A recent report showing that cyber insurance premiums will grow globally from $2 billion annually to more than $20 billion over the next 10 years reinforces what most in the insurance industry already know: cyber risks are a big deal and will only get bigger.
According to the report by Allianz Global Corporate & Specialty, global cyber exposures cost $445 billion per year, with almost a fourth of that amount, or $108 billion, occurring in the United States alone.
Faced with this knowledge, the best thing insurance agents can do is educate themselves and their business clients in this rapidly evolving line, say a group of professionals who specialize in coverages for cyber risks.
For clients, “it’s really, really important to have an educated broker, who’s taking the time to read the words in the policies. Unlike more established lines, there’s not one standard form. There can be really important nuances,” says London-based Sarah Stephens, partner and head of Cyber, Technology, and Media E&O at JLT Specialty Limited.
But not all agents are comfortable with the topic.
Some agents are reluctant to engage in a discussion about IT or information security, according to Graeme Newman, a director at CFC Underwriting in London.
“It’s something that they’re uncertain about and unwilling to engage in. But I don’t think it’s any different than any other type of insurance,” he said.
For instance, “to sell property insurance, you don’t have to know how the alarm system works to understand that if there’s a fire or there’s a flood, you’re going to have to rebuild a building. The same is true of cyber,” he said.
Essentially, cyber risks “are the same risks that insurance agents have been dealing with for hundreds of years. It’s just they present themselves in a slightly different way,” Newman said.
Over the past couple of decades, for example, there’s been a huge shift in the way businesses are valued. Value has largely transitioned from “tangible assets to intangible assets. It’s gone from plants and machinery to being all about data, information, and intellectual property,” he said.
But “the risks themselves are still the same. They’re still talking about property risks, but the damage is to your data now, rather than your physical equipment. We’re still talking about business interruption risks, but this is not about your building being unavailable. It’s about your computer systems being unavailable.”
One of the most important things an agent can do with a client is to talk about potential loss due to cyber exposure, according to Michael Palotay, senior vice president with NAS Insurance in Encino, Calif.
“Many times, the insureds don’t understand what the potential loss is,” he said. And they don’t purchase the coverage because they don’t understand how much they can lose as a result of a data breach.
Now, however, big, well-publicized breaches, such as those that struck Target, Home Depot, Sony and the health insurer, Anthem, are forcing the issue with insureds. The numbers are huge and “people are starting to really wake up” to the possibility of losses, Palotay said.
Building awareness of just how much cyber intrusions can cost has to start with the interaction between the agent and the insured.
With retailers or other businesses that use credit transactions or store personal identification, “it’s really important to … get a feel for how many credit card transactions they have, how many identities they store. Because that really is directly proportional to how much” they could lose, he said.
It comes down to asking lots and lots of questions, according to Kirstin Simonson, 2VP, Global Technology for Travelers Insurance.
“You have to rethink the framework. You have to start asking some very difficult questions,” she said.
An agent may be reluctant to ask too many questions out of concern that the client will move on to another agent who’s not going investigate as thoroughly, Simonson said.
But while a client may feel that too many questions are being asked and fear they may not be giving the right answers, “agents can’t be afraid to keep pushing and keep asking those questions,” she said.
Simonson also advised agents to be aware of coverage gaps.
“One of the challenges I see is a lot of times, the agent who’s placing the cyber coverage may not be the same agent who’s placing the product’s liability or the property. When you think about the product’s liability or the software failure, they need to be talking. They need to be trying to fill those gaps and understand, ‘OK, here’s what we’re going to cover on this side. Here’s what’s being covered over on the cyber side. Now, where are the gaps? How do we fill those?’”
A common obstacle that agents, insureds and underwriters all face is that when it comes to cyber coverage, it’s all negotiable and policy terminology is constantly in flux.
“You have all sorts of ‘gotchas’ in some standard forms. You have major material differences in the main insuring agreements in some forms,” said JLT Specialty’s Stephens.
So “it’s really, really important to know what you’re getting, and also when you’re approaching the market, to know what you need,” she said.
Much of the language in cyber policies comes from traditional property and casualty policies, according to Christopher Keegan, cyber and tech national leader at Beecher Carlson in New York.
“Some of the wording doesn’t fit,” he said. So changes are constantly being made to policies; they’re always being adapted for the particular insured.
“It’s working out what fits and what doesn’t fit over a period of time in order to allow us, hopefully, at the end of the day, and in maybe two, three, or five years down the road, that we will have policies that those distinctions that maybe were made in the property world or the casualty world that are inappropriate for the cyber world, we will have gotten those out of the policies. We’ll have a much more robust, broad, appropriate product,” he said.
Note: This report was based on interviews with Keegan, Palotay, Simonson and Stephens at the PLUS Cyber Liability Symposium in Chicago in September. Video excerpts of those interviews may be viewed at www.insurancejournal.tv.