Category Archives: Insurance Companies

Will cloud computing be the death of cyber insurance – or its salvation?

Cloud computing is generally understood to mean the provision of applications and services offered over the Internet. These services are offered from data centers all over the world, which collectively are referred to as the “cloud.” This metaphor represents the intangible, yet universal nature of the Internet (thanks to TechTerms for this definition).  Cloud services include the hosting of data on the provider’s servers.

As many cyber commentators are noting, this movement of data from the insured to the cloud service provider is a material change in the exposure to loss; data are now held (and we hope protected) by a third-party.  Data in the hands of third-party service providers isn’t actually a new concept, but hosting the data on a large-scale basis is new(er).

Does this increase the risk of data breach?  Decrease it?  What are the implications for insureds, cyber insurers, and reinsurers?

Increased risk to insureds and their insurers:

  • The data are out of your control; you are vulnerable to the data protection standards and execution of another party.  Will their standards be as strong as yours? Executed as well as yours?  If the standards and execution change, will you be informed?  If so, what if the changes aren’t to your liking?  What are your options?  It may not be as simple as changing providers.
  • Not only is another company now holding your data, the fact that it is now concentrated in a more public (cyber) location may make it more of a target.  Hackers may not know that your data exist, but they may target the holder of your data for reasons beyond you (maybe the service provider has angered the activist hacker community, or another one of their clients becomes a target, and your data get caught up in the attack).
  • What happens to your data if the service provider goes out of business?

I acknowledge that there can be contractual protections against these types of problems, but are they foolproof?  I doubt it.

  • For insurers, the concentration of risk should be a worry; there is little reinsurance purchased for cyber policies, and insurers should be very concerned about a single breach that affects numerous insureds now that they are in the cloud.  Accumulation risk has always been a concern; it seems as though the cloud makes that risk exponentially greater.

Decrease in risk to insureds and insurers:

  • Cloud computing is often described by commentators as a one-way change in risk, but we aren’t so sure.  Many cloud users are smaller organizations, including many start-ups.  These users may not have the resources, insight, and patience to construct and maintain strong security measures.  For them, maybe the cloud is actually a safer environment.
  • If an organization uses the cloud, and the vendor(s) have strong data protections that are known to underwriters, maybe it will make the job of underwriting easier and more successful?  Sometimes protecting a single point of risk can be more effective than protecting many points.

Implications for reinsurers:

  • We spoke above about accumulation risk; this worry should extend to reinsurers to the extent cyber is being reinsured – but it also presents an opportunity for creative reinsurance products to protect primary insurers from a single breach/many insureds loss.

So, I think that the increased use of cloud computing brings increased risk, but also increased opportunity, for insurers and reinsurers.  Cloud risk can be managed, data protection investments can be spread over more data, and active defense (see my earlier post ‘I am growing increasingly worried…’) may be available to beat back the bad guys.

And finally – might cyber risk insurance distribution be changed from data holders buying insurance individually to it being provided by the cloud service provider?

What do you think?

Cyber Insurance – I am Growing Increasingly Concerned that Insurers Won’t be Able to Keep Up with the Threat

I have been doing a lot of thinking about the ability of the insurance industry to profitably underwrite cyber risk insurance.  As I try to gain a deep understanding of the cyber industry from insurers, pre- and post-loss service providers, attorneys, and technology experts, it is becoming increasingly apparent to me that cyber is unlike any other type of insurance that I can think of – and I question whether it will remain insurable.

I can’t think of another line of insurance where the exposure to loss is created (in large part) by a hostile, active, and motivated opponent – the for-profit hacker.  Cyber insureds are under constantly evolving, widely dispersed attack, and cyber insurers are going to pay for the results of those attacks.

What other lines of insurance protect against risk that is actively generated by persons primarily from outside the organization?  Not many come to mind, other than Kidnap & Ransom and portions of a Blanket Bond (financial institutions, jewelry stores, etc.), cargo theft, and high seas piracy.  While each of these lines of insurance covers losses caused by some very capable opponents, they are pretty well understood and I would say manageable from a security standpoint.

When it comes to liability insurance and Workers Compensation, we have always worried about the ability of the plaintiff’s bar to create new theories of liability, but these tend to evolve slowly, giving insureds and insurers time to evolve and adapt.

But what about cyber?  Here we have a constantly changing source of threats, some of them quite sophisticated, and they can be tweaked almost instantly to counter potential defenses.  Techniques and tools can be updated quickly and shared with other black hats.  Deployment is rapid, widely dispersed, and adaptable.

Now, compare this with an industry that has to essentially rely on the insured to manage its own defense, relies on an annual process of applications that provides only a snapshot of the exposure at the time it is completed, and which is admittedly challenged at identifying the true risk of loss.

I am immensely impressed with the best of the cyber underwriters, but I am worried that they are outgunned.  Underwriting tools may never be able to keep up with the bad guys.

