As recently as two years ago, only half of the top 10 carriers writing cyber insurance had purchased cyber coverage themselves, a broker specialist said recently.

During an interview at the Standard & Poor’s 2015 Insurance Conference, Kevin Kalinich, the global practice leader for cyber insurance at Aon, told Carrier Management that these days the number buying cyber insurance for their own companies is up to seven of the top 10 carriers, and that two more are in the process of purchasing insurance. (Kalinich defined the top carriers as the 10 that write the most premium volume in the cyber insurance market, noting that Aon is the broker for a number of the top carriers.)

“Now it’s over a majority, but it’s still not unanimous that they all buy cyber insurance, the same product they’re selling,” he said.

On the sales side, Kalinich also reported that 67 different insurance companies write some form of standalone cyber insurance today. Among market participants, “the appetite has changed but not necessarily expanded,” he said when asked if a soft market for commercial insurance generally has broadened carrier appetites or prompted price declines.

“After the large data breaches, what has happened is that many of the insurance companies that jumped in with both feet suffered their first cyber losses and are reevaluating their commitment to cyber insurance. They have either contracted, reducing the limits that they’ll offer from a particular risk—from $20 million to $10 million or from $10 million to $5 million. Or they have moved from the large risks of retail, hospitality, financial institutions and health care into more middle-market risks that they view as [having] a smaller probability of a catastrophic loss.”

In terms of pricing, Kalinich separates the larger, higher-risk classes from the lower-risk, middle-market categories, noting that “there’s actually quite a bit of competition” in the middle market right now. “Insurance carriers realize that they can make money as long as they have a diversified portfolio of risk and that the insured meets minimum standards.”

In the larger, high-risk categories, some carriers have pulled out from being primary, resulting in less competition.

Kalinich reports that there is a greater focus on retention than on pricing among carriers, with retentions that were once $1 million rising to $5 million or $10 million. “Some of the exclusions have expanded and restrictions [have increased]. Unencrypted laptops—we’re not going to cover that,” carriers say. Or “we might cover business interruption for an entity, but we’re not going to cover business interruption if it’s a third party that is disrupted and now it affects your business interruption. Those are the types of coverage issues that are being introduced into the larger risks,” he said.

How Do Carriers Price Cyber Insurance?

Standard & Poor’s released a report at the conference applauding insurers for their restraint in offering cyber coverage—a positive from a credit ratings perspective. “Even insurers with a larger market share are guarded enough to use low limits and a whole slew of exclusions (such as excluding damages resulting from data handled by an external contractor), which we believe is sensible. The need for risk-averse underwriting is heightened considering the lack of actuarial data, potential systemic consequences, loss creep and clash risk,” rating agency analysts wrote in a report titled “Look Before They Leap: U.S. Insurers Dip Their Toes Into the Cyber Risk Pool.”

Still, the report also highlights the fact that providing cyber risk coverage presents “a huge area of opportunity” for insurers, with a $10 billion potential market size seen as a real possibility within the next five to 10 years. It also notes the challenges inherent in pricing a coverage for which reliable actuarial data is not yet available and probabilistic models are suspect (mainly because of “the unpredictable behaviors associated with cyber attacks”).

So how are insurers pricing the coverage today?

Kalinich said insurers rely on a combination of methods. “Initially, they were using a number of personal identifiable information records and then multiplying it by a number—somewhere between $175 and $225 per record.” But insurers ultimately realized that “there was differentiation depending on the type of information.” In other words, “Social Security number and patient information in health care is worth more than credit card information from a retailer.”

In addition, “as you increase the number of records, the cost per record goes down dramatically to be below $5 per record.”

He said that in addition to getting better at bifurcating the risks related to PII, insurers are getting better at differentiating risks beyond PII exposures. “An entity that is dependent on manufacturing, on transportation, on logistics, they’re looking at those types of risks now compared to what losses they’ve seen, doing modeling based on what they want to get for their return on the capital and adjusting as they get more claims and adjusting as they see more entities.”

“The second thing they’re doing different is partnering with modeling companies and rating companies—not rating agencies like the S&P but the equivalent of S&P for cyber risks.”

“In the cyber assessment arena, they have these entities now that can assess their cyber exposures and give them ratings in various categories to determine both the frequency and severity of a potential loss. The insurance companies reward those companies that embrace those assessments and make changes and mitigate, remediate vulnerabilities,” Kalinich said.

“Four or five years ago, the insured may have paid for an IT security assessment. Now, the insurance companies are not only including some of those as part of their service offering in addition to the insurance, but they’re actually demanding that you take on this particular type of antivirus software or this type of intrusion detection or the equivalent. They still let you do the equivalent.”

“It’s actually a tremendous benefit, more so for the small and middle-market companies that might not have that expertise,” he said, distinguishing them from larger insureds who want to have direct relationships with the third-party vendor partners instead of having those controlled by the insurance company.

Asked whether pricing differentials between carriers are decreasing as the use of these assessments becomes more widespread, Kalinich reported that this is not the case. “You would think that they would converge and come closer together based on their assessments. We have seen tremendous divergence in pricing and retention,” he said, going on to give a range of quotes Aon received for a pharmaceutical company that recently went to market. “Even though Aon dictated 24 essential coverage elements that had to be in the quote, the pricing differential was 300 percent on the primary insurance quotes for the same coverage,” he said, stressing that Aon did not ask insurers to deliver their best terms but instead spelled out the coverage elements required.

More typically, there are coverage variations among carriers. “Cyber insurance is not a homogeneous product,” S&P analysts said in their report—a situation that is not bothersome to Kalinich.

“I think it’s okay to have the nuances in the policies to differentiate the coverages,” he said, when asked if a more standardized offering might benefit insurers. “But where I think there needs to be more commonality is all the carriers looking at some of the same type of factors that go into the risk,” he added, reasoning that “if they start taking into account the important factors on a more macro level, then that will improve the risk management in totality.”

“So you can’t have an organization use adverse selection to go to a carrier that doesn’t understand the [right] questions [to ask]. It actually would improve the whole risk management if they have a baseline of the factors that they consider,” he said.
