June 1, 2014 by Craig Harris, Freelance writer
Could 2014 be the breakthrough year for cyber insurance? Clearly, the number and severity of data breaches have rebooted the interest level in cyber liability products. There is compelling evidence that several factors have come together for a turning point in the take-up rate of coverage.
High-profile individual cases – such as the Heartbleed Bug that shut down Canada Revenue Agency’s (CRA) website for four days in April or retailer Target’s hacking woes last December involving personal financial information of 70 million customers – garner mainstream media attention.
Target’s experience, in particular, spawned shareholder litigation that alleged the company’s directors and officers neglected their duty of care in managing privacy risks. “The Target breach stirred a lot of attention here,” says Brian Rosenbaum, national director, legal and research practice for Aon Risk Solutions in Canada. “Because this was such a high-profile case, a lot of directors and officers and risk managers were asking about how the D&O liability (insurance) would cover. This one really hit home,” Rosenbaum comments.
Class action litigation may be a far more effective means of jumpstarting cyber interest than broker or insurer presentations on the subject. These lawsuits have increasingly captured the attention of the “C-suite,” where decisions about serious company and organizational investments in risk protection get made.
“Whether we are talking about large U.S. retailers or the CRA in Canada, it raises the question of whether organizations should explore cyber insurance protection,” notes Michael Petersen, managing director and national leader, communications, media & technology practice for Marsh Canada. “Some of the cases in the U.S. have shown that IT security procedures were not adequate. So now, many of the directors, officers and boards of companies are very much engaged and wanting to understand,” Petersen says.
SALE OF RISK
The ramping up of cyber risks to the executive level is a positive sign for insurance companies keen to match coverage with exposures.
“The more high-profile data breaches out there, the more we get requests for proposals for coverage,” says Greg Irvine, national director, management solutions group for Zurich Insurance.
“As insurance companies, (we) are helping risk managers to understand those risks and help develop a product to respond. Definitely, we (have had) a lot of dialogue with our clients about their cyber-related liabilities over the last 12 to 24 months,” Irvine says.
“New privacy breaches on a worldwide basis appear in the media on a monthly, if not daily, basis, and contribute significantly to increased awareness among board members and business owners – they realize that if it can happen to their peers or competitors, then it can happen to them,” says Karen Gauthier, Toronto practice leader, cyber, media and professional liability for Chubb Insurance Company of Canada.
“Cyber security has grown to become an enterprise-wide issue and is being discussed at the executive, board or ownership levels of many businesses,” Gauthier reports.
“All companies face this increase in cyber and data privacy exposures, and the awareness is no longer sitting at the risk management level – it is coming from the C-suite,” observes Toby Merrill, division senior vice president, global cyber risk practice for ACE Group. “This creates much higher awareness and leads to the placement of more cyber policies,” Merrill says.
TAKE-UP RATE: TENTATIVE?
How much momentum cyber policies have made in terms of market penetration, however, is an open question. While early cyber insurance coverage studies pointed to 30% to 40% take-up in select industries, sources note that the overall level of policy purchasing is much lower than that.
“I’d suggest it is a lot less,” notes Geoff White, underwriting manager, cyber, technology and media at Lloyd’s syndicate, Barbican Insurance Group. “The U.S. market is estimated to hit $2 billion of an estimated $85 billion opportunity this year, so we maybe have 3% to 4% penetration at most. Outside of the U.S., penetration is much lower, though we are seeing an upturn in enquiries from countries such as Canada,” White says.
“Uneven” would be a good characterization of the actual take-up level of cyber coverage, particularly in Canada’s federal privacy environment that does not require mandatory notification of data breaches. Instead, brokers report that the process has involved sending a steady stream of proposals for coverage and seeing if clients are willing to take the next step to bind.
“If you talk to a lot of underwriters, they say we are doing a lot of quoting, but not a lot of binding,” says Michael Loeters, vice president and associate with BFL Canada Risk and Insurance Services, who likens the current state of cyber liability insurance to D&O liability a decade ago. “They want to write more, but I don’t think we are there yet,” Loeters suggests.
Sources note the key economic sectors purchasing cyber liability coverage include retail (particularly those that must be Payment Card Industry, or PCI, compliant), health care, education, utilities, financial institutions, technology companies and, increasingly, professional services firms such as accountants or lawyers. Among these groups, the take-up rate is significantly higher, as much as 40% to 60%.
