At Year End 2017, Will Your Organization Be Protected from Cyber Risks?
Keith Daniels | December 13, 2017
We are approaching one of the busiest seasons, not just for the Holidays, but for new business and renewals in the specialty lines insurance business. With the approaching dates of 12/31 and 1/1, I wonder if despite the broad knowledge of data breaches and cybercrime if the markets have still not persuaded enough people of the value in buying cyberliability insurance. Recent surveys seem to indicate not. In other cases, it seems that many who are persuaded to buy, may be confident enough to state that they know that they are buying the best coverage for themselves or how to utilize the coverage they buy in the event of an incident.
The past year has seen many major new data breaches making headlines, Experian with over 143 million accounts breached and Uber with 57 million announced more recently, are just a few of the many organizations big and small who have failed to protect private data (and private health information in some cases) from hackers.
In addition, thousands of organizations have been victimized by ransomware holding their systems hostage and while the payments made by many are individually rather small (most historically resolved for about $300 or less), the time that systems are off line has cost businesses millions more in lost income.
Cyber criminals have also been busy. According to FBI data more than $5 billion in losses due to Business E-mail Compromise scams has happened in the past few years. These scams are carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. The scam has evolved to include the compromising of legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds. The victims of the BEC/EAC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. The FBI has tracked fraudulent transfers to 103 countries.
Nevertheless, numerous surveys, report that close to 40% of US entities are still not buying cyber liability insurance. They seem to believe that insurance coverage is either not broad enough or too expensive in comparison with their expected losses (https://www.statista.com/topics/2445/cyber-insurance/).
Another recent survey conducted by Ovum and FICO, found that of 350 companies polled, less than 50% of US companies purchased cyber liability insurance. The 350 companies ranged in size from fewer than 1,000 employees (30 percent) to over 10,000 (25 percent) with nearly half of them (45 percent) somewhere in between.
Half of U.S. businesses reported having cyber insurance, although only about a third of those (16 percent of the whole sample) were confident that it covers all their risks. Just under a quarter more (23 percent) reported plans to buy insurance in the coming year. The U.S. lags the U.K., where 69 percent report having at least some cyber insurance and 28 percent say it covers all risks. It also trails Canada and Sweden in the percentage who buy and believe it covers all their risks.
Lagging even more — health care. None of the U.S. health care firms questioned in the survey said they had insurance that covers all their risk, while 74 percent reported no cybersecurity insurance at all. (https://www.cyberscoop.com/half-u-s-firms-cyber-insurance-fewer-u-k-canada/)
Given this backdrop, with more than 80 insurance companies offering cyber liability policies at different price levels in the USA and using quite different policy forms (some on admitted paper and some on surplus lines paper), it is no wonder that many eligible buyers are cautious to part with premium dollars when the benefit of buying coverage is questionable in their eyes. In addition, while large private and governmental organizations have been the focus of the major carriers for many years and many have been able to buy manuscript policy forms, small and medium enterprises (SMEs) are offered coverage that often seems quite limited in comparison. Also coverages continue to evolve, as many carriers in their quest for market share are broadening coverages in their policy forms to better help an insured with post-breach costs.
Meanwhile, property/casualty insurers reported $1.35 billion in premium for cyber insurance in 2016. This was a 35% increase from 2015 according to Fitch Ratings. A.M. Best reported that direct loss ratio in cyber decreased from 51.4% in 2015 to 46.9% in 2016. Further, while many buyers are mystified by the premiums, interestingly, recent news indicates that despite the high number of publicized breaches, in most industries, premiums are on the decrease, including in regulated industries such as healthcare and social services, and financial services. A few sectors have seen rate increases, most particularly information companies and for arts, entertainment and recreation. Thus, many buyers are benefitting by the competition for market share among the insurance carriers.
At the same time, many SME buyers question the premiums charged by carriers when they see their risks as minimal or only partially covered by the coverage offered to them. Even some larger organizations are dubious about if the premium is worth paying if the likely loss is such a small percentage of their revenues.