What the industry will increasingly need to rely on is not a passive Maginot Line of defenses, but active defense.  Wouldn’t it be great if an underwriter could require insureds to be subscribers to an active defense services provider and enjoy the confidence that the insured is being protected on an ongoing basis?  Is such a service even available?

More later…

Snips from our Private Company Management Liability Insurance Market Survey 2011

We are pleased to let you know that our Private Company Management Liability survey was posted recently at betterley.com.  This Report reviews bundled products that can include D&O, EPLI, Fiduciary Liability, and other executive liability products.  The target market is generally middle market and smaller insureds.

We have selected twenty-three carriers for this year’s Survey, up from twenty in 2010. Newly added carriers include Argo and Zurich; Starr is back after a one-year absence.

2011 looks to be similar to 2010, but with a definite firming of rates indicated as the year develops.  While we do not expect any significant increase in rates, discounts are disappearing, and small (5% or so) increases are more common.

The volume of business (gross written premium) is rising a bit, with most carriers reporting total premium growth in the 0-10% range; markets reporting flat or down premiums tend to be the smaller companies, as continuing softness in rates combined with cutbacks in coverage made for an environment in which a carrier was happy just to get as much premium as they did from the expiring policy.  We see support, though, for premiums to resume their climb as insureds recover from the recession.

Based on confidential conversations, we found:

  • Premium growth (2011 projected versus 2010) is rising slightly, accelerating as we get further into the year.
  • Rates are flat or up 5 to 10 percent for good insureds, a bit more (10 to 20 percent?) for the less attractive insureds
  • Deductibles are flat
  • Reinsurance support is stable.

Although carriers continue to broaden the types of coverages they offer the middle market, we believe they are missing a golden opportunity by not offering more coverage options.

Adding more coverage options can be a successful product strategy because MLI policies are an easy sell to insureds and their brokers – most insureds need at least a couple of the core coverages (EPL and Fiduciary).  Adding additional coverages to an existing policy is an easier buy (or sell?) for many insureds, who find it easier to add an option than to buy an entirely new policy.

Many insureds and brokers have told us over the years that they can get internal support for an added coverage option that would have encountered resistance as a new policy purchase.  This was especially true during the recent soft market, when premium reductions freed up budget for additional insurance purchases.

More about lines of coverage soon (or, read the full Report at www.betterley.com).

Cyber Risk Insurance Market Survey 2011 – snips from our new Report UPDATED

Cyber Risk Insurance Market Survey 2011 was posted on our site June 30th, just making deadline – and did that ever surprise me, as the Report has grown from an already lengthy 100 pages to 185 pages.  Adding 10 new carriers will do that to you, as will adding a new section on Media Liability coverages.

The increase in the number of new carriers was driven by the land rush of insurers to the new big thing in specialty insurance – privacy coverage (which while not new is getting much more mind share from agents and brokers).  Subscribers were asking about carriers that we weren’t covering which, on investigation, had products worthy of inclusion.

Next year we are going to try to whittle the size back down, probably by unwinding some of the Tech E&O coverages that have found their way into the Cyber report (we cover Tech E&O in a separate report each February).

More later (I said on July 7th); later has finally arrived.

Here are some more snips from our Cyber Report:

Annual premium volume information about the U.S. Cyber Risk market is hard to come by, but in reviewing the market, we have concluded that the annual gross written premium is in the $800 million range (up from $600 million in last year’s Report).  We suspect that the market will continue to grow, as protection against privacy breaches and the growing importance of post-breach response (also known as remediation) services drives the market.

Privacy coverage is clearly driving the market; Cyber Risk seminars and conferences are packed with prospective customers, carriers, brokers, and attorneys interested in privacy risk, coverage, and services.  Interest is translating into purchases, which we (and many others) have been predicting.  Management may still be thinking ‘it can’t happen here’ but as more events occur that would be covered, more Cyber Risk insurance is being bought.

Many carriers are reporting strong growth in premium.  Although we must maintain confidentiality about the details, carriers that have been significant players in the Cyber Risk market for at least several years indicate premium growth ranged from flat to over 100%.  More than one of these carriers reports growth of over 100%, while several others report between 50% and 100%.  A few were in the 10-25% range, and the others were under 10%.  This is remarkable, considering how difficult it has been for commercial property and casualty insurers to grow their top line revenue in the severe economic downturn.

Rates for Cyber Risk insurance, like the traditional commercial insurance lines, are still showing signs of softness.  Some of the smaller carriers report plans to reduce rates on the order of 5-10%, while the larger carriers indicate that rates will stay flat or perhaps down a bit (5%).  Several reported that they expect their competitors will reduce rates even further, a sure sign of a soft market.

  • Note: I am increasingly concerned that the frequency of breaches is higher (perhaps far higher) than anticipated, and that current coverage arrangements may be hard to sustain.  Carriers may react to this frequency by increasing retentions, and worse, restricting limits.  I don’t think that higher rates will be the answer (though we may see those as well).

EPLI Market Survey 2010 posted at www.betterley.com – some snips

Carriers new to this issue of The Betterley Report include Allied World, Argo (both Group and Re), and USLI.

