Cyber Insurance Does Pay Claims. You Can’t Afford Not to Be Covered

The cyber threat is big, growing fast. That’s the scary news. The good news is cyber insurance is taking off with most stand-alone policies paying out.
By: | March 15, 2019

The cyber threat is big, growing and moving fast. That’s the scary news. The good news is the cyber insurance market is taking off after it like a bloodhound on the trail of a raccoon.

“I think the market is going to be $10 billion-plus by 2020,” said Sean Conrad, a principal with EPIC Insurance Brokers & Consultants, who is based in Irvine, Calif.

Not everyone in the business is as sanguine on the growth of the market as Conrad is. And when we’re talking about cyber insurance, things can get muddled between property, general liability and stand-alone cyber policies that take different approaches to affirmative coverage for the cost of a breach as well as physical damage related to a cyber-attack.

Stephanie Snyder, a cyber executive with Aon, sees a market that has grown by leaps and bounds, with more carriers entering the space all the time.

“I have been involved in this space since 2000 and have watched the coverage evolve and expand,” she said. “We have watched more carriers come in to the market; more than 70 different cyber insurance carriers at this point.”

Munich Re put out an estimate a while back, placing the size of the stand-alone cyber insurance market at around $4 billion with a projection that it could grow to between $8 billion to $9 billion by 2020.

Tracie Grella, the global head of cyber risk insurance for AIG, doesn’t think the market will make $8 billion or $9 billion any time real soon.

“I think a lot of the estimates are overblown,” said Grella. She said it is unclear whether the reported estimates include coverage for physical damages, losses related to a breach, or both.

That said, she sees a growing market.

Sean Conrad, principal, EPIC Insurance Brokers & Consultants

“The market is definitely growing a lot, because companies are buying significantly more limits, and that is contributing to the growth,” she said.

“Risk managers, especially in the U.S., are starting to look at their portfolio in a more holistic way, because they are representing to the board how the coverage is going to work across their portfolios,” Grella said.

So, estimates of how big the market is vary. But opinions that it will grow substantially seem to be very much in line with each other.

“Right now, about 30 percent to 40 percent of all revenue classes and all industries purchase a dedicated cyber insurance policy,” Snyder said. “There is a lot of runway, there is still a long way to go and I think that many carriers have very favorable loss ratios.”

Grella’s views were echoed for the most part by Evan Fenaroli, cyber product manager for Philadelphia Insurance Companies.

“We can expect it to grow, I would say, 20 percent to 30 percent each year,” Fenaroli said.

“That is at least what we’re hoping and I think a lot of that is driven by what I would say are pretty low penetration rates for small and medium-sized businesses here in the U.S. That’s the space that we play in and I think global penetration rates are extremely low,” he added.

Do the Policies Pay?

Press coverage, even supposedly sophisticated press coverage, doesn’t appear to be adding much clarity to how cyber policies actually perform.

A recent piece in the Economist speculated that were Zurich to win a coverage battle against Mondelez related to the NotPetya attack, it could cast a chill on the cyber insurance market. But that premise appears to be ill-aimed.

“Education is a huge part of this, and it is something that the big writers of cyber have been doing for a while. Not getting into the nitty gritty of the language but describing the value proposition and simplifying it. — John Merchant, director of business development for Guidewire

“What is interesting about Mondelez/Zurich is that it is a property policy. The issue at hand is a war exclusion,” said Snyder.

“We have not yet seen coverage denials under cyber insurance policies related to war exclusions. We have seen over time certain denials, but those were due to basic insurance issues” either involving misinformation contained within the application or late reporting issues, she said.

“I am not seeing disputes,” said Jason Glasgow, Vice President E&O Division— Privacy and Network Security Practice Lead, for Allied World.

“Generally what is coming in is covered. Where you are seeing disputes in the insurance industry is policies that are not specific cyber policies such as a GL policy or a property policy, for example; trying to be construed to provide coverage for insureds for cyber that it really wasn’t intended to cover,” he added.

“Cyber is a high-growth area for the insurance companies that write in this space, and thus far, that appetite and capacity continues to expand,” said EPIC’s Conrad.

