Cyber liability insurance premiums increased by double digits in 2019, but the business may not be growing as fast as it could because it still has the profile of a niche product that customers, and even some agents, do not understand well.
Premiums for stand-alone cyber policies rose 13.5% industrywide last year, according to S&P Global Market Intelligence data. Experts and a recent survey suggest that the relatively young sector is balancing steadily growing commercial appetite for coverage against technical challenges that can make it difficult for customers to understand and for agents to sell.
A Deloitte survey of middle-market businesses that recently turned down cyber coverage found that a third of respondents recently had cyber policies. Those results indicate a sizable portion of businesses that does not think the policies are worth the price. Dissatisfaction among former buyers risks spreading a negative reputation for the sector, according to Sam Friedman, a Deloitte senior manager and insurance leader.
Insurers and regulators have made it a point to move cyber liability into standalone policies to clarify coverage and eliminate so-called "silent cyber" claims arising from standard commercial policies that do not contemplate those specific risks one way or another. Even so, one of the top reasons given among nonbuyers for declining standalone cyber coverage is that cyber risk is covered as part of larger policies.
"Insurers and their intermediaries, therefore, face a major educational challenge to convince policyholders they need standalone coverage," Julie Bernard, a Deloitte principal and insurance sector leader, wrote in a report.
Most buyers of standalone cyber coverage in the Deloitte survey were happy with the price and limits of their coverage. But it also found that expansion in the sector is relatively modest and slowing despite the higher cyber indemnification demands being placed on small and middle-market companies and the rising costs of ransomware attacks.
One way to address potential growth troubles would be to differentiate cyber coverage according to industry because threats to intellectual property and customer data vary so widely, Bernard said in an interview.
"Maybe those things should be priced differently because the response and the impact of those things are different," she said.
To grow premiums in the sector, carriers should not only emphasize pricing and limits, but also stress the added value of comprehensive cybersecurity service, Bernard wrote.
The industry should be less transactional in selling cyber insurance as commoditized coverage, Friedman said in an interview.
"You may need to widen the lens a bit and expand this into a broader sell rather than just another policy being sold on a price basis," he said.
Cyber insurance is not standardized like other commercial policies, and feedback from previous Deloitte studies showed agents have a hard time coming up with apples-to-apples comparisons, Friedman said during a webinar presentation.
Agents who have seen their cyber liability sales climb emphasize the need for education and for differentiating expertise in sales or consultation that smooth over the complexities.
Brian Thornton, president of cyber-specialist agency ProWriters, said he has seen steady growth in demand for cyber coverage. It is not necessarily an easy sell for standard agencies though. Pricing and terms change regularly, making it hard even for those familiar with the market to keep up with trends, Thornton said in an interview.
Echoing the Deloitte study, Thornton said agent education is a "massive part" of cyber sales. Deloitte found that, among survey respondents who declined cyber coverage, more than one-fifth said their broker actually advised them against buying a policy.
Several factors could discourage brokers for small and mid-sized businesses from trying to sell cyber liability insurance, Thornton said. To place cyber coverage, agents who usually sell large, standardized policies have to pivot to a more narrow and complicated product, he said. Those who are not technologically astute might not be comfortable offering a product they do not understand, Thornton said.
Willis Towers Watson PLC has also seen robust growth in cyber insurance demand and kept retention rates strong, said David Hau, head of middle market cyber broking. More companies in the sector are buying standalone polices, and existing customers have been asking for higher limits, Hau said in an interview.
Business interruption from cyber breaches and ransomware have grown in profile in recent years, and clients in his part of the market see the value in outside expertise available with standalone cyber coverage, Hau said.
"One of the ways to address that is having an insurance policy in place that responds not only from an indemnification standpoint, but also from the breach response standpoint," Hau said. Middle-market and small businesses tend to not have the technical capability to respond to hacks, he said.
Willis' cyber business emphasizes data and analytics with insurance and cybersecurity as part of overall cyber risk management that often includes third-party security assessments, he said.
"Understanding what you can do to improve vulnerabilities prior to having discussions with underwriters has certainly been a value add," Hau said.