“When Chubb Canada first launched its CyberSecurity product in 2009, market interest focused primarily around large corporations, particularly those with a great deal of private customer information like retail, large hospitality and financial institutions,” says Gauthier. “We now see a diverse range of industries, including mid-market and small private companies, showing interest in, and embracing the addition of, cyber security coverage to their insurance portfolio,” she notes.
“The insurance market for cyber has expanded greatly over the last five years,” Merrill agrees. “While most of that growth has been in the United States, we are now seeing a considerable uptick in Canada and internationally.”
Some sources say cyber insurance is moving into the mid-sized and smaller markets, where arguably the risk management expertise of brokers is most needed. One reason is that government agencies and larger companies are requiring proof of cyber coverage as part of contractual arrangements.
“More organizations realize this is not just a large company issue, particularly with respect to personally identifiable information,” comments Kevin Kalinich, global practice leader, network risk/cyber insurance for Aon Risk Solutions. “It could affect supply chains, it could affect business interruption, it could affect revenues. I think the awareness is translating into action for more prudent companies to take a look at their existing policies, and some are taking the step of a standalone cyber product,” Kalinich reports.
Whatever the need or awareness, some argue cyber insurance is still a hard sell in the small- to mid-market. “I find a lot of people haven’t contemplated coverage for cyber losses, period,” Loeters reports.
“Many organizations still don’t seem to have the appreciation for all the ways security network breaches happen. And a lot of organizations don’t think they maintain a lot of data of value. We are still at the very early stages and there is still a lot of education needed on cyber risk,” he contends.
One potential limitation of increased take-up is the existing cyber insurance product itself, which has largely been mapped from foreign markets such as the U.S., London, Europe or Bermuda over to Canada with some minor modifications.
“When you really look at the guts of the policy in Canada, the modifications are not that significant,” Loeters suggests. “That could be one of the problems. There is not a huge depth of cyber underwriting expertise in Canada. Any of the larger risks that are quite
complex, a lot of the underwriting authority still resides in the U.S. or overseas,” he says.
Peter Zaffino, president and CEO of Marsh, pointed out some of the limitations of standard cyber coverage products at an industry luncheon this past April in Toronto.
“We have to come up with a cyber product that responds to all the different types of losses in one form,” Zaffino said. “Traditional insurance is not as responsive as it needs to be. Is it an extension of property? Is it third party? Is it professional? What else is it?”
One thing most brokers and insurers agree on is that traditional commercial general liability (CGL) and umbrella liability policies offer very limited, if any, coverage for cyber risk.
Recently, the U.S.-based Insurance Services Office (ISO) introduced a series of endorsements designed for CGL and umbrella policies to specifically exclude cyber-related losses, effective May 1.
And in February, a justice of the New York Supreme Court ruled that the personal and advertising provisions of Sony’s CGL policy do not cover the theft by hackers of confidential information belonging to users of the company’s PlayStation Network.
While the court judgments are not uniform, what is emerging is acknowledgement of a significant gap between traditional commercial insurance policies and cyber exposures.
For cyber coverage, however, there is no standard solution to fill this gap. “There is no real commonality between products, which is, from a broker’s perspective, very challenging, especially for those brokers who don’t deal with this on a day-to-day basis,” Loeters suggests. “When you get terms from three different insurance companies, you really have to spend the time comparing each and every one of those forms,” he says.
Loeters cites the example of Canada’s anti-spam legislation, which is set to take effect July 1.
“Let’s say your client is conducting a social media or e-mail marketing campaign, you better make sure your cyber policy has spam coverage built into it – a lot of them don’t,” he cautions. “You have to know the questions to ask to really assess what coverage the client needs,” Loeters advises.
“There is still a lack of consistency in product offerings and premiums,” Petersen observes. “That can be a good thing for clients in that we are seeing an evolution of insurance products, better wordings, more coverage options,” he says.
“The term ‘cyber coverage’ is quite broader than most people think,” Bobbie Goldie, vice president, professional risk for ACE Canada, adds. “There are eight different insuring agreements available within ‘cyber coverage.’ The coverage has evolved over the years to address online media, cyber extortion and, most notably, data privacy, regardless of whether the data is in digital form.”
Petersen notes some innovation has already taken place in cyber coverage, including contingent business interruption coverage for downtime from cloud service providers, enhanced coverage for regulatory fines and penalties, and the addition of “cyber supplements” to E&O policies at limited cost.
