Last year, 170 insurers wrote cyber insurance, compared to 140 in 2016 and 119 in 2015, according to Aon’s latest U.S. Cyber Market Update.
“And that’s just in the U.S.,” points out Prashant Pai, vice president, cyber offerings at Verisk. “We also see the market expanding globally. There’s a strong interest on behalf of the industry to tackle this exposure.”
According to Shawn Ram, head of insurance at Coalition, “carriers of all shapes and sizes have recognized this dramatic shift in companies using technology to further their business. It’s really something you can’t avoid,” he says. “As companies use technology to proliferate their operations, it creates risk, and that risk is generally not covered by other insurance policies.”
That’s made cyber “one of the fastest-growing product trends on a year-over-year basis,” Ram says. “The amount of capital entering the marketplace has driven price trends down dramatically.”
“Prices are dropping,” Pai agrees—and where they’re not, it’s because carriers are widening cyber coverage options as a strategy for “latching onto the same amount of premium.”
By making cyber policies “broader than they’ve ever been,” Ram says, insurance carriers are able to lower “perceived price” even as they hold rates steady.
“There’s so much more coverage coming out—limits carriers didn’t want to touch before,” says Ted Richmond, director, RGS Limited, LLC. “The carriers that have been in the space for a while are saying, ‘OK—I already have a policy out there, and I don’t want these new players encroaching on what I’m doing.’”
Ransomware is a prime example: “You used to get a sublimit for ransomware, but now that’s part of the entire limit,” Richmond points out. Why? According to Symantec, the average ransomware attack is down to $522—a sign that this particular cyber exposure has become commoditized.
“Cybercriminals know if they ask for $500, the insurance company’s going to pay it, rather than fight it,” Richmond explains. “The carrier’s going to pay that ransom because they don’t want a release of this data, which would be a bigger, costlier exposure.”
As ransomware demands become smaller, related coverages like business interruption become more important. With ransomware, “the first thing that comes to mind is the extortion amounts,” Pai says. “But what we’ve found is the resulting business interruption is actually far larger than the ransom the insured ends up paying out.”
In addition to business interruption caused by a ransomware attack or a more straightforward data breach, the coverage could also apply to outages of data force applications as more companies become reliant on cloud services.
If an insured can’t access a payment processor such as Square or PayPal, “that could potentially really impact their revenue,” Pai explains. “The realm of business interruption is growing. Carriers are starting to cover more and more of that.”
Cybercrime, or social engineering, is another area where carriers are beginning to expand coverage options for cyber insureds. Whereas there used to be some confusion regarding whether this type of exposure was better suited for a crime rather than cyber policy, “cybercrime is a core component in that policy now,” Richmond says. “That’s the No. 1 risk businesses are facing today.”
But it’s a tough nut to crack—carriers are actually “taking a loss on that coverage,” Richmond points out. And for that reason, “the coverage is still fairly restricted,” Ram says. “You might purchase a $1-million cyber policy, but only have $100,000 or $250,000 of social engineering coverage.”
Richmond observes that many new entrants to the cyber market “won’t touch social engineering yet”—but “they’re going to have to put some type of limit out there if they want to compete,” he adds, noting that the highest social engineering limit he’s seen so far is $250,000.
Finally, fierce competition is also leading many cyber insurers away from annual aggregate limits and toward per-claim limits for specific insuring agreements.
“That means if you have multiple claims per year, some of these policies could be on the hook for millions of dollars,” Richmond says. “A lot of carriers are saying, ‘Hey, we have a good 10 years of claims data now, and the odds of having multiple claims on one policy in the same year is very, very rare. We feel safe putting that limit out there.’”
As exposures like ransomware, business interruption and social engineering become core elements of many cyber insurance policies, which emerging cyber coverages should you be ready to explain in the future? Keep an eye on IAmagazine.com and upcoming editions of the Markets Pulse e-newsletter to find out.
Jacquelyn Connelly is IA senior editor.