5 Insights Test Cyber Insurance Policies – What Do Your Policies Say? (Part 1)
Is it time to update your cyber insurance product? This is a compelling question for many companies today. Cyber insurance products continue to evolve at a rapid pace.
Two recent reports highlight areas where we can expect more attention from policyholders, agents and insurers.
The reports come from Beazley and NetDiligence, two leaders in the big Cyber marketplace. Both seek to inform insurers currently writing or contemplating a new Cyber insurance offering.
1. Ransomware attacks soar: Beazley reports some startling statistics in its October Insights report. In July and August of 2016 alone, Beazley responded to more ransomware (extortion) attacks than it did in all of 2015. The good news is that the demands average just $1,000. The worrying news is that Beazley projects that it will respond to 400% more ransomware breaches in 2016 than it did last year. Is your policy covering extortion payments to unlock the data and protecting against criminal misuse of the data?
2. Breach response costs /forensics dominate: Breach crisis costs, which are comprised of Forensic, Legal, Notification, Call Center, Monitoring, ID Assistance and Public Relations costs, represent 75% of all Cyber payments. Forensic costs are the highest. The median Forensic cost was $35,450 for all size companies in the NetDiligence sample. Even assuming a lower cost for small business breaches, the number raises a concern about coverage adequacy. Do sub-limits on the most important element of a breach response program potentially shift costs back to your insureds?
3. PCI fines are more frequent than regulatory penalties: 5% of the claims in the NetDiligence study included Payment Card Industry (PCI) fines compared to 1% with costs from Regulatory actions. This finding surprised us, and we suspect the small sample size offers some explanation. Still, PCI fines are important for any book of retail business. Does your policy pick up these costs?
4. Hacking, malware and virus drive claims: Both studies reported that hacking, malware and virus attacks are the most common causes of data breaches. NetDiligence attributed 44% (31% for Beazley) of all breaches to these combined causes. Both organizations said these findings were consistent with 2015 experience. Some policies include sub-limit virus/malware losses. Others may exclude virus/malware that impact multiple networks or are named by Cyber watchdogs because they are widespread. Does your form exclude or limit coverage for broader attacks that happen to catch your insured in the net?
5. Small business breach costs rise: NetDiligence found that the median cost of a breach to a "nano-revenue company" (under $50 million) in its 2016 sample was $49,000 - up 34% from $32,500 one year ago. For the next size tier of businesses with over $50 million in revenues, the median cost is close to $88,000. These numbers can help insurers evaluate what limits to offer to the risks in their book.
Do you have options for risks now and as they grow in size?
Another great test of policy forms is to apply them to actual events. Have you checked how your Cyber policy and competitor products respond to the major distributed denial of service (DDoS) attack that affected Twitter, Airbnb and many more websites on October 21, 2016? You are likely to find a variety of provisions and answers. Are you satisfied with those answers? Watch for our next Cyber blog for more on how insurance forms fare in this test.
You can find many valuable insights in these 2016 studies. And of course, we are always available to discuss our observations or any aspect of Cyber insurance.
With thanks to my former colleague, Wendy Woolf, who contributed to this article.
For more information, see the following: