Cyber attacks are escalating in their frequency and intensity and pose a growing threat to the business community as well as the national security of countries. High-profile cyber incidents in 2014 reflected the expanding spectrum of cyber threats, from point-of-sale (POS) breaches against customer accounts to targeted denial-of-service (DoS) attacks meant to disable a company’s network. Businesses in ever-greater numbers sought financial protection through insurance, buying coverage for losses from data breaches and business outages.
Boost in Cyber Insurance Demand Drives Insurers’ Response
Health care facilities, universities and schools continue to be on cybercriminals’ radar, but attacks in the hospitality and gaming, power and utilities, and other sectors reveal that no organization is immune to a cyber attack or a failure of technology.
Health care and education clients had the highest cyber insurance take-up rates in 2014, followed by hospitality and gaming and services. Universities and schools present attractive targets because they house a vast array of personal information of students, parents, employees, alumni and others: Social Security numbers, health care information, financial data and research papers can all be compromised.
The broader scope of hacktivists contributed to the increase in cyber insurance purchases in 2014. Sectors that again showed notable year-over-year increases in the number of clients purchasing cyber coverage included hospitality and gaming and education. Other areas that stood out in 2014 included the power and utilities sector, with more clients buying standalone cyber coverage. Power and utilities companies frequently cite the risks and vulnerabilities associated with the use of supervisory control and data acquisition networks—which control remote equipment—and the cost of regulatory investigations as driving factors behind their cyber coverage purchases.
The reasons for purchasing cyber coverage vary from board mandates seeking to protect corporate reputations to companies looking to mitigate potential revenue loss from cyber-induced interruptions of operations. Insurers responded to this demand by offering broader cyber insurance coverage in 2014, including coverage for contingent business interruption and cyber-induced bodily injury and property damages. They also expanded availability of loss-control services, including risk-assessment tools, breach counseling and event response assistance.
Cyber Limits Rise
Companies with revenues of more than $1 billion have increased their cyber insurance limits worldwide by 42 percent on average since 2012, according to Marsh Global Analytics estimates. Over the same time period, health care companies have bought 178 percent more cyber insurance and power and utilities firms have expanded their coverage by 98 percent.
[Figure: Rising spending on cyber insurance]
Cyber Rates and Coverage
Increases in the frequency and severity of losses and near-constant headlines about attacks and outages kept cyber insurance premiums generally volatile in 2014. Average rate increases at renewal for both primary layers and total programs were lower in the fourth quarter than in the first. The increased loss activity prompted pricing challenges for some insureds, particularly retailers, where renewal rates rose 5 percent on average and as much as 10 percent for some clients.
Market capacity also varied according to industry. Most industries were able to secure cyber coverage with aggregate limits in excess of $200 million, while the most targeted industries, like retailers and financial institutions, faced a challenging market.
Insureds also face heightened due diligence from underwriters seeking to drill down beyond simple reviews of the company’s general information security policies. For example, insureds in the retail sector are being asked about their deployment of encryption and EMV (credit card) technology. And all insureds are now routinely asked whether they have formal incident response plans in place that outline procedures for protecting data and vendor networks and, more importantly, if such plans have been tested.
A Growing Concern
In 2015, managing cyber risk is clearly a top priority for organizations. For example, business interruption (BI) drew a lot of attention in 2014, a trend likely to continue throughout 2015. While BI has historically been thought of as the aftereffect of a critical system going down for an extended period of time, technology failures and cyber attacks can create far-reaching outages affecting secondary systems, clients and even vendors. Such events can also lead to higher recovery costs, which are becoming a concern for boards of directors and senior management.
There is also concern stemming from the expansion of regulation and litigation. Regulators were active in policing cyber risks in 2014, and oversight is likely to expand significantly in coming years. With cyber risk seen as a critical issue on both sides of the aisle in Washington, D.C., companies will face regulatory challenges in 2015 and beyond.
Sectors that have already seen significant regulatory activity—for example, health care, financial services and education—will likely face more stringent regulations and larger fines. All industries should pay attention to existing and impending regulations, tighten controls and prepare to present and defend their compliance regime. Civil litigation in the wake of a breach or disclosure of a cyber event also escalated in 2014, with class actions at times following the disclosure of a breach by mere hours.
As demand for cyber insurance grows, it’s important to remember that risk transfer is only part of the solution. Enhanced information sharing between industry and government is another step toward having a comprehensive risk-mitigation strategy. Insurers and brokers are expanding the availability of loss-prevention and risk-mitigation services such as risk-assessment tools, breach preparation counseling and breach response assistance. The expanded roster of services and enhanced coverage can provide additional value from policies, usually without a specific added premium.