Cyber Insurance: A Guide for Retailers

Timothy Reilly, RPS Insurance

A Pervasive Threat

With cyber breaches more prevalent than ever, whether it’s Sony, Yahoo, a community college, or your local bakery, it is abundantly clear that cyber threats affect us all.

In the ever-evolving world of digitalization and the expanding reach of the internet, the risk of a cyber breach is higher than ever. According to Symantec, there are 25 connected devices per 100 people in the United States. In 2016, there were over 6.4 billion connected devices, and by 2020 this number is expected to rise to 20.8 billion.

As I sat at home considering the risks our clients face on a daily basis, I looked around my apartment and within seconds identified four separate devices that would be considered exposures: my laptop, my smart TV, my Google Home, and my iPhone. Comparing my personal exposures with the number of exposures and entry points our clients face on a daily basis is alarming. For example, in the healthcare industry, hackers may have the ability to tap into a wide variety of medical devices. According to Homeland Security “approximately 300,000 Americans receive implantable medical devices each year such as cardiac pacemakers, defibrillators, cochlear implants, neuro-stimulators and insulin pumps,” and all of these devices are vulnerable to a hack.

Moreover, according to PricewaterhouseCoopers (PwC), 79% of banking CEOs, 71% of insurance CEOs, and 61% of business leaders across other industries see cyber attacks as the number one threat to growth, ranking higher than common threats like shifts in consumer behavior, the speed of technological change, and supply chain disruption.

State of the Market

Nothing is predictable. The Cyber insurance market is experiencing double-digit growth year over year, with about $3.25 billion in gross written premium in 2016, a number that PwC projects could reach $7.5 billion by 2020. That said, it is a constantly moving target. Cyber insurance has been around for less than 20 years, which by insurance standards makes it relatively new. Therefore, the process is far from standardized. Insurance carriers are trying to become as innovative as possible to keep up with the evolving cyber world, which is why it’s important to work with an educated broker and underwriter to make sure the coverage you are providing meets your clients’ needs.

The most important thing underwriters are looking for are the type of loss control mechanisms your client has in place. Bob Barker, Chief Strategy Officer at Cybernance Corporation, categorizes underwriting cyber risks using 3 Ps: Perimeters, People, and Partners. When referencing Perimeter controls, underwriters are essentially looking at the type of technology the client uses to protect a network itself. While this is an important aspect of underwriting the risk, implementing controls for the People and Partners presents a much more challenging task.

“In the majority of the cyber breaches, the employee or Partner in the employee supply chain has been the root cause of the breach,” says Barker.

This is the moving target I alluded to earlier. Every company and organization is different in terms of internal loss controls, making Cyber a hard coverage to standardize. As new loss controls and Perimeter controls are implemented, new breach tactics are devised, making it hard for risk managers to keep up. The Norse attack map is an invaluable resource, showing the number of attempted attacks going out daily to networks around the world. This is a great reference tool to show potential clients when explaining why Cyber coverage is essential.

What All This Means

Everyone is at risk. According to Symantec, consumers account for 57% of ransomware attacks and businesses come in around 43%. The services sector is the most targeted area for breaches followed by manufacturing, finance, insurance, real estate and public administration.

When selecting Cyber coverage for your client, there are a number of important things to consider:

• How much coverage your client needs (using a tool like a data breach calculator is a great way to determine the appropriate level of coverage)
• How the coverage applies to both first and third-parties
• Does the policy cover social engineering as well as attacks on the network?
• Does the policy cover non-malicious actions taken by an employee?
• Does the policy have retroactive coverage for prior reaches that may be unknown at the time?

The type of breach response vendors and legal counsel available These are just some of the considerations when choosing the appropriate policy for your client.

The Cyber market looks like it will be on a steady rise for the foreseeable future, and my best piece of advice is to continue to educate yourself on emerging developments for this line. Advisen’s 2016 Survey of Cyber Insurance Market Trends found that 70% of producers and underwriters stated that their biggest obstacle with Cyber insurance stems from a lack of fully understanding exposures, followed by a lack of understanding the coverages. Hence, it is critical to work with a knowledgeable broker and underwriter when placing Cyber coverage for your clients.

Download the Report