1st Team Insurance Agency in Baton Rouge owner Harold Williams says he’s getting more inquiries from local companies about cyber liability insurance as an increasing number of U.S. businesses are falling victim to cyberattacks. Photography by Collin Richie
Any business that stores data electronically could become the victim of a cyberattack. In fact, it’s possible that your business has already been attacked and you don’t even know it.
Louisiana Commissioner of Insurance Jim Donelon says there are three kinds of businesses: Those that have experienced a data breach and know about it, those that have been breached but don’t realize it, and those that haven’t been breached yet but will.
Donelon has been urging business owners, first and foremost, to do everything they can to protect themselves from cyberattacks. But he also stresses that preventive security doesn’t eliminate 100% of the risk, so businesses should consider buying insurance that would mitigate the damage for themselves and their customers. Thanks to breaches at high-profile companies like Target and the health insurer Anthem, that message is starting to sink in, Donelon says.
Cyber liability insurance is perhaps the fastest-growing type of insurance in America today. International consulting firm PricewaterhouseCoopers estimates that annual gross written premiums will increase from about $2.5 billion in 2015 to about $7.5 billion by the end of the decade. The economic opportunity in this space for insurance companies, agents and brokers appears to be tremendous.
But many insurers are wary, PwC says. There isn’t much publicly available data on the scale and financial impact of cyberattacks, the nature of the threat is constantly changing and breaches can remain undetected for months or even years. Determining how much exposure a client has and how to price that risk can be a challenge.
“Agents have had to get up to speed. I think they’re getting there.” —Jeff Albright, CEO, Independent Insurance Agents & Brokers of Louisiana
Harold Williams, owner of 1st Team Insurance Agency in Baton Rouge, says he’s been selling cyber liability insurance for several years, so it’s not a new concept for him. He says he has been getting more inquiries about it recently. Business owners should keep in mind not only the monetary value of their information, but also the public relations hit they would take in the event of a data breach, Williams says.
“If you have customers’ personal information, you will want that protected,” he says. “Nobody will want to do business with you if they think their personal information is not protected.”
Coverage from cyberattacks normally isn’t included in a general liability or property policy. Even “business owner package” policies usually don’t have meaningful cyber liability coverage because the risk varies so much from business to business, says Jeff Albright, CEO of the Independent Insurance Agents & Brokers of Louisiana.
A company with 3,000 customer accounts and 3,000 sets of credit card information has a very different level of exposure than one with 10,000, or a Target or Walmart that has millions, Albright explains. So if you have a claim, what might that policy actually pay for?
“What they typically do is they figure, ‘In the event of a data breach, what are the things that we’re going to need to do?’” he says. “Most data breach policies spell this out, and you can buy different categories of coverage.”
Business owners might need to hire forensic accountants to determine the nature of the breach. How much information was exposed? What is the risk of that information being used to the detriment of the policyholder and its customers?
They’ll also want to think about what they would have to do to notify customers. The business might want to provide a year of credit monitoring to customers whose information was compromised.
But while cyber coverage has gained a higher profile, some agents and brokers still don’t know much about it. A man who answered the phone at one Baton Rouge insurance agency said he had never heard of such a thing, even though it was mentioned on his company’s website. But during the past year or two, agents have worked to educate themselves on the risks associated with cyber attacks and the coverage that’s available, so they can in turn educate their customers, Albright says.
“Agents have had to get up to speed,” he says. “I think they’re getting there.”
For those who are not quite there yet, many resources are available, Albright says. He says his association has done a number of seminars and webinars about cyber insurance for its members.
Donelon says cyber liability is considered part of the “surplus market.” As such, insurers don’t have to file rates or forms with his department for approval, and they can craft those policies as they see fit. Along with figuring out their own risk, he says business owners should look into the strength of the company offering the coverage.
He notes the National Association of Insurance Commissioners has created a cyber liability task force and in December it outlined a “Cybersecurity Bill of Rights” for consumers. NAIC hopes to draft public policy recommendations to govern this area of insurance by the end of the year, Donelon says.
At both the national and state levels, Donelon says, regulators’ primary concern is making sure companies offering cyber liability products are solvent and can deliver what they have promised.