Others, however, hold that there is room for further growth in cyber product development. “What if your company is not just reliant on personally identifiable information? What if it’s your supply chain, your distribution chain?” Kalinich asks.
“What if you had to shut down a manufacturing plant from malware or a virus? It is in the area of intangible perils where there is a tangible property damage or bodily injury that we need to make bigger steps in coverage,” he argues.
Aon Risk Solutions’ Brian Rosenbaum says the protection of corporate information has become a key discussion point for clients. “While a lot of the discussion about privacy centers around the personal information of individuals, some of these insurance policies now provide a module that protects organizations against theft of intellectual property,” he points out.
“For business-to-business operations that have a lot of employees, this can be an important cover,” he suggests.
Zurich Insurance’s Greg Irvine agrees “business interruption and intellectual property rights are major concerns for many companies. Intellectual property… is becoming a topic that clients want to discuss to transfer that risk.”
The more difficult challenge for insurers is keeping pace with the constantly changing cyber world.
“What is different today is how quickly the exposures are evolving,” suggests Irvine, who reports Zurich is now in the midst of updating its cyber forms with respect to privacy breach costs and health care ID restoration and investigation.
“For example, a property policy might be refreshed once every five to 10 years. However, with cyber risk, it is every 12 months that you are looking at new and evolving exposures,” he says.
PRICING AND CYBER CLAIMS
The speed of cyber changes and exposures can catch underwriters and claims managers off guard when it comes to frequency and severity of cyber losses. Several sources say that there has been enough litigation and claims experience to accurately rate cyber exposures, even if it may seem more art than science at this stage of product development.
“We are drawing from the claims experience in Canada. So we feel we have a comprehensive rating model in Canada. There is certainly some frequency (of claims) in Canada that will drive prices,” Irvine says.
“The (industry) has now aggregated the information over a five-10 year period with respect to privacy and security breaches, so the actuarial data is better,” Kalinich suggests. “They don’t pretend it is an exact science, with a mathematical actuarial formula like they can with property. However, the underwriters are getting smarter – instead of asking a company about their revenues, they are asking how many personally identifiable records and what types of information they store,” he says.
Petersen says that much of the claims data is U.S.-based. NetDiligence, a cyber risk assessment firm, releases reports on actual cyber claims.
In a 2013 study, the company examined 145 data breach insurance claims. In those claims, heath care was the sector most frequently breached (29.3%), followed by financial services (15%).
The most frequent cause of loss was a lost or stolen laptop/personal device (20.7%), followed by hacking (18.6%). Typical claims amounts ranged from $2,500 to $40,000, with a highpoint of $20 million.
Other international studies of cyber privacy, such as those by the Ponemon Institute, show the cost of data breaches is increasing. In a study released in May, the research group found the average cost of a data breach to a company was US$3.5 million, or 15% more than what it cost last year.
“Relative to other lines of insurance coverage, underwriters are still learning about what their losses are in cyber risk,” Petersen observes. “When we obtain insurance proposals on behalf of our clients, pricing is pretty scattered. The fact that the premiums are all over the place shows there is still some uncertainty in how to rate the exposure.”
BREACH RESPONSE SERVICES
One of the key features emerging from insurance company cyber coverage is the provision of breach response services. “Policyholders today now have access to loss prevention portals and services to help them mitigate their cyber and data privacy exposures,” says ACE Canada’s Bobbie Goldie. “They also have access to data breach response teams in case their organization sustains a data breach event. There is significant value to the cyber coverage that is available today,” Goldie suggests.
“This is, of course, beneficial to our clients and the insurers, because we are trying to control the reputational risks to our clients. It also can minimize the costs of a security breach,” Petersen says.
But breach response planning is also a two-way street, notes Rosenbaum. Given the cost of services an
d the potential amount of the claim, insurers want to know what level of preparation prospective clients have in place.
“We have had situations where our client was not co-ordinated in their breach response plan, and the terms we have got back from the underwriter were not favourable,” Rosenbaum says. “That is where a lot of the money is spent on these policies – in first response. The better the companies are at dealing with that, the better risks they will be.”
Sources say that the ensuing focus for companies has to be on enterprise-wide risk management.
“Companies should create an incident response plan to provide a road map of how an organization will manage and co-ordinate with risk management, legal, financial, the board, and any other vendors that may be retained,” Gauthier suggests. “As cyber security is no longer just an IT-related issue, co-ordination between multiple departments as well as senior management and the board, is increasingly important.”
