Cybersecurity Insurance Explosion Poses Challenges

By Stephen Joyce

Dec. 22 — Cybersecurity insurers may see premiums gross income rise by 300 percent or more in the next five years, even as the product's pricing and composition continue to evolve, insurance specialists and others told Bloomberg BNA.

It took about 15 years, or until about 2012, for cybersecurity insurance to increase from the first cybersecurity policies ever written in the U.S. to about $1 billion in gross written premiums, the specialists said. 

(Click image to enlarge.)

PSLR image 0104

A combination of high-profile breaches, increased state and federal statutes and guidance and continued efforts to educate brokers and potential insureds may drive premium revenue to $2.75 billion by the end of 2015 and perhaps $7.5 billion by 2020, they predict. Tracy Dolin, Standard & Poor's Ratings Services analyst, estimated the market could reach $10 billion by 2025.

“Our organization is looking to grow this portfolio significantly over the next two to three years. We see opportunity in additional industries such as associations. We see opportunities in law firms. We see opportunities in life science companies. There are a lot of other organizations that we're now seeing buy this cover,” Toby Merrill, ACE Group global cybersecurity risk practice division senior vice president, said.

That expected rapid sales growth is occurring as the cybersecurity insurance market is still viewed by many specialists as a product in its nascent stages with no real standardization surrounding its pricing, terms and conditions, and even the language used in policies, which could lead to uncertainty regarding just what policy holders are buying.

Wild West or Stabilizing?

The specialists' thinking on the development of the cybersecurity product somewhat differed, with some saying the market is moving toward uniform pricing and products while others offered a different view.

Deloitte & Touche LLP Principal Adam Thomas said in some ways, the cybersecurity insurance market still resembles “the Wild, Wild West,” with companies hoping to buy protection against infrastructure intrusions or privacy liability but could end up with policies offering no protection against either risk, providing little more than a false sense of security.

Others tended to agree. “The market is immature, pricing is all over the place,” Howard Mills, a former New York insurance department superintendent and now Deloitte LLP global insurance regulatory leader, said. “Clearly there is a need, so you're going to see a very high degree of effort expended on the part of the industry to try to commercialize this opportunity as much as they can. But they've got to do so at a reasonable risk,” he said.

Robert Hartwig, Insurance Information Institute president, said cybersecurity insurance “has a very, very bright future for insurers certainly, but more importantly it fills a gap, a void, that virtually every business in America has.”

“The product essentially advertises itself, given that almost every week there is another announcement of another major corporation having been breached,” he said.

Beazley Plc Focus Group Leader Paul Bantick said it is “very rare in an insurance person's career that a new product not only takes off but provides real benefit and value to the insureds, that's seen as a must-have product. And that's what this has become.”

Underwriting Challenges 

Demand for cybersecurity insurance at times outstrips carriers' willingness to write specific policies, meaning some companies simply go without adequate coverage. Meantime, the largest U.S. companies sometimes can't find coverage exceeding $100 million, exposing them to uninsured costs associated with the largest breach incidents.

Target Corp. for example said in a Securities and Exchange Commission filing that during the first 11 months of 2014 it realized $248 million in cumulative expenses due to the breach of its payment card systems and received $90 million in insurance payouts, leaving the firm to absorb a $158 million loss.

Despite the uptick in demand for cybersecurity insurance, many carriers are hesitant to offer the product aggressively because they neither have robust historical data to construct adequate risk models nor have a solid understanding of the risks associated with providing the coverage, Standard & Poor's Credit Services Analyst Sridhar Manyem said.

Buyers and sellers are adjusting to the fluid situation. Catherine Mulligan, Zurich North American Insurance Co. senior vice president (speciality products) said that “one of the things that is evolving is the underwriting process. Attack vectors are changing, technologies are evolving, so as underwriters we are always working to understand the full scope of the exposures and what the controls might need to be.”

“We will see a lot of product evolution. Clearly there is a need, so you're going to see a very high degree of effort expended on the part of the industry to try to commercialize this opportunity as much as they can, But they've got to do so at a reasonable risk,” Deloitte's Mills said.

Bespoke Policies 

Many policies continue to be bespoke, written specifically for an individual entity, John Lucker, Deloitte Consulting LLP principal who leads Deloitte’s advanced analytics & modeling practice, said. “There is not really a standard cybersecurity risk policy at this point in time. The industry is really trying to figure this out,” he said.

“Very simply, many in the industry believe they don't really have a firm grasp of the risk and the revenue they can get from premium for writing cybersecurity because the potential damages are so great. So while there are cybersecurity coverages available, there is not as much choice in the market right now,” Mills said. Companies that simply got the risk analysis wrong, or their pricing wrong, have exited the market. While about 60 carriers offered cybersecurity insurance a few years ago, that number has shrunk to about 50, with fewer than a dozen holding significant market share in the U.S., a June report issued by Standard and Poor's Ratings Services said.

Although it is true that cybersecurity-incident historical data isn't as robust as say, data on automobile loss ratios, insurance professionals can nevertheless assess a company's risks. “You're not just looking at systems security, but also at some of the indirect aspects of the business: is there a culture of risk management, do they do employee background checks,” Tim Francis, enterprise lead for cybersecurity insurance at Travelers, said.

“The stand-alone cybersecurity insurance policy will continue to evolve but development will bring challenges, with many concepts and wordings yet to be tested, potentially resulting in litigation. This is not unusual with new products and can improve risk knowledge,” a September 2015 Allianz Global Corporate & Specialty SE report said.

To contact the reporter on this story: Stephen Joyce in New York at sjoyce@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

  


Request Bloomberg Law: Privacy & Data Security now