Welcome to The Betterley Report Blog on Specialty Insurance

Welcome to The Betterley Report Blog on Specialty Insurance Products.  In this blog, I hope to shed some light on the different specialty insurance products available to commercial insureds, and how individual products differ from one another.  With luck, we’ll be providing information that helps readers choose the right types of products for themselves and their clients.

If you are familiar with The Betterley Report, you know that I write about specialty insurance products designed for commercial insureds of all sizes.  I have been authoring these Reports since the mid-’90s (!), and am fortunate to have many of the leading insurance companies, agents and brokers, reinsurers, attorneys, and service providers, as well as Risk Managers and CFOs, as subscribers.

As I talk with my readers, they often ask me about new developments in the products I cover.  With each Report limited to an annual freshening, we have not had a way to provide interim updates.  I figure that this blog might solve that problem nicely, since I can report on new products and changes in existing products as they are hitting the market.  Since I don’t want to just be an outlet for press releases, I’ll be sure to offer some observations about those products as well.

These Reports are available only to subscribers, and each Report is updated annually.  Some of the products I research are Cyber Risk, Directors & Officers Liability, Technology Errors & Omissions, Employment Practices Liability, and Intellectual Property insurance.  There are 6 Reports each year.

I write The Betterley Report for insurance professionals that want to find out who has the most appropriate insurance product for their clients, and for insurance companies  looking for competitor intelligence.  To be candid, I also write because I believe that comparative information helps drive improvement in the product .  As an independent risk management consultant (which means I advise clients on the types of insurance they need and which insurers they should buy them from, as well as alternatives such as self insurance), improving the breed is a passion for me.

So, welcome – this is a work in progress, and I hope you will join me in moving the specialty insurance products business forward.

Note: just got my first comment on our October issue (covering Side A D&O products), so I’d better get blogging.

Snips from our Technology E&O Market Survey 2012

Today, we posted our update of our report on Technology Errors & Omissions insurance products.  This Report covers insurance that is purchased by providers of technology products and services, and includes our comparison of insurance products offered by 30 carriers.  The Report is here.

Some of the highlights from the Report:

• Rates are rising; not by a lot (5% or so), but after years of rate decline, this change is important.  The increasing premium base coupled with this rate increase means insureds will be seeing meaningful rises in their insurance costs.
• We don’t expect any onerous contraction in the market; it is healthy, and should remain so.
• However, the spate of data breaches, if considered to be the fault of service providers, has the potential to deteriorate loss ratios and, potentially, further drive up rates (and perhaps drive some carriers from the market).
• There is a great deal of disagreement between carriers as to whether  response costs for a breach of client data while within control of the insured, is covered if it is not the result of an error or omission.  We are concerned about this: we think that service providers would want to – and be expected to – cover a client’s costs of responding to the breach.  This response shouldn’t require the breach to be the result of E&O.  We predict that carriers will offer more explicit breach response coverage for breaches of client data if they don’t already.

Next issue: Intellectual Property and Media Liability Market Survey 2012 (April)

Poll results are in: thoughts and a summary on renaming Cyber Insurance

Little did I know when I created my simple LinkedIn poll on ideas for renaming Cyber Insurance that we would receive 122 votes and 27 comments.  Since it is now closed, here are the results:

The poll was limited in that it required the participants to choose from 5 names, and did not allow an answer of ‘none of the above.’  Happily, some of the comments included their own suggestion.

Summarizing the poll results:

• Information Security Insurance – 63 votes (52%)
• Network Security Insurance – 23 votes (19%)
• Privacy Insurance – 16 votes (13%)
• Data Breach Insurance – 14 (11%)
• Network Breach Insurance – 6 votes (5%)

There were several suggestions offered up; some of the more creative included:

• Complete Data Breach insurance (which tried to get at a description of all kinds of data, not just electronic, which is an important distinction; won’t fly with the insurance industry, but I like the attitude)
• Information (or Data) Wellness insurance (doing healthy things to better manage exposures)
• Information insurance (to simplify the name, similar to life insurance, auto insurance, fire insurance, etc.)

