Cyber Insurance Blog

The Evolution of Cyber Insurance

The Evolution of Cyber Insurance

Cyber Insurance: How We Got Here and Where We’re Headed

As technology and the internet evolved in the late 1990s, technology-related risks evolved as well. More and more organizations were conducting their business online, so internet hackers began to look for ways to benefit financially from this new online world. The first cyber risk insurance policy was written to address these exposures and focused on online content or software. Over the years, the technology and accompanying policies have evolved extensively into a vibrant and volatile cyber insurance market.

Today, internet-based technology is involved in nearly every aspect of life, from healthcare to home security. With that, the top cyber insurance companies have had to advance at a rapid pace to keep up with ongoing threats.

In the United States, the cyber security insurance policies of the 1990s were policies that covered online media, while others were errors in data processing (EDP) policies. An early cyber liability insurance policy’s coverages generally evolved from professional liability policies for software and media risks.

In the early 2000s, online media policies started to cover unauthorized access, network security, data loss, and computer worm or computer virus-related claims. Similar to most professional liability policies, a cyber insurance policy generally had many exclusions, including:

  • Rogue Employees
  • Regulatory Claims
  • Fines and Penalties

In addition, writing a cyber risk insurance policy usually did not include both first-party and third-party coverage. It wasn’t until the mid-2000s, that these policies evolved in response to cyber threats to include some first-party coverages to protect the organization itself and potential intellectual property. Updated policies began to cover things like:

  • Cyber Business Interruption Coverage
  • Cyber Extortion
  • Network Asset Damage

At the same time, some software-related policies started to evolve, adding sub-limits for HIPAA liability-related software errors.

During this period in the history of cyber security, the 2003 California Security Breach and Information Act came into effect. This greatly affected both exposure and insurance. Companies or organizations who were conducting business in the state now had to provide breach notifications to any affected residents of a personal data breach by an unauthorized party.


Before you continue reading, follow us on LinkedIn so you don’t miss any important cyber updates:

Following California’s lead, many other states passed similar laws. This had profound effects on the private sector. Cyber insurance companies quickly adapted, offering new first-party coverages such as IT forensics and information security, public relations, credit monitoring, and customer notification. New third-party coverages were also introduced for regulatory defense as well as fines and penalties that could be related to notifying the affected parties.

In the late 2000s, many coverages only had a small sub-limit. This is because carriers and reinsurers were concerned about pricing for new exposures related to cyber risk. All of this made getting higher limits and placing excess exposures more difficult. The markets were simply not comfortable with other carriers’ forms, pricing, and sub-limit structure.

In the 2010s, the number of carriers with stand-alone products grew to more than 50. Today, it is more than 100, and large claims and breaches have become more common. 2014 became known as “The Year of the Retail Breach” with major cyber attacks at retailers including:

  • A man in a suit sits at a table with his open laptop and a cup of coffee while he scrolls through information on this phone.Target
  • Neiman Marcus
  • White Lodging
  • Michael’s
  • P.F. Chang’s
  • Albertsons
  • Dairy Queen
  • UPS
  • Home Depot
  • Jimmy John’s
  • Staples

The following year, 2015, became “The Year of the Healthcare Breach” with major healthcare providers affected, including:

  • Excellus BlueCross BlueShield
  • Premera Blue Cross
  • OPM
  • Anthem

Rather than slowing down, these attacks are continuing to increase with more than 4.1 billion records exposed in the first half of 2019 alone. Many companies and organizations are increasing their cyber security budgets to prepare for even more attacks in the future.

The industry is constantly shifting and the range of pricing is wide since cyber risk insurance policies have to rapidly adapt to the market. In addition, cyber events are constantly evolving, so the risks that this type of insurance covers are forced to adapt as well. One carrier may offer a broad quote while another offers a more limited one at three to four times the premium. Furthermore, the same carrier that aggressively quoted a risk last year could later decline the risk.

There are large differences between companies in terms of which cyber insurance markets are the best fit. The right fit with the top cyber insurance companies will vary not only by industry, but by size as well. For example, the markets that are most competitive for small retailers are not the best for larger retailers. The same is true for healthcare, professional service firms, etc.

The application process will also vary greatly by market and the size of the risk. Some applications have just five questions, while others have 100 and require a call with a third-party risk assessment firm. You will also see policies and add-on coverage that claims to be comprehensive but in reality, covers very little.

For the foreseeable future, you can expect to see more of the same. The norm in cyber insurance includes changing appetites and top cyber insurance companies leveraging underwriting technology and cyber insurance software. Expect to see a wide variety of forms, large differences in pricing, and new risk management services being added to policies.

Cyber insurance coverage cannot be ignored; in fact, it should be addressed with every client. It’s important to understand what to look for from top cyber insurance companies. Cyber insurance is a volatile market, so we recommend working with someone who has real expertise. They should be able to dissect differences in the forms and help you explain the coverage and exposure to your clients, as business owners. They should also be able to make the distinction between general liability insurance and cyber liability coverage.

Ready to learn more? For both small businesses and large enterprises, a cyber risk insurance policy is a must in the digital age. Check out our presentation on the History of Cyber Insurance.

For more information on cyber insurance and how to best protect your clients in this digital age, check out our FREE downloadable guide, The Six-Step Guide to Becoming Your Clients’ Cyber Expert.

Contact us to get started or call 484-321-2335 to speak with a ProWriters expert today.

Subscribe to Our Monthly Newsletter!

    Comprehensive Cyber Risk Management Plan

    Your Guide to Cyber Security

    Download Now