Cyber Insurance

Cyber Prices Hardening For Large and Complex Risks

Large, PII-Laden Firms May Find Rates and Conditions Toughest
May 5, 2015

Cyber coverage for small businesses is competitive. But for larger entities, it’s a completely different matter.

Recently, a hospital with $3 billion in revenue saw its Information Security & Privacy Insurance premiums increase 20 percent while its deductible went up by a third, said Greg Gamble, a director with insurance brokerage Crystal & Company.

The cyber program in question covers both first- and third-party claims and includes partial reimbursement for first-party claims such as digital asset recovery and privacy notification, as well as third-party claims for such risks as privacy-related regulatory defense and fines.

“Competing insurers did not offer more compelling terms when we went to market,” he added, saying that “for businesses with $1 billion or more in revenue and 1 million or more names or personally identifiable information [PII] on record, it has become a harder and more selective market in the last 18 months.”

Gamble spoke to Risk and Insurance® following a panel discussion in Manhattan. While addressing the panel, which focused on nonprofits, he broke down Information Security and Privacy Insurance market pricing for nonprofit organizations as well as corporate firms as follows:

  • A hard and selective market for large and complex risks.
  • A competitive excess market for a $50 million attachment point.
  • A very competitive and inexpensive market for small or mid-sized businesses.

The information jibes with a WillisWire post last month.

The post, by Willis’ Matt Keeping, said that, generally speaking, the trend remains positive for insurance buyers, with softening conditions accelerating this year.

On the other hand, cyber coverage for point-of-service retailers is increasing by a minimum of 10 percent to a maximum of 125 percent at annual renewals, according to Willis.

“The threat of [continued, significant] cyber-related losses seems to be a matter of if, not when,” Keeping added.

Marsh found that during 2014, the number of its U.S.-based clients purchasing stand-alone cyber insurance was up 32 percent over 2013.

Its existing health care and education clients had the highest cyber take-up rates last year at 50 percent and 32 percent, respectively, according to a Marsh Benchmarking Trends Report released in March.

Things have certainly changed. Gamble recalled his days at the former Reliance National, when he wrote his first network computer liability policy in the late 1990s.

At the time, “We wrote maybe three policies a year,” he said.

“It was slow on the uptake.”

Today, that has changed markedly. “Virtually all larger health care companies are opting for cyber coverage,” he said.

Much More Than a PII Issue

During the Crystal & Company panel discussion, Gamble stressed that cyber risk is not just a matter of PII exposure.

“Businesses without consumer information also have exposure to losses related to network disruption and damage to digital assets by hacking,” Gamble said.

For example, when Sony Pictures was subject to a high-profile, studio-wide cyber attack last fall, its computing enterprise was compromised for several weeks, and the organization incurred significant first-party costs related to getting the computing resources back to working order.

Coverage for forensic investigations is also increasingly sought after, Gamble said.

Recently, he recalled, one of his customers noticed strange network activity after experiencing a power failure in the building. Because they had cyber insurance, the underwriter was able to hire a forensic consultancy to come in.

“They paid $500,000 to learn that two employees had simply downloaded BitTorrent, the movie file sharing software. There was no external hack and no data compromise,” said Gamble.

“The point is, there is financial loss associated with information security incidents tied to non-PII events,” he said.

On the other hand, Bob Parisi, Marsh’s cyber product leader, suggested during an April webinar that price increases do depend largely on PII exposure.

“We are seeing significant price increases for large buyers with significant volumes of protected health information (PHI) and credit card data, simply as a result of the catastrophic risk they present to insurers,” Parisi said.

Executives during the webcast stated that, from a risk management perspective, managing cyber risk cannot be the sole responsibility of the information technology department.  Finance, legal, compliance, operations, and others must also be committed to reducing the risk, they said.

Regulatory oversight of companies’ cyber risk management policies is likely to increase, Marsh officials emphasized, reasoning that cyber is one of the few areas on which both major U.S. political parties can agree.

Citing a third key takeaway from the webcast in a published report, Marsh stated that information sharing among those who have been affected by cyber attacks can help prevent hundreds, if not thousands, of future attacks.

“The importance of intelligence cannot be overstated,” the brokerage said.

Janet Aschkenasy is a freelance financial writer based in New York.