Nevertheless, recent reports from the National Small Business Association (NSBA) for 2015 showed that 42% of small businesses had fallen victim to a cyber-attack. Of small businesses, most who lack significant IT and security resources, only 15% offered cyber training to employees, according to a 2016 Better Business Bureau report. The NSBA also found that the average loss was $32,021. This is often more than many small businesses can afford. Larger accounts have seen many pay millions of dollars to resolve their cyber incidents (Anthem, for example, recently announced the largest known settlement for a cyber breach agreeing to pay $115 million to consumers).
For larger accounts (and SMEs that buy the appropriate coverage), having quick access to public relations, breach response services, and forensic services at a pre-event negotiated rate is a major benefit of buying cyber liability coverage even if the limits bought are not adequate in some cases to cover possible losses in full.
Thus, when 12/31 and 1/1, two of the busiest dates for new business and renewals in the specialty lines business roll around, will many buyers be happy with the coverage they buy and the premiums they pay? If recent surveys are accurate, many organizations will not be satisfied and either view themselves as partially covered or will feel that they are paying premium for little value in return despite a softening cyber liability market and the continued broadening of coverage by insurance carriers. Others, will not buy at all given their concerns and the mysteries of the cyber liability market. Further, many of the SMEs who buy cyber liability will not understand the coverage they buy nor how they can use it in the event of a covered event or buy such small limits as to be insufficient for any real situation.
Would standardization of policy forms help reduce the mystery? Undoubtedly, for some. The Insurance Services Office (ISO) has recently announced its cyber liability form which it offers to carriers for use. If some carriers, most likely smaller and newer to market ones, decide to use the ISO forms and rates, there could be some standardization seen. However, the speed of change in the cyber world and competition between carriers seems likely to make standardization slow to occur in the near term particularly given the expense and efforts made by many of the carriers to offer differential or “unique” levels of coverage to gain advantage in the market. With the speed of change in the cyber world, it may be foolish to think that the changing risks will be able to be standardized any time soon.
Thus, it is increasing important, for many SMEs and even larger organizations to have independent counsel who is familiar with the carriers, the state of the market, how claims work, and how to evaluate the insurance coverages offered to ensure that they are buying efficiently and effectively for their specific risk exposures. Relying on a package policy or on considering only one or two options is not likely to be in an organization’s best interest. For those organizations served by the largest and most sophisticated brokers and buying manuscript coverage, they are already sophisticated buyers. But, for many of the rest, as long as the cyber world keeps evolving, it will be prudent for them to get as much knowledge as possible on their side of the table.
Keith B. Daniels, Jr., J.D. is a graduate of the University of Wisconsin Law School and has worked as coverage counsel handling cyber liability claims, as an underwriter and developer of cyber products for Lloyds of London and US carriers. He is the founder of CyberCounsel and provides independent advice to carriers in the development of new products and the assessment of market opportunities and to entities interested in an independent evaluation of the adequacy and scope of coverage for cyber and other specialty lines of coverage. He is also available to provide expert witness services. He can be reached at 715-379-6511 or at email@example.com.
- Enterprise Architecture in an Agile World
- Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data
- Industry Insight: 4 Global Insurance Trends in Digital, Data, Content Services and Security
- Diving Deeper into Prioritizing Your Strategic Digital investments
- Why Content Rules
- How Mass Personalization Will Open the Small Business Benefits Market
- At Year End 2017, Will Your Organization Be Protected from Cyber Risks?
- Do Insurance Bots Dream of Mitigating Risk?
