At long last, most businesses are beginning to understand that cyber insurance is a necessity, not a luxury.
“All classes need it. It doesn’t really matter who you are, what you do—you have some exposure,” says Alex Wayne, president of A.J. Wayne & Associates, Inc. “Even if it’s only one record, you have some exposure because if that one record gets breached, you could potentially get sued as a result. There isn’t any discrimination from one class to another.”
As more of your clients start to buy this coverage, what can you tell them to expect in the years ahead?
Matt Prevost, cyber product manager, financial lines, Chubb, categorizes cyber classes into two segments: “those that bought previously—health care, retail, financial institutions—and then those that are realizing there’s real coverage, real exposure—energy, construction, real estate,” he says. “Where the opportunities lie is where the awareness continues to go up.”
Brian Thornton, president of ProWriters, adds that he sees many more professional service firms, law firms, manufacturers, construction companies, associations and nonprofits seeking out the coverage. “It’s been interesting to see because some of them are lower-exposure accounts, but they’re still interested,” he points out. “They might not have an enormous amount of exposure, but they want to protect their assets and they realize a claim could really impact them.”
For example, “a lot of nonprofits take donations via credit cards and aren’t really thinking about it, and at the end of the day it could be very damaging,” Thornton explains. And these apparently lower-exposure risks are ripe for competition, he adds, “where they can get the coverage at a reasonable price.”
Now that cyber is sweeping its way through commercial clients, the next frontier might be pushing it to your personal lines insureds as well. “I don’t think an individual in and of themselves would have a ton of cyber exposure to a third party,” Wayne says. “But what you’re seeing out there is coverage for individuals who may get breached—their personal lines policy would respond to some degree to cover them for their own personal breach. That’s something companies are going to use to differentiate themselves from the other carriers.”
“It’s actually a very prominent coverage that’s out there,” Thornton agrees. “Some carriers will essentially give the coverage as a part of their policy as an enhancement over the competition; some might give it as an add-on for a small additional premium.”
Typically, though, Thornton says a personal lines client might receive a sublimit of a small amount, maybe $25,000 in coverage. For a high net-worth personal lines client, cyber protection may be included as a base coverage, while on a standard personal lines policy, it may appear as an added endorsement for a low extra monthly cost.
“It’s kind of a white glove treatment where you can pick up a phone, call the number that’s designated and you’ll get somebody on the other end that’s an expert in helping you mitigate any sort of identity theft issues,” Thornton explains. “They’ll help you put a freeze on your account, they’ll help you call the right credit bureaus or send information out to repair your identity.”
Tech Check: EMV and the Cloud
Sooner than later, Thornton expects more consumers and businesses to migrate to the cloud for its storage capacity. “If you’re looking at a small to midsize business or even a larger business, you might say it’s better for them to outsource to the cloud, because at least a professional data storage and encryption technology firm is managing that data on their behalf,” he says.
At the same time, however, cloud storage “creates an issue on the carrier side of sort of an aggregation of risk if there was a breach at a cloud provider that affected multiple clients,” Thornton explains.
And then there’s the problem of misinformation: If your clients have data stored in the cloud, they might think they don’t have to worry about cyber liability. “I’ve had some people say to me that all their information’s on the cloud, so it’s protected up there and therefore there’s not much cyber exposure,” Wayne says.
They’re wrong. “Usually the cloud provider has a contract with their client—the company that’s putting the data up there—and that contract is usually very much slanted toward in the favor of the cloud provider instead of the client,” Wayne explains. “Just because you have information on the cloud—most cyber underwriters do not view that as a lesser exposure.”
If data stored in the cloud is breached, your client “is still going to have to provide notification, credit monitoring and all that because it’s their own data,” Wayne says. “The owner of the data is ultimately going to be responsible, whether it’s on the cloud or not.”
Another new technology that could have an impact in the cyber sphere: EMV, which all U.S. merchants should have adopted for in-person payments by Oct. 1, 2015. Designed to incentivize card security for merchants and reduce counterfeit fraud, this “EMV liability shift” transferred liability for counterfeit card-present transactions away from the issuer and onto merchants that are not EMV-compliant.
EMV, an acronym for EuroPay, Mastercard and Visa, refers to chip technology embedded in a credit card, which provides dynamic authentication information that changes for each transaction. The process makes the cards much more difficult to counterfeit than a traditional magnetic stripe.
But “for the most part, most retailers—or simply accepters of chip and pin—did not meet that deadline,” Prevost says.
What does that mean for cyber liability insurance? So far, not much. “We insure many cyber risks and we get a lot of submissions in this class, and I will tell you that the question about EMV has not come up once,” Wayne says. “And I have not seen the applications be amended to include those type of questions about whether merchants have compliance with EMV payment technology.”
“I think the expectation of most underwriters is that retailers have adopted that technology and would be compliant,” Thornton says. “Even though for the retailer that might have been a lot to swap out payment terminals and upgrade their systems and make sure they’ve got everything set within that date, the carriers have looked at it and expected that.”
That means that your EMV-compliant clients shouldn’t expect a rate decrease for following the rules. But as an agent, it’s something you should bring up—especially because the EMV liability shift leaves retail clients liable if a breach occurs and they’re not EMV-compliant. Although nothing has changed dramatically from an actual insurance perspective, “you will start to see, eventually, more claims in that space that affect the actual retailer,” Thornton says.
Jacquelyn Connelly is IA senior editor.