And there were some great comments, such as:

• The term Cyber focuses insureds too much on technology risk, and may encourage investments in technology solutions while ignoring risks that arise from non-tech risk
• And from one commentator, although he didn’t originally like the term ‘cyber’, he has warmed to it, because:

- It means nothing (which means we can apply the definition we want to it)
- It is catchy (true)
- Some people actually know what it generally means

What does all of this say about the product term Cyber Insurance?

I took away the following:

• There’s a lot of unease about the accuracy of the product term Cyber, which seems to emanate from the idea that this line of insurance (should) cover a lot more than cyber-related risks
• Suggestions seem to focus on Information instead of Cyber.  I like that idea, since (as noted) cyber-based data is only one source of claims.  Claims can result from loss of data that occurs not only through network breaches but also through other  channels, such as lost or stolen laptops, thumb drives, disks, tapes, and paper records.  I believe that Information includes cyber but is not restricted to cyber, so is a more accurate term.
• But, before we go about changing names (not that I have that kind of influence), cyber has been the term for some time now, and many users know what it means.  We might change it to a more current (accurate?) term, but will it really be understood any better?

I promised a free copy of The Betterley Report Cyber Insurance Market Survey 2011 and our Middle Market Purchasing Opinions on Cyber Insurance Study to the best suggestion.  Although there were many good ones I thought Erich Bublitz of ThinkRisk showed great insight when he commented:

“It is difficult naming the coverage in part because the coverage varies so much from market to market and what is a good description for one policy is not a good description for another policy. However, keeping the term Cyber is doing a disservice to the industry and to the insureds. When people hear cyber, they assume IT which often makes the IT leader assume this coverage is being bought to cover IT and they then want to make the case they could better spend the money on a firewall or IDS. Additionally, we as an industry want, and the data security industry want, clients to start thinking about enterprise risk management, rather than IT risk management. The term cyber is not helping make the transition to ERM.”

I’d like to thank the 122 participants in the poll and the many others that read the comments, even if they didn’t offer any themselves.

Snips from EPLI Market Survey 2011

Posted our 2011 EPL Insurance Market Survey 2011 last week; here are some of our observations:

• Rate adequacy and expense control continues to be the story, with carriers finally convinced of the need to obtain higher rates.  (Note: I could probably have said that better; carriers have been convinced for years – now they are executing, and the intermediaries and consultants are willing to accept it).
• 34 carrier products included – we added Zurich after some years away (Zurich/Steadfast was in our original survey of 5 carriers way back in 1993) and Arch.
• Carriers removed from the Survey this year: CoverX/First Mercury (sold to Crum & Forster) and Evanston, which hasn’t responded to information requests for 2 years running.  Evanston promises to provide information for the 2012 Survey.
• More carriers bringing out industry-specific products, especially for health care.
• Established EPLI carriers extending the product to their Business Owner Package-type products.
• Value-added Risk Management services continue to be added and improved.
• And lastly, but not surprisingly – real wage & hour coverage remains scarce.   We wish it were otherwise.

Poll results for ‘Does Cyber insurance need a new name?’

If you recall, I created a poll on LinkedIn, asking for suggestions and comments.

The results are here, although there may still be additional comments in the next couple of weeks.

Looking at those results, there is a clear preference for Information Security Insurance, which I rather like (and admittedly proposed – although I randomized the poll questions, I did make my vote public, which probably biased the results).

There have been requests to broaden the choices; I had restricted them to 5 in the interest of clarity, but maybe I need to rethink this.

Anyway – go take a look at the results for some interesting insight into how some very knowledgeable people in the cyber insurance arena see the product and its role.

Does Cyber Insurance need a new name? Please consider taking the poll I have created below

Cyber Insurance may benefit from a new name (or at least so goes the chatter).

Although I don’t make the decisions when it comes to naming lines of insurance, I think we all would benefit from considering some alternatives.

I have created a simple poll here.  If you would, please take a look at it and make a selection.  I’ll report back.

(and, if you don’t like the 5 choices, please provide your choices in a comment to this post)

I’ll provide a free copy of The Betterley Report Cyber Insurance Market Survey 2011 and our Middle Market Purchasing Opinions on Cyber Insurance Study to the best suggestion.  Tie goes to the first respondent and I am the sole judge.

Thanks!

