Category Archives: Cyber Risk Insurance

Rick’s Keynote Presentation at the PLUS Cyber Symposium (September 17, 2015)

PLUS was kind enough to invite me to speak at this year’s Cyber Symposium, a not-to-be missed gathering of leaders in the Cyber insurance and risk community.

Unfortunately, I was unable to attend due to a scheduling conflict but PLUS asked me to pre-record a keynote address. Done in the form of an interview, it was presented during the opening breakfast and can be watched here: PLUS Cyber Symposium 2015 Betterley Keynote

My thanks to PLUS for allowing me to share some of my current thinking about product, market conditions, and what’s on the horizon for Cyber.


Cyber Insurance – a Market in Turmoil for Larger Insureds, but Very Competitive for the SME

We recently published our 2015 Cyber/Privacy Insurance Market Survey.  The free 20 page summary article can be read here: Cyber/Privacy Insurance Market Survey 2015 Summary.  To purchase the entire 147 page Report, which includes specific information about carriers, products, capacity, market focus, click here: Cyber/Privacy Insurance Market Survey 2015 Full Report.

This year’s Report includes products offered by 31 carriers, up from 28 in 2014.  Newly added  were ANV, Berkshire Hathaway, and Hanover.  The Report estimates a current annual rate of Cyber insurance sales at $2.75 billion, up from $2.0 billion last year.

The Report notes that coverage for larger organizations, especially those involved in extensive retail and health care operations, are finding it more difficult to buy adequate limits at a reasonable price.  Insurers are increasingly strict about adherence to cyber security and Payment Card Industry standards.

And yet, the small- to mid-sized insured has many insurance products competing for its business.  Brokers are actively selling Cyber policies to their insureds, and more are buying than ever before.

This year’s Report included several new questions that have taken on increasing importance in Cyber coverage:

  • In order to better understand whether the product is oriented toward U.S. insureds, non-U.S insureds, or global insureds, we add the question “Is Product Primarily Targeting Insureds Based in the United States, non-United States, or Both?”
  • We more specifically asked about coverage availability for Consumer Redress Funds in the Data Privacy: Regulatory and Statutory Coverage Provided table.
  • Because of the importance of PCI coverage and its increasing complexity, we added a new table to “Data Privacy: Payment Card Industry Coverage Provided” to ask about payment card industry (PCI) fines and penalties and whether fraud charges and/or card reissuance costs could be included.
  • “Data Privacy: Remediation Costs Covered” now includes a question as to whether the costs of credit repair can be covered.
  • The increasing interest and availability of Cyber-related Bodily Injury and Property Damage  inspired a new table addressing “Third-Party Coverage: Bodily Injury and Property Damage.”  Coverage for both direct and indirect causes of loss is described.
  • Concerned that some cyber insurers exclude claims arising out of the insured’s alleged failure to maintain security standards, we added a question to our Exclusions tables.

A new feature in this year’s Report is insight by Cyber underwriters on market conditions for healthcare insureds.  This confidential commentary is much appreciated and gives good insight into their current thinking.  See the Report for further information.

Cyber Insurance for the Small- to Mid-sized Organization – can it be profitable?

Part 2 of my recent WRIN.TV interview focuses on concerns about insuring SMEs on a cost-effective basis.  I comment on:

  • The various sources of Cyber coverages for the SME, including standalone, package, and professional liability policies
  • How  insurers can continue to offer these products at a reasonable cost
  • Challenges in helping more SME’s buy coverage

The interview is here.  It runs about 4 minutes.

Cyber Insurance and the SME Market – How SME’s are the Soft Underbelly of the Cyber Security World

WRIN.TV interviewed me recently about the Small- to Mid-sized enterprise and its place in the Cyber security and insurance worlds.  Note that I used the plural, as the two are still way too separate.

This is a topic that is really interesting, as the interconnections of our global economy create exposures where none existed before.  It is my contention that large enterprises need to tighten up their vendor security to have any hope of being secure themselves.

The 1st part of my interview is here:

Part two will focus on the Cyber insurance market for SMEs and should be available later in February; when it is, I will post the link here.


A Briefing on Cyber Insurance for the Compliance Office

Nymity, a global research company specializing in compliance tools for the privacy office, asked me to offer my thoughts on Cyber insurance from the perspective of the Chief Compliance Officer.  The idea was to provide the non-insurance professional with key information about:

  • The coverages available,
  • The risks of not buying coverage,
  • Why so many organizations don’t buy coverage,
  • Coverage traps to avoid,
  • Value-added risk management services, and
  • Five recommendations for buying coverage

Nymity allowed me to publish it in this blog, so here it is: What is Cyber Insurance Interview

I’d like to thank Nymity for making this information available to the Compliance Officer profession.  There are many parties interested in the purchase of a Cyber policy; helping get the word out to all of them is vital.

Please click here for more information about Nymity.

RIMS Cyber Insurance Session Tuesday 9-11 AM – Cyber 3.0: Cutting-Edge Advancements in Insurance Coverage for Cyber Risk and Reality

I’ll be on the panel at this Innovative Level session on advanced Cyber insurance, addressing our vision of what Cyber needs to be, both for the benefit of insureds and of insurers. If you are attending, please feel free to come up to the podium after the session to say ‘hi’.
Here is the session description:

Category: Insurance and Contract Management
Level: Innovative
Date: Tuesday, April 29, 2014
Time: 9:00 AM – 11:00 AM
Room: 607

Cyber attacks are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and borders. Network security alone cannot fully address the issue-no security system is impenetrable. Every organization is at cyber risk, but not all understand the vital role that insurance can play. Some mistakenly assume that cyber insurance is primarily for financial, health care or retail institutions. Yet, the U.S. Securities and Exchange Commission advises that all disclosures should include a description of “relevant insurance coverage” for cyber risk. This session is hosted by RIMS Pittsburgh Chapter.
Learning Objective:

Explore the newest cyber insurance products.

Assemble a best practices checklist to facilitate successful placement.
Know how to enhance off-the-shelf insurance forms through negotiation.


Ellen Holland, Chief Risk Officer, Oregon University System
Roberta Anderson, Partner, K&L GATES LLP
Roberta Anderson, Partner, K&L GATES LLP
Richard Betterley, President, Betterley Risk Consultants, Inc.
Mark Camillo, Head of Network Security & Privacy Products, Americas, AIG
Risk Manager
Debra Samuel, Manager, Insurance Risk Management, Alcoa Inc.

Contingent Business Interruption and Cyber Events

Recently it was reported that conventioneers attending 2 different Boston conferences are believed to have suffered credit card thefts.  The convention center and various local establishments (hotels, restaurants, etc.) denied that they were the source.

But what got my attention was the comments from attendees that they might think twice about coming to Boston-based on these thefts.  Silly? Yes. It could (and does) happen anywhere.

And it reminded me – when it comes to cyber security, we are all part of one big community.  The losses of one can affect the businesses (and security and contentedness) of other members of their community.

How should (or can) cyber insurers help their insureds protect against the cyber losses of others in which the insured isn’t even involved?  This goes beyond ‘traditional’ contingent cyber interruption.

Your comments are welcomed.