The target market for cyber liability insurance is expanding beyond the largest financial, healthcare and retail companies to local contractors that work with those big names and may represent an outsized level of risk.

Indemnification for cyber breaches is becoming part of the requirement for doing business with larger companies, said Ari Vared, vice president at broker CyberPolicy.com. More of those larger companies are requiring their third-party contractors to buy policies as part of their own cyber liability protection, Vared said in an interview.

"Anytime they have a third party that is connecting into their system, there's this massive element of risk that they have no ability to control through their own cybersecurity measures," he said.

Previously, bigger companies could not practically require vendors and contractors to buy cyber insurance because the earliest iterations of coverage did not suit small companies, Vared said. "You're not going to ask some small business for a 15-page audit of their cybersecurity" practices, the executive said.

CoverHound Inc. founded CyberPolicy in 2016 as part of an effort to diversify its offering with a broker aimed at helping small businesses navigate cybersecurity and insurance. CyberPolicy, which acts as a managing general agent, sells policies by BCS Financial Group, Beazley Insurance Co. Inc., Chubb Ltd. and other companies that were among the largest writers of cyber insurance in 2018 by direct premiums written.

Axa was the largest writer of such stand-alone policies for the year, while Chubb was the biggest writer of packaged cyber policies, according to S&P Global Market Intelligence data.

No one immune to cyber threat

Vared's company has found the strongest demand among healthcare and financial services companies that have large repositories of information, as well as technology companies. The fourth bucket of business CyberPolicy serves are third-party contractors. Heating and cooling companies that install commercial air conditioning units are part of the new customer base for cyber policies, Vared said. The 2013 breach of Target Corp., in which millions of customers' credit card information was stolen, originated from the theft of login credentials from the retailer's HVAC contractor.

"We are reliant on everyone else. There's no one type of business that's immune," Vared said.

Real estate and related companies on home-purchase transaction chains have become targets of social engineering attacks, in which a hacker tries to fool people into directing payments to the wrong bank accounts, Vared said. Tricking people into routing money to hackers' accounts has become the most common type of breach, he said.

Allied World Assurance Co. Ltd., a subsidiary of Fairfax Financial Holdings Ltd., has seen an uptick in nation-state attacks on companies, said James Reed, assistant vice president of the company's cyber and errors-and-omissions division for the West region.

"In the past, the general feeling was that the government would take care of these issues," Reed said during an April 23 webinar on cyber catastrophes. Organizations need to be diligent in protecting valuable information and having plans to remain in operation after a breach, he said.

Premiums up double digits

Insurance underwriters continue to grow their books of cyber liability coverage even as they face the challenge of a dearth of loss data that they need to price risk. Across the industry, direct premiums written for stand-alone policies grew by 11.6% in 2018. Complicating the issue of gathering loss data is the fact that companies are still reluctant to disclose breaches publicly and tend to do so without the detail needed for actuarial models, said Joshua Pyle, actuarial director for Cybercube Analytics Inc.

"We have these problems even with attacks that have been reported," Pyle said during the webinar.

Fairfax Financial grew its book of cybersecurity insurance by more than 23% in 2018 and was one of five companies on the list of the largest stand-alone cyber insurance writers to post double-digit or better percentage increases in direct premium written. Tokio Marine more than doubled its premium for stand-alone cyber coverage to $34.9 million.

Beazley PLC announced in February that it would be separating its cyber business from specialty lines to a cyber and executive risk unit. Part of the reason for the reorganization is that the insurer's breach and hacking coverage was getting so large, Adrian Cox, the company's chief underwriting officer, said during a February earnings call. Boards tend to oversee directors and officers risk, and they often purchase that insurance in packages with cyber, Cox said, according to a transcript of his remarks.

Demand for cyber grew internationally at a faster clip than in the U.S., though that may be the result of the international base being much smaller. Cyber liability will grow in a similar manner to D&O, which grew internationally after taking off in the U.S., Cox said.

"Ultimately, the international D&O market is bigger than the U.S. market, and fundamentally, that's what we expect to happen to cyber in the fullness of time," Cox said.

Click here for a downloadable template showing cybersecurity and identity theft market share for P&C groups and individual companies, based on the supplemental data contained in statutory filings.