NASA’s IT Security offical interviewed – corrected title

IQPC’s upcoming conference on Cyber Risk and Data Breach has an interesting speaker scheduled, the Assessment and Accreditation Official for the Kennedy Space Center in Florida. (note: we had misstated Ann Marie’s title in the original post, which she has kindly corrected for us).

Ann Marie Keim will speak about looming cyber-security risks of the moment and what defenses organizations are putting in place to counteract and anticipate these threats.  Since I believe the most advanced active cyber defense research is (I believe) being conducted by and for governmental organizations, I thought this brief article should be of interest to many of you.

You can get a copy of the Q&A article here.

Will cloud computing be the death of cyber insurance – or it’s salvation?

 

Cloud computing is generally understood to mean the provision of applications and services offered over the Internet. These services are offered from data centers all over the world, which collectively are referred to as the “cloud.” This metaphor represents the intangible, yet universal nature of the Internet (thanks to TechTerms for this definition).  Cloud services include the hosting of data on the provider’s servers.

As many cyber commentators are noting, this movement of data from the insured to the cloud service provider is a material change in the exposure to loss; data are now held (and we hope protected) by a third-party.  Data in the hands of third-party service providers isn’t actually a new concept, but hosting the data on a large-scale basis is new(er).

Does this increase the risk of data breach?  Decrease it?  What are the implication for insureds, cyber insurers, and reinsurers?

Increased risk to insureds and their insurers:

• The data are out of your control; you are vulnerable to the data protection standards and execution of another party.  Will their standards be as strong as yours? Executed as well as yours?  If the standards and execution change, will you be informed?  If so, what if the changes aren’t to your liking?  What are your options?  It may not be as simple as changing providers.
• Not only is another company now holding your data, the fact that it is now concentrated in a more public (cyber) location may make it more of a target.  Hackers may not know that your data exist, but they may target the holder of your data for reasons beyond you (maybe the service provider has angered the activist hacker community, or another one of their clients becomes a target, and your data get caught up in the attack).
• What happens to your data if the service provider goes out of business?

I acknowledge that there can be contractual protections against these types of problems, but are they foolproof?  I doubt it.

• For insurers, the concentration of risk should be a worry; there is little reinsurance purchased for cyber policies, and insurers should be very concerned about a single breach that affects numerous insureds now that they are in the cloud.  Accumulation risk has always been a concern; it seems as though the cloud makes that risk exponentially greater.

Decrease in risk to insureds and insurers

• Cloud computing is often described by commentators as a one-way change in risk, but we aren’t so sure.  Many cloud users are smaller organizations, including many start-ups.  These users may not have the resources, insight, and patience to construct and maintain strong security measures.  For them, maybe the cloud is actually a safer environment.
• If an organization uses the cloud, and the vendor(s) have strong data protections that are known to underwriters, maybe it will make the job of underwriting easier and more successful?  Sometimes protecting a single point of risk can be more effective than protecting many points.

Implications for reinsurers:

• We spoke above about accumulation risk; this worry should extend to reinsurers to the extent cyber is being reinsured – but it also presents an opportunity for creative reinsurance products to protect primary insurers from a single breach/many insureds loss.

So, I think that the increased use of cloud computing brings increased risk, but also increased opportunity, for insurers and reinsurers.  Cloud risk can be managed, data protection investments can be spread over more data, and active defense (see my earlier post ‘I am growing increasingly worried…”) may be available to beat back the bad guys.

And finally – might cyber risk insurance distribution be changed from data holders buying insurance individually to it being provided by the cloud service provider?

What do you think?

Premium volume estimates for Management Liability policies

In The Betterley Report, I try to estimate the written premium for the line I am covering; for our Private Company Management Liability Report, I have a challenge making an estimate, as many carriers keep the premiums by line, not by the bundled policy.

I had several readers ask me to try harder, so I have.  Recently, I asked the participating carriers directly for their estimate of the market size; I received numerous answers.  Here are the ones that I thought were most useful:

• $2 billion (this is from 2 major carriers + 1 reinsurer)
• $2.5 billion (from 2 carriers)

I believe about 1/2 of this premium is written by the 4 largest writers of MLI products.

So, there you have our estimate – $2-2.5 billion in gross written premium for U.S.-based Private Company Management Liability products.  I’d be interested in your estimates (or comments).