Here are some comments from the Report, now up to 103 pages.

About the market:

  • As we participate in industry conferences focused on EPLI, there is a strong undercurrent of discomfort with underwriting results.  Attributable mostly to increased claims activity emanating from the Great Recession supplemented by increasing costs of defense, carrier product leadership seems poised to insist on some relief.
  • We think this relief will take the form of increased deductibles, and perhaps a bit of rate increase.  Deductibles are the preferred route, as insureds will typically be more willing to accept a possible increase in potential cost (if there aren’t any claims for an insured, their cost doesn’t increase).

About Wage and Hour:

  • Wage and Hour should be insurable for small- to mid-sized employers.  We think there are many instances where the violation was unintentional, not caused by an employer trying to deny its employees a just compensation.  While we do not believe that insurance should step in to pay for compensation found to be owed to the employees, nor to pay for related governmental fines, multiplied damages and attorney’s fees could be covered.

Your comments are encouraged.

The Middle-market’s Opinion of the Value of an Underwriter’s Knowledge in Cyber/Privacy Insurance

In our recent study of the market for cyber/privacy insurance and services, we asked insureds and prospective insureds about their opinion of the value of a knowledgeable underwriter.  This is an important question in a complex, evolving product like Cyber.

We were surprised, though we probably shouldn’t have been, that the respondents were not all that concerned with the expertise of the underwriter.

Why is this important?  Not only can a knowledgeable underwriter help an insured or a prospective insured understand the risks that are being evaluated, they are also more likely to be a more stable market.  I believe that an expert underwriter who understands the risks is less likely to be surprised when claims arise, as they inevitably do.  A surprised underwriter might react by restricting coverage, dramatically raising rates, or even withdrawing from the market.

Naive capacity is not good for insureds, brokers, or insurers.  We’d like to see these middle-market companies place more value on the knowledge of their underwriter, as well as on the knowledge of their broker, when considering cyber insurance.

Here’s the question and the results, as well as more of my comments: Value of Underwriter’s Knowledge

What do you think?

§ Market Penetration and Product Awareness – 9 charts

% of respondents that carry Cyber Risk insurance

Reasons why they don’t buy this insurance

Do they intend to buy it in the next 18 months?

How they learned of Cyber Risk insurance

§ Opinions on Product Features – 27 charts

Opinions about specific product features for both coverage and services

Satisfaction with premium cost

Willingness to pay more premium for key product features

Satisfaction with limits and deductible options

The value of underwriter and broker knowledge

§ Opinions about Cyber Risk Insurers, Brokers, and Service Providers – 7 charts

Which insurers and brokers are insureds and prospective insureds familiar with?

Satisfaction with current insurer?  Broker?

Which service providers are insureds and prospective insureds familiar with?

Number of respondents that have had a claim?  How satisfied are they with claims handling?

Cyber Risk Middle Market Study – Perceptions of Insurance Companies, Brokers, and Risk Management Service Providers

We wanted to know more about how senior executives in middle-market companies in the U.S. felt about the cyber and privacy-related products.  In particular, we were interested in their experiences with the performance and services of the insurance companies, brokers, and service providers they had contact with.

We asked about:

  • Awareness of various insurance companies, brokers, and service providers
  • Satisfaction with those organizations
  • Claims experiences and satisfaction

Insurance companies in the Cyber Risk and Privacy area are not widely known; respondents listed a limited number of carriers compared with the many that are in this space.  Understandably, middle market executives that are responsible for insurance on a part-time basis (none reported that they employed a Risk Manager) are not astute about who is in the market.

Current insureds knew of more carriers than the prospective insureds.  This is perhaps because they had been introduced to some of the companies through the application and proposal process.

Most of the insured companies were satisfied or very satisfied with their carrier.  This speaks well of the cyber risk product design and especially of the performance of the service providers, which are likely to have more contact with the insured than any party except the broker.

There were no brokers dominant in their cyber risk presence; respondents were likely to stay with their current broker when considering the purchase of cyber coverage.  Middle markets also expected to remain with their current broker when renewing their coverage.

Service providers can be an important component in a cyber risk policy, both in the risk avoidance and mitigation value they bring and in their potential to sway a prospective insured to buy a policy (or particular policy) because of the service provider involved.

Existing insureds knew of a number of different providers, but there was no dominant name.  Many did not know a single provider’s name.

Prospective insureds were even less likely to know of specific providers.  This indicates to us that there is much to be done about educating and influencing insureds and especially prospective insureds about the presence and value brought by the service providers.  Service providers need to greatly elevate their profile amongst cyber risk insurance prospects in the middle market.

Finally, we asked about claims experience of the companies.  Not surprisingly, quite a few had experienced a claim.  Of those willing to speak about their claims experience, all were either very or somewhat satisfied.  This is probably higher than in most lines of insurance, and speaks well toward the expectations they have of the coverage and of the performance of the claims personnel of the insurance company.  We need to be cautious, though, as this very small group of insureds may not be representative.