- Conditioned to Respond
- Managing & Mobilizing Insurance Data in a Connected World
- Race to the Finish Line
- New Tools, New Opportunities in Claims
- ITA LIVE: Reaching Insurance Industry Crossroads
- Advice to Insurance IT Leaders: Keep Your Eye on the Ball
- New Date, Venue for ITA LIVE 2017
- Guidewire Makes Major Push to Small and Midtier Market by Acquiring ISCS
- Insurance Disruption is Happening Right Now
- Insurity Adds Strategic Investment Partner, General Atlantic
- Beyond Transformation: The Convergence of Finance, Risk, and Actuarial Functions
- The Rapid Evolution of Consumer Protection Regulation
- Talent Hunt: Finding, Attracting, Retaining Top People
- Insurers Flexing Their Distribution Models
- Technology Driving Disruption in Insurance
- Fear of ‘Next Bubble’ Challenges Life, Annuity Carriers
- Technology Allows Commercial Lines Insurers to Stand Out
- Single Sign-on Viewed as Biggest Tech Challenge for Agencies
- ISCS Observes 20th Anniversary; Scurto Predicts Major Changes Ahead
- Policyholders and Their First Impressions
- Progressive Making Progress on the UBI Front
- High and Dry: Insurers Search for Disaster Recovery Plans
- Insurers Sign The (Un)Dotted Line
- Reflections of a Retired Insurance CIO
- Mobile Device Management Just One Answer to BYOD Issue
- Lessons from GEICO and Progressive on Winning the Critical Buying Stage
- You Are a Target for a Cyber Attack
- Web-based Systems are the Next Evolution in Claims Technology
- Gaining a “Wow” Experience from Web Users
- Time to Shift from Business/IT Alignment to Business/IT Alliance
- Healthcare Insurers Changing to Consumer Model
- Organization is the Key for Selecting Software Vendors
- Analysts Expound on the Needs of the Mid-tier Insurance Market
- Finding the Cure for Obamacare’s Website
- New Software Solutions Benefit Insurers on the Inside and Outside
- Products, Market Impede Investment in Systems for Life Insurers
- Combatting Cyber Threats: Predict, Prevent, Persist
- The Future of Telematics Heads Beyond Insurance
- The Shame in Cyber Security Lapses
- Building Policy Administration Systems for the Future
- Insurers Look Into The Eyes of Their Policyholders
- It’s a New Dawn for the ITA
INSURANCE IT NEWS
- Tower Selects EIS Group’s Insurance Platform to Drive Transformation
- NTUC Income Selects Majesco Distribution Management and Majesco Digital Solutions to Advance its Distribution Management Operation
- Emerson Reid Modernizes Its Business Processes With VUE Software
- Octo Telematics Powers CAA MyPace™ Pay-As-You-Go Program
- Announcing the Solartis Insure Microservice Hackathon
- DataCubes Completes Plug and Play Tech Accelerator Program
- Medical Mutual of Ohio Implements One Inc Digital Payments
- SUNZ Insurance in Production with Sapiens’ Workers’ Compensation CompSuite® Policy System
The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.
ITA is pleased to present the 2014 Webinar Series. We have many topics for you to choose from and attendance is open to all ITA members. The webinar topics are current and exciting — ranging from predictive analytics to telematics and will focus on the direction insurance carriers need to follow for the future. All webinars are presented by insurance IT professionals along with some of the leading analysts and consultants in the field. There is no cost to attend an ITA webinar. For more information and to register for the webinar, click the “title” of the webinar below.
BLOGS AND COLUMNS
It has become a common refrain over the past few years to view the practice of enterprise architecture (EA) as something that time has passed by, much... READ MORE
One important trend in society over the past decade is our increasing ability to create and consume a seemingly unlimited amount of digital content... READ MORE
You have surely heard it said that small businesses are the growth engine for America. Today, the phrase has a special ring to it for benefits... READ MORE
With stagnant growth and lingering low interest rates, the life insurance industry faces a challenging future... READ MORE
Finding insurance carriers willing to write commercial lines risks has always been a challenge for producers... READ MORE
As Guidewire Software prepares for the start of Connections, its 11th annual user conference that begins on Nov. 2, Brian Desmond, chief marketing... READ MORE
Fraud detection has always been and will continue to be a critical component of claims management. Learning the lessons from current claims Straight... READ MORE
- Vendor Views