Cyber Insurance – I am Growing Increasingly Concerned that Insurers Won’t be Able to Keep Up with the Threat

I have been doing a lot of thinking about the ability of the insurance industry to profitably underwrite cyber risk insurance.  As I try to gain a deep understanding of the cyber industry from insurers, pre- and post-loss service providers, attorneys, and technology experts, it is becoming increasingly apparent to me that cyber is unlike any other type of insurance that I can think of – and I question whether it will remain insurable.

I can’t think of another line of insurance where the exposure to loss is created (in large part) by a hostile, active, and motivated opponent – the for-profit hacker.  Cyber insureds are under constantly evolving, widely dispersed, attack, and cyber insurers are going to pay for the results of those attacks.

What other lines of insurance protect against risk that is actively generated by persons primarily from outside the organization?  Not many come to mind, other than Kidnap & Ransom and portions of a Blanket Bond (financial institutions, jewelry stores, etc.), cargo theft, and high seas piracy.  While each of these lines of insurance cover losses caused by some very capable opponents, they are pretty well understood and I would say manageable from a security standpoint.

When it comes to liability insurance and Workers Compensation, we have always worried about the ability of the plaintiff’s bar to create new theories of liability, but these tend to evolve slowly, giving insureds and insurers time to evolve and adapt.

But what about cyber?  Here we have a constantly changing source of threats, some of them quite sophisticated, and they can be tweaked almost instantly to counter potential defenses.  Techniques and tools can be updated quickly and shared with other black hats.  Deployment is rapid, widely dispersed, and adaptable.

Now, compare this with an industry that has to essentially rely on the insured to manage its own defense, relies on an annual process of applications that provides only a snapshot of the exposure at the time it is completed, and which is admittedly challenged at identifying the true risk of loss.

I am immensely impressed with the best of the cyber underwriters, but I am worried that they are outgunned.  Underwriting tools may never be able to keep up with the bad guys.

What the industry will increasingly need to rely on is not a passive Maginot Line of defenses, but active defense.  Wouldn’t it be great if an underwriter could require insureds to be subscribers to an active defense services provider and enjoy the confidence that the insured is being protected on an ongoing basis.  Is such a service even available?

More later…

Snips from our Private Company Management Liability Insurance Market Survey 2011

We are pleased to let you know that our Private Company Management Liability survey was posted recently at betterley.com.  This Report reviews bundled products that can included D&O, EPLI, Fiduciary Liability, and other executive liability products.  The target market is generally middle market and smaller insureds.

We have selected twenty-three carriers for this year’s Survey, up from twenty in 2010. Newly added carriers include Argo and Zurich; Starr is back after a one year absence.

2011 looks to be similar to 2010, but with a definite firming of rates indicated as the year develops.  While we do not expect any significant increase in rates, discounts are disappearing, and small (5% or so) increases are more common.

The volume of business (gross written premium) is rising a bit, with most carriers reporting total premium growth in the 0-10% range; markets reporting flat or down premiums tend to be the smaller companies, as continuing softness in rates combined with cutbacks in coverage made for an environment in which a carrier was happy just to get as much premium as they did from the expiring policy.  We see support, though, for premiums to resume their climb as insureds recover from the recession.

Based on confidential conversations, we found:

• Premium growth (2011 projected versus 2010) is rising slightly, accelerating as we get further into the year.
• Rates are flat or up 5 to 10 percent for good insureds, a bit more (10 to 20 percent?) for the less attractive insureds
• Deductibles are flat
• Reinsurance support is stable.

Although carriers continue to broaden the types of coverages they offer the middle market, we believe they are missing a golden opportunity by not offering more coverage options.

Adding more coverage options can be a successful product strategy because MLI policies are an easy sell to insureds and their brokers – most insureds need at least a couple of the core coverages (EPL and Fiduciary).  Adding additional coverages to an existing policy is an easier buy (or sell?) for many insureds, who find it easier to add an option than to buy an entirely new policy.

Many insureds and brokers have told us over the years that they can get internal support for an added coverage option that would have encountered resistance as a new policy purchase.  This was especially true during the recent soft market, when premium reductions freed up budget for additional insurance purchases.

More about lines of coverage soon (or, read the full Report at www.betterley.com).