Skip Ribbon Commands
Skip to main content

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​

 

‭(Hidden)‬ Catalog-Item Reuse

4 Coverage Developments to Monitor for Cyber Clients

As more small business clients begin waking up to the need for cyber insurance, keep an eye on cybercrime, canned programs, small business distinctions and disappearing sublimits.
Sponsored by
4-coverage-developments-to-monitor-for-cyber-clients

Like drones, cyber insurance is infiltrating every commercial market you sell, from D&O to hotels/motels.

As more small business clients begin to wake up to the need for this type of insurance and continue to enjoy competitive pricing in 2016, here are four cyber coverage developments to keep an eye on:

Cybercrime. These activities continue to pick up steam, presenting new exposures for businesses of all sizes. “We’re definitely seeing an increase in both those types of claims and the number of insureds that are looking for that coverage,” says Brian Thornton, president of ProWriters. “There’s a lot of confusion as to the gap between a crime policy and a cyber policy and where those coverages may meet on certain claims.”

A standard crime policy, for example, might include coverage for computer and funds transfer fraud—what Thornton calls “non-voluntary parting with your own assets,” such as when a hacker illegally obtains a business’s username and password and wires money to the hacker’s account.

By contrast, coverage for cyber deception—also known as impersonation and “social engineering fraud,” depending on the carrier—involves “voluntary parting with your own assets,” Thornton says: A company might be tricked into wiring money to a fraudster’s account, usually through an online phishing event.

But “a lot of cyber markets can also offer that on a cyber policy,” Thornton explains. “We’re seeing a lot of demand from companies to have the deception coverage and make sure they’re protected. Some cyber markets are well ahead of the curve and some are way behind in terms of being able to address that in a cyber policy.”

Canned programs. Alex Wayne, president of A.J. Wayne & Associates, Inc., has noticed these cropping up for cyber liability in what he calls “homogenous types of exposures,” such as accountants or even insurance agents. “What I’ve seen for certain classes of business is that they get an extremely competitive pricing for those programs,” he says.

Many companies include these inexpensive cyber programs as add-ons to a different type of policy they’re really trying to push, such as E&O or D&O, to “sweeten the deal,” Wayne says. And although they tend to be “stripped down” from a coverage standpoint—“you’re not going to get the full range of coverage that you might see from a standalone policy,” Wayne says—the limited coverage they provide may be adequate for some clients.

“If the insured only has a low amount of records, it’s not going to be as much of an issue if they have a lower coverage level on some of those sublimits or sub-coverages,” Wayne explains.

Small business distinction. As more small businesses begin to realize cyber is not just necessary for Target and Home Depot, pay attention to the growing distinctions between the cyber coverage needs of small vs. large businesses.

“In our experience, large accounts—companies with revenues greater than $1 billion, with established data privacy protocols—typically understand the way cyber policies work,” says Matt Prevost, vice president, cyber product manager, financial lines, Chubb. These companies, which “have their own incident response team and incident response lawyers, value the risk transfer more than the post-incident services that accompany a policy.”

For a large client, “it’s higher limits, higher deductibles, higher price and often the larger accounts have many carriers on their program, whereas a small business might have one,” Thornton says. “Security expectations go up with size as well. And a lot of larger companies are also doing business outside of the United States, where they might have different regulations they need to comply with.”

By contrast, in most instances, “small businesses don’t have nearly as many records,” Wayne says. “A business with 40 million records obviously has a lot more exposure than a company that might have 100,000. The severity can be much worse with more records.”

In the small space, “understanding how the policy works and the services that come with the policy tend to support that small business buyer’s decision,” Prevost explains. “The buyer’s sophistication level is a lot different.”

Disappearing sublimits. Prevost says sublimits are “seismically changing” in cyber liability—and that it’s warranted. Compared to even five years ago, “carriers are more inclined to provide full limits instead of sublimits for certain cyber coverages,” Wayne says.

“They’re disappearing to a degree—certainly sublimits have gone a lot higher toward the full limits within the policy,” Thornton agrees. “And there are a lot of updated policy forms in the market. We’re still seeing changes in coverages and endorsements that are available.”

In areas like incident response and reputational harm in particular, “we haven’t necessarily seen a lot of companies take full advantage of available limits, such as public relations expenses,” Prevost says. “That will likely start to change when customers want to avoid the reputational impact of an incident  or at least understand how to control the impact.”

Want to know what’s on the horizon for cyber liability? Keep an eye on IAmagazine.com and upcoming editions of the Markets Pulse e-newsletter.

Jacquelyn Connelly is IA senior editor.

13032
Tuesday, June 2, 2020
Cyber Liability