“Despite high-profile cyber-attacks over the past few years, the cyber insurance markets are expanding to meet global demand. From our vantage point as a broker, insurance policies are responding as expected in the event of a cyber event,” Conrad said.

“I think in general the policies do work well and they do pay, for the most part,” said John Merchant, a director of business development for Guidewire.

“That aside, I personally believe that one of the major problems is their complexity,” Merchant continued.

“Insurance is not English, it’s not even legal-ese; I am not sure what it is. That being said, I think you have a complex product for a limited understanding of an exposure area.”

“That has always been a huge problem,” Merchant said. “How you get around that has been a challenge.”

“Also, cyber itself is still a cottage industry with the products themselves. There is no standardization like you would find on a property policy or a casualty policy. Brokers can’t compare apples and apples. There are all of these products that say they cover the same thing but it is written in a very different way,” Merchant said.

“It’s really incumbent on the broker as the current intermediary in the system for cyber insurance to really work on that education because it can be very bespoke,” said Aon’s Snyder.

“It is really trying to help that client look across their portfolio of property and casualty policies to determine what if any coverage they may have in terms of a cyber extension,” she added.

“It is about working closely. It is really not about broking a policy,” she said.

“It is really about being a cyber risk consultant and working very closely to get them the right solution,” she said.

“When a claim comes in, companies are happy they have purchased the coverage and wish they purchased more of the coverage,” AIG’s Grella added. “So, the cyber policies are performing as they expected them to.

“Where claims have not been covered was where the insured was aware of the claim prior to purchasing the coverage; and in those cases, the clients weren’t really disputing it,” she said.

Further Growth

So, the cyber insurance market is growing at a strong pace and the (stand-alone) cyber policies are performing as expected.

But carriers and brokers have their work cut out for them to penetrate the middle market and small business sectors. Smaller businesses are no doubt at risk for cyber attacks, but the take-up rate in that economic strata has been anemic.

Stephanie Snyder, SVP and commercial strategy leader – cyber solutions, Aon

“Organizations are going through a digital transformation when it comes to their use of technology,” Snyder said.

“How do you model that out when it comes to some kind of breach or disruption at an organization — it’s pretty challenging.”

“Taking a step back and looking at how dedicated cyber insurance products have worked over the years; we started in the late 1990’s and 2000’s with policies that were essentially network security liability policies,” Fenaroli said.

He said California’s state breach notice law, passed in 2002, was a turning point.

That started a cascade of state regulations that held companies liable for losing customer data.

“There were laws that required companies to notify individuals when their information was compromised, to offer credit monitoring or identity theft monitoring, which enabled a cottage industry to grow around servicing those clients with breach coaches or attorneys, forensic consultants and notification firms,” Fenaroli said.

Fenaroli said the market stalled when demand was coming primarily from health care organizations, retailers or financial institutions, which house a lot of customer data. He said the market reignited when ransomware attacks and cyber business interruption events became more common.

“Now I think we are seeing more demand from manufacturers and other non-traditional buyers of cyber,” Fenaroli said.

“Education is a huge part of this, and it is something that the big writers of cyber have been doing for a while,” Guidewire’s Merchant said. “Not getting into the nitty gritty of the language but describing the value proposition and simplifying it.

“What this does is it provides the main-street agents with access to expertise they don’t have, so they rely on the carrier to do that.,” he added.”

“You have this symbiosis between the larger carrier that would like to sell more product and the agent. You bring them together and you get a more seamless transport of information,” he said.

EPIC’s Conrad has the following advice for risk managers, no matter the size of the company. He calls it the three C’s of cyber:

“First, you need to Commit,” he said. “This is going to need to be a proactive focus for your company. You have to talk to your C-suite and your board and commit that you’re going to be cyber ready.”

Second, Collaborate with your internal and external resources and your advisors and build a plan. Make sure you have a cohesive plan to protect your business.

Third, Coverage. “You have this rapidly expanding universe of options to choose from, and they all have their strengths and weaknesses,” he said.

“Quantify the risk you have and assess how to transfer that to an insurance carrier, and what are the terms and conditions and pricing, and then make the decision that feels right for the exposures at your company.” &

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].

More from Risk & Insurance