Cyber Insurance: How We Got Here and Where We’re Headed
As technology evolved in the late 1990s, technology-related risks evolved with it. The first cyber risk insurance policy was written to address these exposures and focused on online content or software. Over time, the technology and accompanying policies have evolved extensively into a vibrant and volatile cyber insurance market. With that, the top cyber insurance companies have had to advance at a rapid pace to keep up with ongoing threats.
The history of cyber security insurance policies in the United States began in the late 1990s. Some were policies that covered online media, while others were errors in data processing (EDM) policies. The coverages in these early cyber risk insurance policies generally evolved from professional liability policies for software and media risks.
In the early 2000s, online media policies started to cover unauthorized access, network security, data loss, and computer worm or computer virus-related claims. Similar to most professional liability policies, these policies generally had many exclusions including:
- Rogue Employees
- Regulatory Claims
- Fines and Penalties
In addition, cyber risk insurance policies written at the time usually did not include first-party coverage. In the mid-2000s, these policies evolved in response to cyber threats to include some first-party coverages. Updated policies began to cover things like:
- Cyber Business Interruption
- Cyber Extortion
- Network Asset Damage
At the same time, some software-related policies started to evolve, adding sub-limits for HIPAA liability related software errors.
During this period in the history of cyber security, the California Security Breach and Information Act came into effect in 2003. This greatly affected exposure and insurance. Companies conducting business in the state now had to notify any residents affected by a breach of their personal data by an unauthorized party.
Following California’s lead, many other states passed similar laws. This had profound effects on the private sector. Cyber insurance companies adapted, offering new first-party coverages such as IT forensics and information security, public relations, credit monitoring, and customer notification. New third-party coverages were also introduced for regulatory defense as well as fines and penalties.
In the late 2000s, many coverages only had a small sub-limit. This is because carriers and reinsurers were concerned about pricing for new exposures related to cyber risk. All of this made getting higher limits and placing excess exposures more difficult. The markets were simply not comfortable with other carriers’ forms, pricing, and sub-limit structure.
In the 2010s, the number of carriers with stand-alone products grew to more than 50. Today, it is more than 60, and large claims and breaches have become more common. 2014 became known as “The Year of the Retail Breach” with major cyber attacks at retailers including:
- Neiman Marcus
- White Lodging
- P.F. Chang’s
- Dairy Queen
- Home Depot
- Jimmy John’s
The following year, 2015, became “The Year of the Healthcare Breach” with major healthcare providers affected, including:
- Excellus BlueCross BlueShield
- Premera Blue Cross
The industry is constantly shifting and the range of pricing is wide as a cyber risk insurance policy has to rapidly adapt to the market. One carrier may offer a broad quote while another offers a more limited one at three to four times the premium. Furthermore, the same carrier that aggressively quoted a risk last year could later decline the risk.
There are large differences between companies in terms of which cyber insurance markets are the best fit. The right fit with the top cyber insurance companies will vary not only by industry but by size as well. For example, the markets that are most competitive for small retail are not the best for larger retailers. The same is true for healthcare, professional service firms, etc.
The application process will also vary greatly by market and size of the risk. Some applications have just five questions, while others have 100 and require a call with a third-party risk assessment firm. You will also see policies and add-on coverage that claim to be comprehensive but, in reality, cover very little.
For the foreseeable future, you can expect to see more of the same. The norm in cyber insurance includes changing appetites and top cyber insurance companies leveraging underwriting technology and cyber insurance software. Expect to see a wide variety of forms, large differences in pricing, and new risk management services being added to policies.
Cyber insurance coverages cannot be ignored; in fact, they should be addressed with every client. It’s important to understand what to look for from top cyber insurance companies. Cyber insurance is a volatile market, so we recommend working with someone who has real expertise. They should be able to dissect differences in the forms and help you explain the coverage and exposure to your client. They should also be able to make the distinction between general liability insurance and cyber liability coverage.
Ready to learn more? For both small businesses and large enterprises, a cyber risk insurance policy is a must in the digital age. Check out our Presentation on the History of Cyber Insurance or schedule a call with a ProWriters expert today.