As Data Breach Costs Rise, Cyber Insurance Looks Good

Brendan Monaghan, vice president of BancorpSouth Insurance Services, says cybersecurity insurance costs have fallen. (Karen E. Segrave)

As data breach costs continue to rise — averaging $7.35 million this year — the cybersecurity insurance market is growing and evolving.

It was worth $2.5 billion in 2016, according to a report to the National Association of Insurance Commissioners.

Companies are more interested in cyber liability coverage because they are more aware of vulnerabilities to hacking and the havoc it can wreak on any business, longtime cyber liability insurance advocate Brendan Monaghan of Little Rock told Arkansas Business.

Cyber liability coverage can cover costs associated with a breach, including the expense of investigating the breach, notifying individuals whose information was compromised, hiring a public relations team or crisis management firm to repair the insured’s reputation, expenses associated with a halt in business operations and ransom demanded for records that are held hostage by hackers.

Those expenses are increasing too. The average cost of a breach in the United States rose by 5 percent from February 2016 to March 2017, according to the Ponemon Institute’s 2017 Cost of Data Breach Study, sponsored by IBM Security of Cambridge, Massachusetts.

A breach can be devastating, and that’s why Monaghan, vice president of BancorpSouth Insurance Services Inc. in Little Rock, has been speaking to groups about cyber liability for years.

“Four years ago, a lot of what I was doing was education because the number of known data breaches was much smaller back then, and it was really more about raising awareness,” he said.

Data Breaches Soar
A record 1,093 data breaches hit U.S. companies and government agencies last year, up 40 percent from 2015, according to the Identity Theft Resource Center, a nonprofit based in San Diego. One caveat to that statistic: Breaches have been underreported in the past and new state laws are helping to make them public knowledge.

“Cyber [insurance] has actually come down in cost substantially from what it was five to 10 years ago,” Monaghan said. “So we’ve had this decrease in pricing, which of course has made it more attractive to more business owners, along with an increase in the level of awareness.” He said small businesses generally pay less than $1,500 a year for the coverage, and often the premiums are less than $1,000.

The annual premium for larger businesses can vary, Monaghan said.

Premiums depend on the type and size of the business and how many records it has. The larger it is and the more records it has, the more expensive insurance will be. Higher-risk businesses will also pay more. Those include companies in more regulated industries, like health care and financial services.

Health care entities, for example, must comply with cybersecurity regulations surrounding the Health Insurance Portability & Accountability Act of 1996, which can be more stringent than state laws. They could also be fined after a breach if their cybersecurity protocols and procedures don’t meet standards. A claim from a health care entity will often cost the insurance company more than a claim from a business that doesn’t have to comply with federal law.

“For a larger business in the greater Little Rock area, depending on what they do, it could be $20,000. It could hit $50,000 if they’re large and have lots of records, particularly if they’re in the medical space,” Monaghan said. “It’s really hard for me to put a number on the top end.”

Insurance Options
Options here include Arkansas Mutual Insurance Co. of Little Rock, which has teamed up with NAS Insurance of Los Angeles to offer cyber liability insurance on all of the medical malpractice policies that AMIC writes. The firm has been providing cyber liability at no charge for two years, according to Joyce Wilson, director of customer service.

“The limit that we provide depends on the type and size of an account. Increased limits are offered for a price which also depends on the type and size of an account … but it is not expensive when written in conjunction with our medical malpractice policies. Claims service has been excellent. We have not had any large cyber liability claims paid, but our cyber liability team has provided useful information when incidents could result in a claim,” Wilson wrote in an email to Arkansas Business.

Arkansas Mutual policies include $100,000 in coverage with no deductible for each of the following: multimedia liability, security and privacy liability, privacy regulatory defense and penalties, breach response costs, network asset protection, cyber extortion and cyber terrorism. Their insured can qualify to purchase up to $10 million in coverage.

Arkansas Blue Cross & Blue Shield agents also offer cyber liability insurance. Limits are $250,000, $500,000, $1 million or $2 million per claim.

Other Arkansas entities that help connect businesses to cyber insurance include Central Arkansas Insurance Associates of North Little Rock; Brown & Brown of Arkansas Inc., which has offices in Little Rock, Russellville and Springdale; Campbell & Campbell Insurance of Camden; and First Arkansas Insurance of Pine Bluff.

There are also two types of coverage for businesses to buy, Monaghan said: first-party and third-party. First-party coverage protects the insured business when it is the victim of a data breach.

Third-party coverage protects the insured business from a class-action suit or other fallout from affected companies that the insured does business with. Monaghan said there is not yet a widely adopted standard cyber liability policy.

But Insurance Services Office Inc. launched a program in July that offers projections of how much money an insurer will have to pay to cover cyber insurance claims, plus the cost of administering and investigating the claims.

ISO, a subsidiary of Verisk Analytics of Jersey City, New Jersey, uses 17 different rating variables to provide those projections across various industries.

Its plan uses predictive analytics applied to more than 32,000 breach cases, and ISO says it can help insurers refine pricing by examining overlooked risk factors and providing cyber-specific rating factors for best practices. Risk factors include years in business and revenue per employee; rating factors include data encryption and employee training.

The ISO program also features new coverage options for small and midsize businesses, large commercial enterprises, government and nonprofit organizations and financial services and media companies. ISO says its products are flexible so that insurers can tailor coverages, limits, waiting periods and deductibles to the needs of their insured.

Monaghan noted that some carriers mimic a unique offering from Beazley Insurance Co. of Farmington, Connecticut, which has the largest market share of cyber liability insurance.

Beazley gives the insured a dollar limit for coverage and a separate limit per notified individual, so that the cost of offering credit monitoring and notifying customers or clients whose information has been compromised doesn’t erode the insured’s coverage limit.

Methods of Sale Vary
Policies also vary in how they are sold.

More than 500 insurers offered cybersecurity insurance last year, and three-fourths offered it as part of a package, according to the report insurers filed with the National Association of Insurance Commissioners, a standard-setting and regulatory support organization.

But standalone policies are on the rise. Written premium for those rose by 90 percent from 2015 to $921 million in 2016, according to the report. Monaghan favors the standalone policies.

For one thing, he said, limits tend to be lower when carriers offer the coverage as an add-on.

Another reason is that “particularly for professional services companies, law firms, etc., you don’t want to have a data breach impacting your professional loss history because now you’re starting conversations with insurance companies from a point of explanation and defense,” Monaghan said. The insured wouldn’t want insurance companies to think their business is a greater risk to insure because of a data breach that wasn’t the insured’s fault, he said.

Monaghan also said a business could end up with one limit for both cyber claims and other types of claims, such as employment practices claims.

That’s not desirable either, he said. It could result in the insured using up all or part of the insurance money after a data breach and not having enough insurance money to cover something else, like an employment discrimination suit.

Monaghan said transferring the risk is cleaner and makes it easier for businesses to shop around. Perhaps the best insurance company to provide a business with employment practices liability coverage isn’t the best insurance company to provide it with cyber liability insurance, for example.

Regardless of what an insurer offers and how, cyber liability insurance is “a potentially huge, but still largely untapped, opportunity for insurers and reinsurers,” according to global professional services network PwC, which has predicted that annual gross written premiums will increase from almost $2.5 billion in 2016 to $7.5 billion by the end of 2020.