After springing into life in the 1990s to protect the first breed of dot-com companies against network security breaches, the global cyber insurance market has gone from strength to strength. Policies have expanded rapidly to incorporate broad liability coverages, first-party expenses, business interruption, and some are even extending towards property damage.
As the coverage has expanded, so have the types of businesses buying cyber insurance. The earliest adopters included technology companies and dot-com companies, who had to identify cyber threats in their securities registration documents, and so bought cyber insurance as a way to demonstrate they had covered some of their cybersecurity bases. Financial institutions were also early adopters, especially following a number of privacy breaches in the mid-2000s, and they were quickly joined by retailers and healthcare organizations.
Most recent buyers to jump onto the cyber insurance bandwagon include companies with significant operational exposures, according to Brad Gow (pictured), global cyber product leader at Sompo International. This includes companies like airlines, large manufacturers, and logistics companies – really any organization with a complex supply chain or operation. Much of the growth among these later commercial classes has been driven by the NotPetya cyberattack in 2017, which was a significant balance sheet event for a handful of Western companies, and a reality check for those without any coverage.
“On the distribution side, a lot of brokers are now really focusing on cyber,” Gow told Insurance Business. “The larger brokers have various significant practice groups that are focused on articulating the exposures and the benefits of the policies to clients. That’s really driven the market to where it is today. However, there are still many brokers and agents that are very hesitant to initiate discussions about cyber, because they don’t feel confident in their knowledge of the risk. Fortunately, for those who aren’t specializing in this coverage – which I imagine very few smaller brokers or agents are – there’s a number of wholesale markets that specialize in cyber and can provide a tremendous amount of support.
“Today, in 2019, the biggest challenge for agents and brokers trying to sell cyber insurance is the fact that risk management budgets tend to be fairly static. When property rates and D&O rates are on the rise as they are today, it's very difficult to make a new sale. It’s hard to sell a new coverage when the prices of other products are rising so significantly. There was a D&O crisis about 10-years-ago, which really took the wind out of what was a very quickly developing cyber market. I don't expect that to happen again because cyber has really established itself, but it’s going to be challenging for insurance distributors in the balance of 2019 and 2020.”
When the sell is tough, brokers and agents can turn to the value-added services that most carriers offer with their cyber liability products. This is where carriers are really trying to differentiate themselves, according to Gow. While the leading markets all offer quite similar coverage grants in terms of third-party liability, breach costs, business interruption, and contingent business interruption (especially from an operational technology perspective), the services they offer to insureds pre- and post- breach can vary.
“There are two areas where carriers can really distinguish themselves,” said Gow. “First of all, in addition to the coverage grants, carriers can provide risk management service to insureds up-front. For example, at Sompo International, we offer complimentary social engineering and phishing campaigns to all of our insureds. We also offer a virtual chief information security officer to help insureds manage their cyber risk up-front. On the back end of a cyber incident or a claim, it’s critical that the carrier can provide exceptionally high-end event management services 24/7. If there’s a privacy breach, a ransomware attack and subsequent extortion, or another kind of network issue, the ability for the carrier to get on it quickly and provide immediate support to get the insured back up and running is critical. That’s where carriers are really differentiating themselves – around front-end and back-end value-added services.”
As companies learn more about cyber insurance and the value of the overall product that carriers can provide (including the risk mitigation and breach response components), the cyber insurance take-up rate will only continue to rise around the world. The extra services are particularly valuable for smaller organizations that perhaps don’t have resources to dedicate to proper cyber risk management. While the bulk of cyber insurance premium remains attributable to companies with revenues over a billion dollars, there’s a lot of activity aimed at the small commercial market at the moment. This is a trend Gow expects to continue for some time.