At Marsh, the number of U.S. based clients purchasing stand-alone cyber insurance increased 32 percent in 2014 over 2013, according to a report released last week. The cyber take-up rate — the percentage of existing Marsh financial and professional liability clients that purchased cyber insurance — rose to 16 percent. Early evidence in 2015 suggests a continued acceleration in the demand for cyber insurance.

“Cyberattacks are inevitable, and no amount in the IT budget is going to take that risk to zero,” Thomas Reagan, cyber practice leader at Marsh in New York City said in an interview.

“Businesses are already going to have some exposure, which requires good risk management that is more than just IT and prevention. It’s like defending castles and bank vaults – businesses have to defend against everything, but thieves only have to find one way to attack.”

“Cyberattacks are inevitable, and no amount in the IT budget is going to take that risk to zero.” — Thomas Reagan, cyber practice leader, Marsh

Good risk management should include risk transfer as one of the main ways to approach cyber risk, and risk managers need to recognize when existing insurance programs are not going to be sufficient enough to protect their systems, Reagan said.

Marsh’s health care and education clients — organizations with vast amounts of personal information in their databases — had the highest cyber insurance take-up rates in 2014 at 50 percent and 32 respectively, respectively, followed by hospitality and gaming (26 percent) and services (22 percent), according to the report. Nearly half (47 percent) of Marsh’s power and utilities sector bought standalone cyber coverage.

Marsh clients with more than $1 billion in annual revenues purchased 22 percent higher limits on average in 2014, at $34.1 million compared to $27.8 million in 2013.

Very large financial institutions continue to buy the highest average limits, followed by power and utilities firms and communications, media and technology companies. For all sized firms, power and utilities companies had the highest percentage increase in average limits, at 59 percent.

Premiums were volatile due to increases in the frequency and severity of losses and “near-constant headlines about attacks and outages,” with renewal rates for retailers rising on average 5 percent, and as much as 10 percent for some Marsh clients.

Most industries were able to secure cyber coverage with aggregate limits in excess of $200 million, while the most targeted industries, like retailers and financial institutions, faced a challenging market, the Marsh report said.

For Beecher Carlson’s Fortune 1,000 companies, well over 50 percent in certain industries are buying cyber insurance, said Christopher Keegan, senior managing director, cyber and technology national practice leader in New York City.

Some sectors are buying more, such as health care insurance firms and their nonprofit equivalents; more 70 percent of those groups are buying cyber insurance, Keegan said. On the flip side, less than 10 percent of Beecher Carlson’s hedge fund and private equity clients are buying cyber insurance.

“More than half of the top 20 retailers are buying, but not some of the very largest retailers because they think that the insurance market really doesn’t have the capacity to give them the amount of limits which would be meaningful for them,” he said.

“But last year a $500 million cyber tower was put together for a very large tech company, so there is capacity but only for the best companies. To make the purchase worthwhile for these very very large companies, they really need large capacity in order for the size of transaction to make sense to them.”

Beecher Carlson’s Fortune 500 to 1,000 clients are buying at a “relatively fast clip,” but middle-market companies with $500 million in annual revenues or less are just starting to buy in volume the several years, Keegan said.

“That is the big growth area for cyber insurance.”

Many of the firm’s clients are seeking significantly higher limits, particularly those in health care, retail, energy and utilities, he said. Energy and utilities have been able to get some significantly higher capacity, but for retail, it’s been especially difficult because of all of the data breaches.

As such, the pricing of cyber insurance over the last year has changed, depending on the industry. For example, for retail, especially large retail — sometimes premiums have increased by multiples of two, three or more.

“The way the market is looking at retail is something like a property cat program, because if they have a breach, the whole tower is going to go,” Keegan said.

“But in other parts of the market, such as health care, the premiums have stayed relatively flat and in some cases, we’ve been able to broaden the policy terms.”

“We’re seeing more clients, especially those with $1 billion or more in annual sales that we call ‘risk management clients,’ buy even higher limits than before because of the costs of breaches.” — Adam Cottini, 
managing director, cyber liability practice, Arthur J. Gallagher Risk Management Services Inc.

Adam Cottini, 
managing director, cyber liability practice 
at Arthur J. Gallagher Risk Management Services Inc. in New York City, says his firm has seen 40 percent growth in the purchase of cyber insurance from 2013 to 2014, year-over-year.

“We’re seeing more clients, especially those with $1 billion or more in annual sales that we call ‘risk management clients,’ buy even higher limits than before because of the costs of breaches — for some large risk management clients, in excess of $100 million,” Cottini said.

Smaller companies that are in specific data-sensitive industries, such as health care, education, financial institutions, public entities and retail, are also asking for higher limits, he said.

“Organizations who have evaluated cyber insurance and rejected purchasing the coverage will need to absorb the cost of a breach through their own balance sheet,” Cottini said.

“Also, with or without cyber insurance there is a need to continue to investment in network security to maintain a robust security profile.”

Some middle-market companies are buying, but some are “struggling” to determine whether it is a good deal for them and a good use of their dollars for IT services, he said. For smaller companies where premium pricing is aggressive, the uptake is massive, just like it is for the larger companies.

Aon tracks purchasing data on a global basis, breaking it down by region, industry and size of insured, said Kevin Kalinich, global practice leader, cyber risk in Chicago. Purchases of cyber liability policies worldwide rose 50.3 percent in 2014, and the number of cyber policies placed by Aon in the U.S. rose 38.7 percent. The percentage increase in EMEA and Asia were much greater, because they were father behind the U.S. in purchasing prior to 2014.

Premium price per million, for both the median and mode, fell 4.1 percent for Aon clients in the middle market, Kalinich said. More cyber insurance carriers are now going after the middle market than are pursing larger insureds following a few large insured claims.

“But some alternative thinking insurers are taking advantage of the relatively big hard market opportunity in the large limit programs, with excess of up to $500 million attachments for higher price-per-million,” he said.

“Aon’s brokerage and reinsurance groups are now co-developing solutions that include reinsurance, either through captives or directly with reinsurance markets that typically haven’t been tapped for cyber insurance.”

Professional services clients, such as consultants and technology related industries of all brokerage firms typically do not buy stand-alone third party cyber policies, but rather address third party cyber exposures through their professional liability policies to ensure more coordinated coverage, Kalinich said.

“For all types of cyber insurance purchases, trends are changing dramatically in the wake of breaches at Home Depot, Sony and Anthem,” he said.

“The complete fallout of that for insureds is to be determined.”