CANADA’S E-PRIVACY REGULATORY RECORD
Under federal privacy legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA) – there is no mandatory breach notification requiring organizations to disclose information to affected individuals.
In Canada, Alberta is the only private sector jurisdiction that requires notification of breaches to the privacy commissioner, who can prescribe fines of as much as $100,000 for businesses.
Manitoba is set to introduce privacy legislation this year that will have mandatory breach provisions requiring organizations to notify affected individuals.
Bill S-4, the Digital Privacy Act, currently before the Senate, would mark the first federal law for mandatory data breach reporting if passed into legislation. Several previous attempts to update or amend PIPEDA have failed.
Canada lags other jurisdictions, such as the U.S., where 47 states have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.
In August 2013, the European Union introduced breach notification regulations for electronic communication service providers. It is expected that a broader proposed General Data Protection Regulation will come into force soon for all companies operating in the EU.
“One of the reasons we speculated that organizations have not purchased cyber insurance is because there is no mandatory reporting provision in Canada,” says Petersen. “(Bill S-4) will change that, but there are also several clauses in the act that will allow the privacy commissioner to fine or penalize organizations. This is a big step for awareness in the Canadian environment.”
Another growing compliance issue is the prevalence of regulatory tests or audits for cyber exposures. “We are also seeing regulators like OSFI (Office of the Superintendent of Financial Institutions) come out with guidelines for banks and federally regulated financial institutions with respect to cyber risk,” Rosenbaum says. “That is absolutely going to force awareness. It will also lead to changes in protocols and procedures with respect to the publicity around data breaches,” he adds.
WORLD OF SYSTEMIC RISK
Beyond regulatory compliance, the emerging term for global cyber liability exposures is “systemic risk.” This points to both the near-total reliance of various industries and sectors of the economy on the Internet and related technology, as well as the interdependency and interconnectivity of networks and devices among companies, vendors, supply chains and customers.
In April, Zurich Insurance Group released the Zurich Cyber Risk Report in collaboration with the Atlantic Council. In the study, the Swiss insurance group identified seven interconnected risks, including internal IT enterprise, counterparties and partners, outsourced and contract, supply chain, disruptive technologies, upstream infrastructure, and external shocks.
“While our society’s reliance on the Internet grows exponentially, our control of it only grows linearly, limited by outdated government procedures and ineffective governance,” the report notes. “Yet modern cyber risk management does not give much thought to ‘distant digital perfection,’ the aggregations of cyber risk, which lie sometimes far outside an organization’s own server and firewalls,” it adds.
Other sources concur on the notion of systemic risks facing organizations in today’s cyber world. “I think people are getting a better understanding of their exposures and how (these) are changing,” Irvine says. “There is a shift there in clients’ understanding that their exposures are much broader than network breach and financial loss,” he adds.
“There’s still a gap in knowledge around systemic loss, as many companies feel they have passed their liability onto their data hoster or cloud provider, which is not the case,” notes Geoff White of Barbican Insurance Group. “You, as the data controller, are responsible for the data, and most contracts still limit the data hoster’s liability to the annual fees paid by the customer.”
White adds that the education level of clients is just as uneven as the take-up rate of cyber coverage. “Some companies are treating the risk seriously; many are still putting their heads in the sand on this issue,” he maintains.
“There are a lot of companies that are doing a great job managing their cyber risks, but there are also a lot that are lagging behind,” Goldie concurs. “The hackers can find those lagging behind and access those systems quite easily. You don’t want to be the last one in line,” she cautions.
The laggards may become more exposed in the bigger picture of systemic risk, sources suggest. “What has happened over the last few years is a very strong awareness that technology is now core for virtually all industries. It is increasingly difficult to stay on top of the technology risks,” Petersen suggests.
“People are talking about the Internet of things, where you can turn your washing machine on or check your house lights with your smartphone,” says Kalinich. “These are great developments, but it is unknown what new exposures this will be creating in the next few years. You can imagine what kind of havoc cyber criminals could cause if they get access to that type of information,” he adds.
Class action litigation, systemic risk, regulatory compliance, reputational exposure – these are threats that brokers and insurers argue require a thorough discussion at organizations about cyber risk management solutions. The risks are real, as is the potential for insurance risk transfer.
How many organizations make the next step to incorporate cyber insurance into their risk programs will represent the evolving next phase of online risk protection. Will it be a cyber big bang breakthrough or the continuing grind to raise client awareness?