Cyber Insurance Blog

Evolution of Cyber Insurance: How We Got Here and Where We’re Headed

Evolution of Cyber Insurance: How We Got Here and Where We’re Headed

Learn How Cyber Insurance Has Evolved with Technology

As technology evolved in the late 1990s, technology-related risks evolved with it. Growing technology companies wanted to transfer some of this risk, leading to the development of the first cyber insurance technology coverages. Many of the early technology companies also had growing media and content-related exposure. As such, the first cyber insurance policies were written to address this exposure and focused on online content or software. Over time, the technology and accompanying policies have evolved extensively, and this should continue for the foreseeable future.

The first cyber and internet cyber insurance policies started to appear in the market in the late 1990s. Many have taken credit for writing the first cyber policy, and most of the first policies varied in their basic coverages. Some were media policies that began covering online media, while others were errors in data processing (EDM) policies. Early cyber insurance coverages generally evolved from professional liability policies for software and media risks.

In the early 2000’s, online media policies started to cover unauthorized access, network security, and virus-related claims. Similar to most professional liability policies, these policies generally had a lot of exclusions for line items including:

  • Rogue Employees
  • Regulatory Claims
  • Fines and Penalties

In addition, these policies usually did not include first-party coverage. In the mid-2000’s, these policies evolved to include some first party coverages. Updated policies began to cover things like:

  • Cyber Business Interruption
  • Cyber Extortion
  • Network Asset Damage

At the same time, some software related policies also started to evolve and added sub-limits for HIPAA liability related software errors.

cyber insuranceDuring this period, the California Security Breach and Information Act came into effect in 2003. This greatly affected exposure and insurance as it required any companies conducting business in the state to notify affected residents of any breach of personal information by an unauthorized party. This included an individual’s first or last name in combination with a Social Security number driver’s license number. It also covered any credit, debit, or account numbers exposed in connection with an access code or password.

Following California’s lead, many other states passed similar laws. Cyber insurance companies adapted, offering new first-party coverages such as IT forensics, public relations, credit monitoring and repair, and customer notification. New third-party coverages were also introduced for regulatory defense and fines and penalties.

In the late 2000’s, many of the coverages being offered were only available with a small sub-limit. This is because carriers and reinsurers were concerned about pricing for new exposures. All of this made it difficult for people to get the limits they wanted for certain exposures. It also made excess placements difficult, as the markets were not comfortable with other carriers’ forms, pricing, sub-limit structure, and the fact they offered drop-down limits over the sub-limits.

In the 2010’s, the number of carriers with stand-alone products grew to over 50; today it is more than 60. Large claims and breaches became more commonplace. 2014 became known as “The Year of the Retail Breach” with major breaches at retailers including:

  • Target
  • Neiman Marcus
  • White Lodging
  • Michael’s
  • P.F. Chang’s
  • Albertsons
  • Dairy Queen
  • UPS
  • Home Depot
  • Jimmy John’s
  • Staples

The following year, 2015, became “The Year of the Healthcare Breach” with major healthcare providers being breached, including:

  • Excellus BlueCross BlueShield
  • Premera Blue Cross
  • OPM
  • Anthem

Today, products and appetite have continued to evolve along with the services included with the policies. The leading carriers are in a better position to take a risk based on their experience and size of their books. The range of pricing is wide; it’s not uncommon to see one carrier provide a broad quote and another offer more limited one at three to four times the premium. It’s also constantly shifting; a the same carrier that aggressively quoted a risk last year could decline the risk this year.

There are large differences between companies in terms of which cyber insurance markets are the best fit. The right fit will vary not only by industry but by size as well. The markets that are most competitive for small retail are not the best for larger retailers. The same is true for healthcare, professional service firms, etc.

The application process will also vary greatly by market and size of the risk. You will see some applications with just five questions while others will have 100 questions and require a conference call with a third party risk assessment firm. You will also see policies and add-on coverage that does not really cover that much, combined with clients that may not think they have much exposure.

For the foreseeable future, you can expect to see more of the same. Changing appetite, a wide variety of forms, large differences in pricing, carriers leveraging technology to assist in underwriting, and new risk management services being added to policies are the norm in cyber insurance.

Cyber insurance coverages cannot be ignored; in fact, it should be addressed with every client. Cyber insurance is a volatile market, so we recommend planning to work with someone who has real expertise that has a wide range of market relationships. Whoever that expert is, they should be able to dissect differences in the forms and help you explain the coverage and exposure to your client, selling the coverage for you. To learn more, check out our Presentation on the History of Cyber Insurance or schedule a call with a ProWriters expert today.