To say demand for cyber insurance is increasing would be an understatement. Existing buyers are looking for higher limits. New buyers—from industries that had never considered it—are purchasing coverage. And companies of all sizes and stripes are looking for ways to transfer risk through insurance products.

“I think it's fair to say interest in cyber has increased across the board,” says William Boeck, senior vice president and claims counsel at Lockton Cos. “All types of companies are focusing more on the cyber risks they have, and as part of that, more are considering cyber insurance.”

Anthony Dagostino, executive vice president/FINEX Cyber leader at Willis Towers Watson, notes that a few years ago demand came mostly from heavily regulated industries such as financial services and healthcare. Retailers were quick to follow after suffering high-profile breaches. In more recent years, additional industries have entered the space, from manufacturing to education and professional services companies such as law firms and real estate agencies.

“Today, I'd say it's everywhere,” says Dagostino. “Companies in every industry are looking to buy.”

David Derigiotis, corporate vice president and director of professional liability at Burns & Wilcox, says demand is up not just across industries, but among companies of all sizes. Previously, small to midsize companies (with revenues of less than $100 million) tended to be of a mind-set that a cyber breach would not happen to them, he says. Today, those companies are recognizing their risks and purchasing coverage.

Aside from the broader spread of companies interested in cyber coverage, Oliver Brew, executive vice president, global head of cyber risk and head of international professional indemnity for Aspen Insurance, says companies that have bought cyber insurance previously are now looking at securing more meaningful terms. “Companies that bought $10 million [in limits] are now looking at $30 million,” he notes. “Companies that bought $50 million now want $100 million. That is a very common theme we're seeing.”

News reports featuring large, high-profile breaches in recent years have certainly contributed to the rise in demand, but other factors play a role as well. Tracie Grella, global head of Cyber Risk Insurance at AIG, notes that regulators are asking more questions about companies' processes and procedures—“and as companies look in and evaluate risks, they realize the amount that is actually there” and then determine how much to retain and how much to transfer through insurance.

John Coletti, senior vice president at XL Catlin, points to the natural evolution of business and technology—how much companies today rely on technology that is potentially susceptible to a breach—as another reason for the spike in interest.

Bob Parisi, U.S. cyber product leader at Marsh, says there has been a steady drumbeat with respect to demand for cyber insurance, and whether or not there was one single reason or event that flipped the switch for many buyers, the market has reached a point where everyone in an organization, from the board to the C-suite, recognizes cyber threats as an operational risk.

Cyber Threats and Solutions

For buyers, the potential of suffering a data breach remains top-of-mind. If they manage a lot of data, and if they have a breach, “they're concerned it will be extremely expensive,” Boeck says. “Clients also look for cyber insurance to cover losses they're going to have as a result of those breaches.”

Beyond just response costs, companies want policies that will respond to lawsuits, regulatory inquiries, and enforcement actions, says Boeck. He notes that policies do “a pretty good job across the board” when it comes to breach response.

“The markets created viable risk-transfer solutions and risk management products for customers,” Coletti adds. “We wouldn't have a $2 billion market if there weren't viable products.”

Yet cyber threats present a rapidly evolving set of exposures, and the industry needs to adapt to keep pace. Coletti explains that cyber is not a product like property insurance, which can essentially remain static for 20 years; a cyber product may look different over a period of a few years due to the way technology evolves.

Source: Statista

“We go out with the mind-set of being as flexible as possible, knowing this is an evolving product,” says Coletti. “You need to listen to what clients want. I think what we're good at is not shoving what we view as a product at them and not offering alternatives. Some competitors create a product they think is wonderful and try to make it the solution across the board.”

Derigiotis likewise stresses flexibility, and adds that's where E&S insurers are particularly strong. “We have the freedom and flexibility to negotiate coverages to make sure we're tailoring them to specific industries,” he says. “The E&S space is great for quick changes, amending forms, removing exclusions—we're very careful with terms and conditions for clients.”

In many respects, the industry has been able to demonstrate this flexibility to address buyers' emerging and changing concerns. Parisi says that as buyers' awareness of the risk has improved, so too have insurers' abilities to offer broader products. For example, manufacturing clients are interested in business interruption coverage that responds to a cyber event. Parisi says insurance solutions in this area were “decidedly sub-standard” 10 years ago; policies only covered website-driven revenue back then. Now, he explains, “we're looking at a cyber market that will cover any revenue that's disrupted from any kind of technology outage as long as it's not a physical event.”

Coletti notes that business interruption has expanded to include not just an insured's network, but a disruption when a dependent provider goes down as well.

He adds that the industry likewise responded in the area of payment-card breaches after high-profile events in recent years; insurers created affirmative coverage for the payment card industry (PCI) and for the cost that the PCI is assessing on insureds—the fraud costs and other assessments “that were not otherwise in insurance programs are now regularly seen in cyber programs,” he notes.

