The ever-shifting cyberscape of laptops, cell phones, and cloud computing has made cyber liability a fast-emerging exposure in the 21st century business world, and insurers are stepping up with coverages. At the Casualty Actuarial Society’s Seminar on Reinsurance, held June 4-5 in Boston, actuaries learned what cyber liability insurance covers, who is buying it and, in a general way, how insurers and reinsurers estimate its price.
The coverage, which most insurers have only recently started offering, covers two distinct risks, said Jane Taylor, a consulting actuary at Huggins Actuarial Services.
Most companies don’t fully recognize the risk, she said. A recent Towers Watson survey indicated that 72 percent of large U.S. companies do not have cyber liability insurance. Two-thirds believe they don’t have significant data exposure, since they believe their internal controls are adequate.
“I think that might be hubris,” Taylor said.
But the business is growing, said Michael L. McCarthy, a vice president of professional liability treaty reinsurance at Axis Capital. He estimated the market at about $500 million in premium per year, most of it in the United States, and growing at 10 percent to 25 percent per year. More than 30 companies write the business.
Typical buyers include educators, health care companies, financial institutions, internet providers, and communication firms. Originally large companies were the main buyers, but that has shifted, McCarthy said, as smaller and mid-sized companies are picking up the coverage.
John Merchant, a director and underwriter at Freedom Specialty Insurance Company – part of the Nationwide Group – divided coverage into five broad categories:
– Liability coverage, which covers damages from loss or compromise of sensitive third-party data, like patient medical records. It also covers liability arising from damage to a third party’s network because the insured’s network caused a data breach, for example when a virus traceable to the insured’s network infects another network. And it covers e-media issues, like libel or slander or misuse of a company’s trademark.
– Expense coverage, which covers the cost to notify every person whose privacy has been breached. Often that includes providing the victim services like credit monitoring, identity theft monitoring or restoration of a stolen identity.
– Regulatory coverage, which covers the company’s costs if the breach triggers investigation by state or federal authorities.
– Industry group coverage, which handles fines assessed by industry associations for data breaches. For example, Visa, MasterCard and Discover have established a Payment Card Industry-Data Security Standard. If a credit card issuer fails to adhere to the standard, it can be fined. The coverage handles the fine.
– First party coverage, which handles loss of revenue from network interruptions caused by a security breach, or the cost of restoring lost data.
Of course, insurers offering the coverage have to underwrite the policy and set a price for it. In the early days of the coverage, around a decade ago, rates were based on a company’s revenues, Merchant said. That didn’t work too well, because the risk doesn’t depend on what the company sells; it depends on how many records of private information it holds.
He compared a manufacturer of clothes hangers, with $1 billion in revenues but few employees and little in the way of sensitive information, with a radiology clinic. The clinic might have only $20 million in revenues, but it sees hundreds of patients a month, and it keeps records going back seven or eight years.
“They are amassing quite a stockpile of sensitive information,” Merchant said.
Clearly the radiology clinic has more cyber liability exposure. But if rates were based on revenues, the manufacturer would pay a higher premium.
Underwriters look at the number of sensitive records; what the records contain; how much regulatory exposure the company has; what IT security controls are in place; and how many outside vendors have access to the network. (Many breaches come from a vendor, not the company itself.)
They also like to see companies that use a ‘holistic approach’ to data issues. If the underwriter asks a non-IT person about tech security, Merchant said, “the answer isn’t, ‘The tech guys take care of that.’” Underwriters generally prefer that a committee across all business disciplines monitor cyber-security.
New insureds typically fill out a long application – 15 to 20 pages. Underwriters also scrutinize public filings. (The Securities and Exchange Commission encourages companies to disclose their cyber risk.) They also look at loss runs and third-party security assessments, in which companies pay for an independent review of their network security.
Claims are generally handled in-house, Merchant said. Risk managers are often quite interested in how the insurer handles cyber liability claims. Once there is a claim, the claimant is upset; the risk manager is working in a new realm of insurance, so the insurer’s expertise is important.
Cyber claims management includes tracking legal bills, which can mount quickly, and rapidly assessing what steps are needed. The insurer’s claims handlers act as “breach coaches,” and they often talk the insured “off a cliff,” Merchant said, reminding them that if a lost computer is properly encrypted, they do not need to spend $1 million notifying people whose names may be on the computer.
The challenge for actuaries, of course, is how to determine the price. Usually actuaries use a body of claims from the past to project to the future, while taking into account trends in claim size and frequency. But cyber coverage is so new, few claims exist.
Some companies base the rates on miscellaneous errors and omissions rates, McCarthy said. Others attempt more sophisticated analysis. Lately, he said, rates have been falling as new entrants try to break into the market, but he predicted rates would stabilize as more companies enter the market and the number of claims grows, making the future easier to predict.