Five years ago, not many U.S. companies were buying cyber insurance. Part of the problem was they had a hard time quantifying how large a risk they faced. And the cost-benefit associated with transferring the exposure to insurers wasn’t clear.
Apparently, though, many have finally decided it might be worth the expense — at least judging by numbers released by Marsh on Thursday.
The number of all Marsh U.S. clients buying cyber insurance doubled to 38% in 2018 from 19% in 2014, according to the firm’s Cyber Insurance Trends report.
Marsh’s customers are also purchasing policies with higher limits — average limits purchased by its U.S. clients rose 11% in 2018, to $20.9 million. Among companies with more than $1 billion in revenue, the average limit increased by more than 25%, to $62.4 million.
Why are more organizations buying coverage? For one, Marsh says, insurers are more carefully circumscribing property, casualty, and cyber insurance policies. “Property insurers, for example, are generally no longer willing to provide coverage for business interruptions caused by network intrusions,” according to the Marsh report. “Those losses are increasingly expected to be covered under cyber policies.”
Second, according to Marsh, industries like manufacturing and logistics are finally getting onboard, in the wake of the severe economic and operational disruptions caused by the 2017 WannaCry and NotPetya malware attacks. Those threats, coupled with high-profile ransomware incidents “have made clear that cyber threats have evolved … to now include business and supply chain disruption,” Marsh said.
However, the fastest-growing segment of cyber insurance clients has been those industries most at risk of data breaches and thefts. Purchases grew the most among hospitality and gaming (67%) and education (34%) organizations in 2018.
“Recent events have demonstrated that the significant amount of [personally identifiable information] held by these companies makes them attractive targets for cyber-attackers, and thus vulnerable to significant losses and liability costs,” according to Marsh.
A Buyer’s Market?
Cyber policies definitely represent an increased cost of doing business for companies. The good news is that pricing is staying close to flat.
“Pricing … remains competitive thanks to a commensurate increase in supply,” according to Marsh. In the fourth quarter of 2018, average pricing for cyber insurance coverage actually fell by 0.6%, the insurer said.
While the cyber insurance purchasing trends suggest organizations are finally recognizing the need to view cyber as a critical enterprise risk and to understand the scope and value of their cyber-risk exposures, there is still plenty of uncertainty in cyber coverage.
For example, Mondelez, the maker of Oreo cookies, announced in January that it was suing its insurance company, Zurich, for $100 million in damages suffered during the NotPetya cyberattack. The United States and the United Kingdom attributed the attack to Russia. Zurich, therefore, has said that the NotPetya claim by Mondelez falls under a policy exclusion for “hostile or warlike action in time of peace or war.”
Buyers and carriers also face the “continuous evolution of risks that undermine exposures’ predictability,” according to a 2018 Deloitte report. Cyber underwriting can also be challenging because organizations aren’t required to disclose all hacks and breaches.