By Janet Aschkenasy
Risk specialists will likely find non-admitted, excess and surplus (E&S) lines carriers are at the ready with more robust language and more companies competing for their insurance dollar in the area of cyberrisk.
The data security and privacy insurance market is a fairly immature market with little historical data behind it -- and one that many standard companies are addressing with sublimits under traditional business owners policies (BOP) and crime policies that may not supply sufficient payouts when losses hit.
Thus, many buyers are tapping E&S for a more specialized product, more participating carriers and a policy form that's easier to adjust as state and federal laws continue to emerge and pose new data-protection and loss-remediation challenges.
Stand-alone coverage for data breaches and privacy-related losses is still a tough sell for many risk specialists, but these days more and more mid-size firms are beginning to take the plunge and many of these buyers are turning to excess and surplus lines carriers.
Jake Kouns, director of Cyber Security and Technology Risks Underwriting at Markel in Richmond, Va., observed that "most carriers [in this field] are seeing large growth rates. Markel itself "was up 75 percent in premium for the line in 2012," with submissions up more than 150 percent over the past two years.
Of course now, it's no longer only technology behemoths at risk -- today, everyone from lawyers and accountants to medical professionals to educational institutions may find reasons to consider the purchase of cyberrisk insurance. Exposures exist not only for those housing large amounts of data, but even retailers like gas stations and supermarkets handling credit cards.
E&S experts said there are roughly 30 to 40 insurance carriers supplying stand-alone cyberrisk insurance for U.S. risks right now, but only a handful doing it on an admitted basis using state-regulated policy forms and rates. E&S markets providing stand-alone coverage include Markel, RSUI Group, Allied World Assurance Co. (AWAC), AIG and its surplus lines company Lexington Insurance, as well as Lloyd's syndicates including Hiscox and Beazley.
"I can only think of three or four doing it on an admitted basis," said Kouns. Moreover, he said, compared to the E&S market, admitted companies are often providing "stripped down coverage," though admittedly "at a lower cost," in some cases.
Costs for cyber insurance are pretty reasonable these days, however:
It is hard to believe that rates will stay this low given the increasing exposures and the number of data breaches that continue to occur," said Kouns.
"Right now, coverage is ridiculously affordable," he observed.
For instance, Markel's minimum premium is $1,500 for $1 million in insurance limits for its data breach claims-made policy. Markel now provides a maximum of $10 million in limits.
Breach mitigation expense is a key concern, experts said.
Kouns noted that Markel's data breach program includes coverage for breach mitigation expense -- which is currently "the most important and most used part of the policy," since rules in 46 states require companies to notify individuals when there is a data breach putting private personal information at risk.
The breach mitigation language is also designed to cover losses related to public relations efforts companies need to do to maintain their reputation following a breach.
Whereas risk experts might worry about third-party liability expenses to cover damages to those whose personal information is exposed, Kouns said that given the newness of the cyberexposure, courts have yet to develop standard procedures and "a lot of these cases are being thrown out."
Risk mitigation is a first-party coverage that is more and more in the spotlight right now given state requirements, experts said.
One clear reason buyers might turn to surplus lines companies and non-admitted paper is their ability to supply coverage changes almost immediately.
Since companies whose data is exposed are subject to state regulations regarding security breaches, and companies in the medical profession and health-related industries must comply with HIPAA, things can change rapidly, said wholesale brokerage executive John Pinelli of Partners Specialty Group in Stamford, Conn.
"In the admitted market it takes time to file a [new] form," he said, adding that coverage could be obsolete in a short time.
Despite the immediacy of the problem for all sorts of companies including small mom-and-pops and large multinationals, new research commissioned by corporate insurer Zurich found that only 19 percent of public and private risk managers surveyed in Europe have purchased insurance specifically designed to cover information security and privacy exposures.
Zurich's research focused on risk management specialists at 152 companies -- most of which are based in Europe -- but surplus lines experts say the findings are reflective of trends here in the United States as well.
Zurich found that more than three in four organizations surveyed have become more concerned about information security and privacy over the past three years, according to the Zurich-commissioned survey by Harvard Business Review Analytic Services, conducted in association with the Federation of European Risk Management Associations.
Kouns says that the European Union's stricter laws around data privacy and regulations regarding the movement of data suggest there are likely even fewer U.S. companies purchasing coverage covering data security risk.
"From our experience, only about one in five actually buy coverage during their first quoting cycle despite the increasingly publicized exposure," said Reza Khan, executive vice president at ThinkRisk in New York.
ThinkRisk is a managing general underwriting agency and part of Ryan Specialty Group. The firm specializes in errors and omissions insurance in areas including privacy and network security. Currently, it is handling excess and surplus lines business only, "like most companies in this segment," said Khan, though it plans to expand into admitted products to specific industry segments as well later this year.
Khan observed that the first blush of cyber insurance purchasers over the last five years included mostly health care institutions, large national retailers and Fortune 500 firms heavily entrenched in the technology industry.
"The genesis of cyberliability products in the 1990s was stand-alone third-party liability coverage initially purchased by technology-related companies offering services for others," he said.
But Khan said the days when only behemoths like Amazon and IBM understood they needed such insurance have passed.
"Changes in HIPAA laws and state privacy regulations prompted the product offering and associated customer base to dramatically change over time," he said.
Coverage has Evolved
Also, while the product is often still referred to as cyberliability, the coverage itself has evolved and now often covers first-party exposures, including business interruption and regulatory fines and penalties which, depending upon the number of records exposed during a breach or loss of data, can be catastrophic for many businesses.
Now, Pinelli said, "first-time buyers tend to be middle-market companies with $50 million or less in revenue," able to purchase limits of $1 million to $5 million. Smaller firms with $3 million or under in revenue can often purchase such limits "for $2,500 or less in premium and very manageable deductibles," he said.
Professionals also seem to be getting the message: John Gambale, head of Professional Liability and Lexington Financial Lines Executive, U.S./Canada Financial Lines, said "the submission flow for lawyers requiring cyber insurance -- on both an admitted and non-admitted basis -- was up "double digits" in 2012 versus 2011.
Khan agreed that, "from a philosophical perspective, it makes sense to look into purchasing cyber coverage from E&S companies able to bob and weave as exposures change" in a way that admitted companies can't. "Once you file [using] admitted rates and forms you're pretty much locked down," he said.
JANET ASCHKENASY is a freelance financial writer based in New York. She can be reached at email@example.com.
April 12, 2013
Copyright 2013© LRP Publications