Cyber Insurance: An Update on the Market’s Hottest Product Richard S. Betterley, CMC Betterley Risk Consultants, Inc. Sterling, MA Independent Risk Management Consultants since 1932 Publishers of The Betterley Report at www.betterley.com Cyber Risk Insurance: What Does (or Should) it Cover? Liability for loss of personally identifiable information Not just electronic, but all types of data, including paper Corporate information, not just individuals All types of data, not just financial Some cover loss of data when in the possession of a 3rd party, such as a vendor Many think it covers all liability for all types of electronic activity, such as social media; it doesn’t Costs for responding to a data breach 7/26/2016 Public relations response Legal guidance Victim notification Credit monitoring 2 Coverage (cont’d.) Fines and penalties Defense costs Consumer Redress funds Civil money penalties (but not if unlawful to insure; look for most favored venue language) Penalties imposed by credit card issuing entities (Visa/MasterCard, etc.) Typically sub limited Value-added Services 7/26/2016 Discounted response services Network testing 3 Coverage Options 1st Party Loss of Data Business Interruption and Extra Expense Cyber Extortion Crisis Response Fund Theft 7/26/2016 Data $$$ Products or Services 4 Media Liability All media activities or just online media (including social media) Intellectual Property liability coverage: 7/26/2016 Copyright infringement – can be included Trade or Service Mark infringement – can be included Patent Infringement – cannot be included in most forms 5 Notable Exclusions Dishonest/Criminal/Intentional Acts (but severability generally applies) Contractual Liability Data Outside of Your Network This is in reference to cloud-type computing, which is often insurable Non-electronic data 7/26/2016 Such as paper documents; generally insurable 6 Prominent Carriers Carrier Capacity Available Deductible or SIR (Minimum & Maximum) Ace $25 million Minimum Retention $5,000 Data Breach Fund Retention $0 Allied World $25 million $5,000 minimum – no maximum Beazley $25 million Minimum normally $25,000 (3rd-party), $100,000 (1st party) CFC $10 million Minimum Retention $1.000 Chartis $25 million Minimum retention $5,000 Chubb $25 million Minimum Deductible Amount: $15,000 CNA $10 million Varies The Hartford $10 million (Primary or Excess) Minimum Deductible: $25,000 Hiscox $10 million for stand-alone Privacy Protection and Breach Costs coverage Minimum Retention: $2,500 Safeonline $20 million Minimum Deductible $2,500 Travelers $10 million for commercial accounts Minimum Deductible: $5,000 The Market Annual premium volume in the U.S. (GWP) = $800 million and growing (following tables from Betterley Risk Research’s “Understanding the Cyber Risk Insurance and Remediation Services Marketplace: A Report on the Experiences and Opinions of Middle Market CFOs” © 2010) Considering Purchasing Cyber Risk Insurance During Next 18 Months: All Respondents by Revenue (maximum $250 million) Market Penetration of Cyber Insurance: All Respondents by Revenue 100% 90% 100.00% 80% 90.00% 70% 60% 50% 40% 80.00% $10 million - $50 million 70.00% $50 million - $100 million 60.00% $100 million - $250 million $10 million - $50 million 50.00% $250 million - $500 million 30% 40.00% 20% 30.00% 10% 20.00% 0% 10.00% $50 million - $100 million $100 million - $250 million 0.00% Considering Purchasing During the Next 18 Months 7/26/2016 8 Objections to Buying Cyber Insurance Reasons Why Respondent Did Not Buy: All Respondents that Do Not Buy Cyber Risk Insurance I didn't realize this type of insurance was available Our brokers have advised our firm we don't need Cyber Risk insurance because the risk of a claim is remote Our IT department does not think we need insurance for this risk Our firm can handle Cyber Risk exposures ourselves without insurance Our firm has other insurance coverage that includes Cyber Risk insurance The coverage is too expensive Another reason 7/26/2016 9 Problem Areas Serious concern whether underwriting and pricing can keep up with the black hats 7/26/2016 Active hostiles operating outside the law and largely invisible Extensive cooperative network to share and improve tools Automated attacks Rapidly evolving tools and techniques 10 Technology-oriented coverage is not well understood by agents/brokers and insureds (and probably consultants) 7/26/2016 Confusion in the marketplace leading to bad buying decisions – or no buying decision Copycat carriers lack tools to understand and manage the risk Not enough knowledgeable underwriters and claims staff 11 Cloud computing – does it improve or degrade the risk for the user? Potential for improvement because centralized data services are easier to defend 7/26/2016 But when a breach occurs… Accumulation risk Users may focus on price and assume security 12 Opportunity Potential for rapid growth Add in for package policies and Management Liability products Declining cost of breach response services 7/26/2016 13 The Betterley Report A series of 6 annual evaluations of specialty commercial lines insurance products; including: Technology E&O (February) Intellectual Property and Media Liability (April) Cyber/Privacy (June) Private Company Management Liability (August) Side A D&O (October) EPLI (December) For more information, go to www.betterley.com 7/26/2016 14 Sources for this Presentation Betterley Risk Research “Understanding the Cyber Risk Insurance and Remediation Services Marketplace: A Report on the Experiences and Opinions of Middle Market CFOs” published September 2010 www.betterley.com The Betterley Report “Cyber Risk and Privacy Insurance Market Survey 2011” published June 2011 www.betterley.com 7/26/2016 15