Cyber Insurance
Brokers: More Interest in Cyber Cover
Demand for cyber security insurance ranks No. 1, slightly topping that for supply chain disruption coverage. That’s according to a survey of 135 insurance professionals by RKH Specialty, a London-based specialty lines broker, now a unit of Hyperion Insurance Group.
Cyber coverage was the most sought-after insurance at 70 percent, followed by supply chain disruption at 61 percent, and flood at 30 percent. Other coverages in demand were product recall and drones (both 11 percent), tornadoes at 9 percent, and e-cigarettes, autonomous vehicles and telematics, all at 8 percent.
Many brokers are seeing that concern put into action, with increased purchases of cyber coverage.
“Many of these companies are particularly concerned about business interruption and dependent business interruption from cyber attacks.” — Adam Cottini, managing director, cyber liability practice, Arthur J. Gallagher Risk Management Services
Adam Cottini, managing director, cyber liability practice, at Arthur J. Gallagher Risk Management Services Inc. in New York, said his firm has seen “a really nice pickup” of cyber coverage — exceeding 50 percent year-over-year.
“Some of that growth has been achievable by streamlining our processes for clients under $100 million in sales, but a portion is also due to more business from the middle market — and not just health care, financial institutions and public entities, but a wider array of industries, including manufacturing,” Cottini said.
“Many of these companies are particularly concerned about business interruption and dependent business interruption from cyber attacks.”
David Rees, an RKH divisional director specializing in cyber, agreed that cyber policies were attracting companies across various industries as executives realize that cyber attackers do not always target theft of consumer data, but also aim to disrupt operations or supply chains.
He said some cyber policies now cover such exposures.
“For example, a cyber attack on an energy company with an oil pipeline could cause a valve to be shut or an explosion that causes a leak,” he said.
“Policies now cover business disruption in those situations as well as any resulting environmental impact.”
Alternatively, companies can negotiate with insurers of business interruption policies to remove any exclusion for cyber attacks, though it can be a “tug of war” to accomplish that, Rees said.
Marsh is another firm that has seen the take-up of cyber insurance across all industries over the past three years.
At this point, the firm is seeing manufacturers, and power and utility companies buying almost at the same rate as retailers, higher education and health care companies, said Robert Parisi, a managing director and cyber product leader for Marsh in New York.
“They are looking to cover losses when a cyber attack or technology glitch disrupts their manufacturing assembly lines or supply chains,” Parisi said. “This is almost now at the same level of concern as stealing personal information is to retailers, higher ed and health care firms.”
The pickup in cyber insurance purchasing via Aon has increased from less than 10 percent in 2014 to more than 30 percent through the first half of 2015, said Kevin Kalinich, global practice leader, cyber risk, at Aon in Chicago.
He said the bulk of the interest has been from larger companies in pharmaceutical, manufacturing, energy and food production.
But not all companies truly understand the threat, Kalinich said, pointing to survey results of 2,243 executives in 37 countries released in April in a “2015 Global Cyber Impact Report,” sponsored by Aon Risk Services and conducted by Ponemon Institute LLC.
While 72 percent of those respondents consider cyber risk as a top 10 business risk, 54 percent of respondents did not plan to purchase cyber insurance.
The main reasons for not purchasing coverage is that it is inadequate for their exposure (31 percent of respondents), premiums were too expensive (29 percent), property and casualty policies were sufficient (26 percent) or there were too many exclusions, restrictions and uninsurable risks (26 percent).
Rees said the interest in cyber policies has been heightened by news reports of breaches. It has made companies increasingly aware of how expensive it can be to fix such problems, including notifying potential victims of the breach and hiring forensic firms and privacy attorneys, among others.
For example, a privacy attorney can charge from $700 to $900 an hour, but with a cyber policy, companies can get preferential rates and pay from $400 or $500 per hour for that same attorney, he said.
Marsh’s Parisi has been working in the cyber sector for almost 20 years and has seen hacks from industrial espionage and state-sponsored terrorism to simple vandalism. However, particularly troubling these days is the increased sophistication, size and scope of denial-of-service attacks.
“The past year has seen dramatic growth in high-volume denial-of-service attacks, with the largest attacks using multiple techniques concurrently — and it’s definitely not coming from some kid in a basement,” Parisi said.
“Whether it’s ‘I don’t like your company’ [or] ‘I don’t like your country,’ something is going on to cause these attacks to become stronger year after year.”