shut down many companies at once, that could have a much larger impact.”
Thornton cites an incident in which a cyberattack forced a major shipping company to shut down for days—resulting in an estimated $200 mil-lion in damages. “That’s a big difference from what the policies were originally designed for,” Thornton says.
When placing cyber business interruption coverage, read the policy language carefully. “Some carriers still only offer coverage for online revenue disruption, whereas others would extend that to your entire business interruption,” Thornton cautions.
The next frontier in this space will be dependent business interruption, Thornton predicts: “If you outsource some of your critical operations to a third party like a cloud provider, if they were to go down, that could cause you a material damage to your business.”
Streamlining the Risk
If you’ve ever secured cyber insurance for any client, you already know one of the biggest challenges in this market is the lack of standardization between policy forms. Economidis says it’s “apples to oranges”—it’s not even just the enormous coverage differences, but stuff you’d normally expect to stay the same, like the phrase a carrier uses to refer to a specific loss cause or the definition of a term that seems like it should be straightforward.
“The coverage is still definitely different across the board,” Burke says. “Primarily data breach and extortion coverage will be included in the base form, but the cybercrime stuff is typically added by endorsement, and some of the enhancements to business interruption will be added by endorsement as well.”
In the years ahead, Cullina expects differences to “iron out” as insurers adopt more coverage standards across the marketplace. The resounding theme? More, more, more. “The evolution we’re starting to see is that large market coverages are starting to go downstream,” he says. “We're seeing higher and higher limits while prices are being driven down, because there are more markets out there to choose from, and more robust coverage.”
Even a year or two ago, “some of these accounts had fairly low sublimits for things like regulatory or PCI or forensics, but now in the small to midsize space, most of those policies would have full limits on those coverages,” says Thornton, who expects that trend to continue. “You’re almost forced to market the smaller accounts more often to make sure they’re in line with what’s available in the market.”
For example, Wayne expects full prior acts coverage to become standard across policies. “When cyber coverage is written on a retroactive date inception basis, no wrongful act is covered prior to that date. But you may have malware embedded in your system for six months before it surfaces,” he explains. “Market leaders are stepping up and providing full prior acts, which means if you buy a policy today and you find out you had a breach three months ago, that would be covered as long as it was not a known circumstance.”
Whether they sublimit sensitive coverages like forensics costs or ransomware, or deny coverage altogether based on the cause of a breach, coverage restrictions in general are likely not long for this world.
“Let’s say a big payroll processor goes down and exposes many businesses’ employees’ data. Sometimes the policy will only cover the event if it originates from the business itself, not from one of these big catastrophic events,” Cullina points out. “Those types of policies will be less desirable. If you want to be competitive in a market where the insured is relatively unsophisticated about the details of their coverage, you can’t be so restrictive.”
And as coverages expand, so do your duties—and potential positive impact—as an adviser. As Cullina says, “there are so many different types of cyber insurance, and that places the burden on an expert to help the business make the right decision.”
Jacquelyn Connelly is IA senior editor.