


At Year End 2017, Will Your Organization Be Protected from Cyber Risks?

We are approaching one of the busiest seasons, not just for the holidays, but for new business and renewals in the specialty lines insurance business. With the approaching dates of 12/31 and 1/1, I wonder whether, despite the broad knowledge of data breaches and cybercrime, the markets have still not persuaded enough people of the value in buying cyber liability insurance. Recent surveys seem to indicate not. In other cases, it seems that many who are persuaded to buy may be confident enough to state that they know that they are buying the best coverage for themselves or how to utilize the coverage they buy in the event of an incident.


The past year has seen many major new data breaches making headlines. Experian, with over 143 million accounts breached, and Uber, with 57 million announced more recently, are just a few of the many organizations big and small that have failed to protect private data (and private health information in some cases) from hackers.


In addition, thousands of organizations have been victimized by ransomware holding their systems hostage, and while the payments made by many are individually rather small (most historically resolved for about $300 or less), the time that systems are offline has cost businesses millions more in lost income.

Cyber criminals have also been busy. According to FBI data, Business E-mail Compromise scams have caused more than $5 billion in losses in the past few years. These scams are carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. The scam has evolved to include compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds. The victims of the BEC/EAC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. The FBI has tracked fraudulent transfers to 103 countries.

Nevertheless, numerous surveys report that close to 40% of US entities are still not buying cyber liability insurance. They seem to believe that insurance coverage is either not broad enough or too expensive in comparison with their expected losses.

Another recent survey, conducted by Ovum and FICO, found that of 350 companies polled, fewer than 50% of US companies purchased cyber liability insurance. The 350 companies ranged in size from fewer than 1,000 employees (30 percent) to over 10,000 (25 percent), with nearly half of them (45 percent) somewhere in between.

Half of U.S. businesses reported having cyber insurance, although only about a third of those (16 percent of the whole sample) were confident that it covers all their risks. Just under a quarter more (23 percent) reported plans to buy insurance in the coming year. The U.S. lags the U.K., where 69 percent report having at least some cyber insurance and 28 percent say it covers all risks.  It also trails Canada and Sweden in the percentage who buy and believe it covers all their risks. 

Lagging even more — health care. None of the U.S. health care firms questioned in the survey said they had insurance that covers all their risk, while 74 percent reported no cybersecurity insurance at all.

Given this backdrop, with more than 80 insurance companies offering cyber liability policies at different price levels in the USA and using quite different policy forms (some on admitted paper and some on surplus lines paper), it is no wonder that many eligible buyers are cautious about parting with premium dollars when the benefit of buying coverage is questionable in their eyes. In addition, while large private and governmental organizations have been the focus of the major carriers for many years and many have been able to buy manuscript policy forms, small and medium enterprises (SMEs) are offered coverage that often seems quite limited in comparison. Also, coverages continue to evolve, as many carriers in their quest for market share are broadening coverages in their policy forms to better help an insured with post-breach costs.

Meanwhile, property/casualty insurers reported $1.35 billion in premium for cyber insurance in 2016. This was a 35% increase from 2015, according to Fitch Ratings. A.M. Best reported that the direct loss ratio in cyber decreased from 51.4% in 2015 to 46.9% in 2016. Further, while many buyers are mystified by the premiums, recent news indicates that despite the high number of publicized breaches, premiums are decreasing in most industries, including regulated industries such as healthcare and social services, and financial services. A few sectors have seen rate increases, most particularly information companies and arts, entertainment and recreation. Thus, many buyers are benefiting from the competition for market share among the insurance carriers.

At the same time, many SME buyers question the premiums charged by carriers when they see their risks as minimal or only partially covered by the coverage offered to them. Even some larger organizations are dubious about whether the premium is worth paying if the likely loss is such a small percentage of their revenues.

Nevertheless, recent reports from the National Small Business Association (NSBA) for 2015 showed that 42% of small businesses had fallen victim to a cyber-attack. Of small businesses, most of which lack significant IT and security resources, only 15% offered cyber training to employees, according to a 2016 Better Business Bureau report. The NSBA also found that the average loss was $32,021. This is often more than many small businesses can afford. Among larger accounts, many have paid millions of dollars to resolve their cyber incidents (Anthem, for example, recently announced the largest known settlement for a cyber breach, agreeing to pay $115 million to consumers).

For larger accounts (and SMEs that buy the appropriate coverage), having quick access to public relations, breach response services, and forensic services at a pre-event negotiated rate is a major benefit of buying cyber liability coverage even if the limits bought are not adequate in some cases to cover possible losses in full.

Thus, when 12/31 and 1/1, two of the busiest dates for new business and renewals in the specialty lines business, roll around, will many buyers be happy with the coverage they buy and the premiums they pay? If recent surveys are accurate, many organizations will not be satisfied and will either view themselves as partially covered or feel that they are paying premium for little value in return, despite a softening cyber liability market and the continued broadening of coverage by insurance carriers. Others will not buy at all given their concerns and the mysteries of the cyber liability market. Further, many of the SMEs who buy cyber liability will not understand the coverage they buy nor how they can use it in the event of a covered event, or will buy such small limits as to be insufficient for any real situation.

Would standardization of policy forms help reduce the mystery? Undoubtedly, for some. The Insurance Services Office (ISO) has recently announced its cyber liability form, which it offers to carriers for use. If some carriers, most likely the smaller ones and those newer to the market, decide to use the ISO forms and rates, there could be some standardization seen. However, the speed of change in the cyber world and competition between carriers seem likely to make standardization slow to occur in the near term, particularly given the expense and efforts made by many of the carriers to offer differential or “unique” levels of coverage to gain advantage in the market. With the speed of change in the cyber world, it may be foolish to think that the changing risks will be able to be standardized any time soon.

Thus, it is increasingly important for many SMEs and even larger organizations to have independent counsel who is familiar with the carriers, the state of the market, how claims work, and how to evaluate the insurance coverages offered, to ensure that they are buying efficiently and effectively for their specific risk exposures. Relying on a package policy or considering only one or two options is not likely to be in an organization’s best interest. Those organizations served by the largest and most sophisticated brokers and buying manuscript coverage are already sophisticated buyers. But for many of the rest, as long as the cyber world keeps evolving, it will be prudent to get as much knowledge as possible on their side of the table.

Keith B. Daniels, Jr., J.D. is a graduate of the University of Wisconsin Law School and has worked as coverage counsel handling cyber liability claims, as an underwriter and developer of cyber products for Lloyd's of London and US carriers. He is the founder of CyberCounsel and provides independent advice to carriers in the development of new products and the assessment of market opportunities and to entities interested in an independent evaluation of the adequacy and scope of coverage for cyber and other specialty lines of coverage. He is also available to provide expert witness services. He can be reached at 715-379-6511 or at
