The Evolution of Cyber Insurance – How we got here and where are we going?
Here is a link to our Presentation on the History of Cyber Insurance.
In the late 90’s as technology evolved so did risks related to technology. As technology companies grew they wanted to transfer some of this risk, and the first technology policies started to evolve. Many of the early technology companies also had growing media / content related exposure. As such, the first policies written to address this exposure were written to address online content or software. Over time technology and these policies have evolved extensively, and this should continue for the foreseeable future.
The first cyber / internet policies started to appear in the market in the late 90’s. Many people take credit for writing the first cyber policy, and most of the first policies varied in their basic coverages. Some were media policies that began covering online media, and some were EDP policies (errors in data processing). They generally evolved from professional liability policies for software and media risks.
In the early 2000’s the online media policies started to cover “unauthorized access”, “network security”, and “virus” related claims. These policies generally had a lot of exclusions that most professional liability policies would have for things like rogue employees, regulatory claims, fines and penalties, and there was no first party coverage.
In the mid 2000’s policies evolved to add some 1st party coverages. These would include Cyber Business Interruption, Cyber Extortion, and Network Asset Damage. Some software related policies started to evolve to add a sublimit for HIPAA Liability related to a software error.
The California Security Breach and Information Act became effective 7/1/03 and it had a real effect on exposure and insurance. The act required a business or agency that conducts business in CA to notify affected residents of CA of any breach if personal information was or is reasonably believed to have been accessed by an unauthorized person. Personal Information meant an individual’s first or last name in combination with a Social Security number, driver’s license number; or account, credit or debit card number in connection with an access code or password.
This act resulted in many other states adopting similar laws as well as new coverages being offered. New 1st Party Coverages included things like IT Forensics, PR, Credit Monitoring / Repair, and Customer Notification. New 3rd Party Coverages also became available for Regulatory Defense & Fines / Penalties, PCI Fines and Penalties.
In the late 2000’s many of the coverages being offered were only available with a small sub-limit, as carriers and reinsurers were concerned about the new exposures and how to price for them. It was difficult for an insured to get the limits they desired for certain exposures, and it made excess placements difficult as the excess markets were not comfortable with other carriers’ forms, pricing, sub-limit structure, and offering drop down limits over the sub-limits.
In the 2010’s the number of carriers with stand-alone products grew north of 50 and is now into the 60’s. Large claims and breaches became more commonplace. 2014 became the year of the Retail Breach (Target, Neiman Marcus, White Lodging, Michael’s, PF Changs, Albertsons, Dairy Queen, UPS, Home Depot, Jimmy John’s, Staples, etc.) and 2015 became the year of the Healthcare Breach (Excellus BlueCross BlueShield, Premera Blue Cross, OPM, Anthem, etc.).
In 2016 products and appetite continue to evolve, as do the services that come with the policy. Carriers are using technology as a tool to evaluate insureds, and carriers’ appetites continue to evolve rapidly in response to claims. The leading carriers are in a better position to take risk based on their experience and the size of their books. Pricing is all over the map, with insureds seeing one carrier provide a broad quote and another offer more limited terms at 3-4 times the premium. A carrier that aggressively quoted a risk last year will decline the risk this year.
For each company there is a big difference in which markets may be the best fit, and they may not be the best market for that risk by next year. The right fit will vary not only by industry but by size: the markets that are most competitive on small retail are not the best for larger retailers, and the same is true for healthcare, professional service firms, etc. The application process will also vary greatly by market and size of the risk. You will see some applications that ask 5 questions and others that have 100 questions and require a conference call with a 3rd party risk assessment firm. You will also see policies and add-on coverage that do not really cover that much, combined with clients that may not think they have much exposure.
For the foreseeable future expect to see more of the same: changing appetite, a wide variety of forms, large differences in pricing, carriers leveraging technology to assist in underwriting, and new risk management services being added to policies. Cyber Insurance is not a coverage that can be ignored; it should be addressed with every client. Cyber Insurance is a volatile market, so plan to work with someone with real expertise who has a wide range of market relationships. Whoever that expert is, they should be able to dissect differences in the forms and help you explain the coverage and exposure to your client, selling the coverage for you.