Remaining Cyber Insurance Gaps

Insurers also are working to address capacity issues for the largest companies, particularly the largest retailers. Matt Prevost, vice president and cyber product line manager for Chubb, says, “Although there is capacity for up to and over $500 million on a per-risk basis, the typical complaint is there isn't enough capacity for very large risks.”

He says companies are beginning to offer bigger blocks of coverage to address the need. In 2015, Chubb introduced a $100 million primary block of committed capacity, he adds, allowing brokers to build coverage from that primary block rather than from smaller blocks.

Work remains to be done in this area. “The market is looking to put together a $1 billion insurance solution that's not quite there yet for the largest organizations that exist today,” says Derigiotis, who notes that for companies below the Fortune 500 to Fortune 1000, there's still plenty of capacity.

The issue of covering physical damage and bodily injury resulting from a cyber attack is also high on the industry's radar. Boeck points to events over the last few years—such as the December 2015 cyber attack on a Ukrainian power plant and the December 2014 cyber attack on a German steel mill that resulted in massive damage to a blast furnace—as potential canaries in the coal mine for the “growing concern we will have a cyber event that causes massive property damage or bodily injury.”

He notes that cyber insurance policies typically do not cover property damage or bodily injury, and property policies—while they may provide silent coverage for property—do not provide affirmative coverage.

AIG is one company that has addressed this need. For energy, manufacturing, and transportation companies, Grella says that cyber attacks causing physical damage or bodily injury are a major exposure. “They want affirmative coverage, not just silent coverage,” she says. “We wanted to come out with a product that says, 'If you want affirmative coverage, you buy this policy and you will have affirmative coverage.' That's when we developed CyberEdge PC.”

Boeck says industry solutions for the risk of physical damage and bodily injury are “still in the formative stage,” and adds that many companies may not realize coverage exists. But he says the industry understands the need and he is confident that more solutions will be forthcoming.

Ransomware and Social Engineering

Parisi notes this issue is part of a convergence of the cyber realm and the real world that the industry has its eye on. Ransomware and, increasingly, social engineering attacks are on the rise—and represent another significant concern among buyers and the industry. Multiple experts mentioned the $17,000 payment in bitcoins that the Los Angeles-based Hollywood Presbyterian Medical Center made earlier this year after a hacker seized control of its systems.

Boeck notes ransomware attacks are hitting everyone from individuals to large businesses, and while this threat may not be new, it is “something that is certainly on everyone's radar.”

Derigiotis says there is coverage and adequate limits for ransomware attacks, but coverage for social engineering losses, while available, is tougher to secure. These events result when employees are tricked into giving money away, rather than when someone hacks into the system. For example, employees may get an email from someone they think is their CEO or CFO asking for payroll information, Derigiotis says, or for a wire transfer of funds.

If an employee willfully gives money away, Derigiotis notes, it is not typically covered by a crime policy; a social engineering component must be built into the insurance solution.

Experts note a particular rise in claims stemming from hackers: Dagostino says carriers are responding with more stringent underwriting standards when crafting these highly bespoke policies. There is a sharper focus on making sure sensitive information is encrypted, he says, adding that carriers also are looking at the culture around organizations. Is there a culture around privacy? Do employees understand their responsibility?

Dagostino says hackers are not necessarily getting smarter, but they are getting faster. He says zero-day-exploit kits, for example, allow hackers to launch attacks more rapidly and win the race between perpetrators trying to exploit holes and developers trying to patch them.

Pricing habits are also changing. “There's no more reckless abandon,” Parisi says. “That ship has sailed.” He says carriers have reacted to being on the hook for big claims in recent years, and insurers are demonstrating a maturity in the marketplace that's been long overdue.

Still, as with other evolving cyber risks, the industry is working on solutions. Damian Caracciolo, vice president, Executive Protection Practice, CBIZ Inc., says of social engineering, “Three years ago, that was not even contemplated in terms of coverage.” If insureds had a claim, they would have to work through the policy to determine whether coverage existed somewhere. Now, he adds, carriers are proactive in providing endorsements or building the coverage into new policies.

“It's not revolutionary, but it is evolving at a speed much quicker than [what] we have seen in other liability policies,” Caracciolo says of insurers' efforts to deliver meaningful cyber products and stay ahead of the risks. With the high level of demand, cyber can be an attractive area of focus for insurers, particularly as the commercial and specialty markets remain competitive. “I think cyber liability is an area a lot of carriers and wholesale and retail brokers want to be in because it's an area that's going to carry them through this soft market we're in right now,” Derigiotis says.

“If you're not involved in it, you're going to be left behind,” he adds. “If you're not talking to your client about cyber liability, it's guaranteed someone else is speaking to your client.”


© 2024 ALM Global, LLC, All Rights Reserved.