Cyber Liability Insurance. It is concerning how many businesses do not currently carry this coverage. This type of insurance has been in existence since the 1990s. Unlike auto insurance or property insurance, there was not a common policy type/form that served as an industry standard.
Back in the 1990s, the first cyber/internet policies became available to business owners. Many carriers try to take credit for writing the first cyber policy, although it is unknown which carrier actually wrote the first cyber/internet policy. Most of the first stand-alone cyber policies only covered liability from a third-party hack. In fact, most policies written today contain coverages for things that did not exist in the 1990s. For example, coverage for cryptojacking can be sought through a Cyber Liability policy. Cryptocurrencies did not exist until 2010, which marks the year that Bitcoin was first able to be sold and traded on online exchanges. As technology continues to advance, new exposures will continue to pop up, creating a need for new coverages under Cyber Liability policies.
Fast forward to the early 2000s. Cyber Liability policies began including coverage for incidents that occur on site. These policies contained exclusions for rogue employees, fines/penalties, and any cost associated with regulation. Unfortunately, there was no first-party coverage available yet. First-party coverage provides coverage for the business itself. It started to be added to policies shortly thereafter, and included coverage for business interruption, cyber extortion or ransomware, and network asset damage.
In 2003, California passed the California Security Breach Information Act. In short, this act created a safeguard for citizens in the state of California. It required any business that was involved in some sort of data breach to notify the affected customers/parties if it is reasonable to believe the personal information was accessed by an unauthorized person. This could be a Social Security number (SSN), driver’s license number, debit/credit card information, etc. As a result of this legislation, other states started to follow suit, enacting their own regulations regarding breaches and cyber liability.
It was at this time that Cyber Liability insurance carriers started to expand coverage to encompass items like credit monitoring costs, services such as credit rating repair, customer notification, public relations help, and IT forensics.
In 2009, the Massachusetts Office of Consumer Affairs and Business Regulation passed regulation 201 CMR 17.00: Standards for the protection of personal information of residents of the Commonwealth. This regulation contains the requirements that a business must abide by in the event of a breach.
Entering the next decade, the number of carriers offering stand-alone cyber products grew to 60+ carriers. The product continued to evolve, and carriers started to create/change appetites in response to breaches that occurred across the country. Two years stand out historically during this decade. First, you have 2014 – Year of the Retail Breach. Retail data breaches dominated news articles as companies like Target, Neiman Marcus, and Macy’s all experienced breaches that involved millions of people’s credit card information being stolen. Second, you have 2015 – Year of the Healthcare Breach, where over 112 million records were compromised just from breaches that occurred at healthcare organizations.
Due to an overwhelming amount of uncertainty, pricing for cyber liability insurance around this time was very volatile. Coverage terms still differed greatly when comparing different products. This time is also when policies began moving towards providing more Risk Management Services with the policy, as it became an easy way to mitigate losses.
It became increasingly obvious that there were many variables when it came to quoting and writing Cyber Liability Insurance. Small businesses and large businesses have two completely different sets of needs. It was difficult for carriers to create a product that fit perfectly for all business types. A chiropractor with one office employee is a much different risk than, say, an online retailer with thousands of vendors and millions of customers who are entering personal information over the internet. Companies didn’t want the policy they created to have coverage that was too broad, but they also feared that they would give businesses a policy with coverage that was too narrow.
Moving forward to 2017-2020, the Cyber Liability Insurance market began to see significant growth in both the product and the number of policies being issued. Larger businesses were finally able to expand coverage enough to obtain limits appropriate for their business. Smaller businesses were able to buy a Cyber Liability Insurance product with limits that were appropriate to the size of their business. For example, that same chiropractor may not require $5,000,000 in coverage, as a loss of that size is very unlikely due to the number of records kept on file. Who is to say that a healthcare facility with hundreds of employees and tens of thousands of patients could not suffer a loss north of $5,000,000?
Along with more variability between products came new markets that were eager to take on risks within the Cyber Liability space. Several insurtechs began to launch and offer products to businesses.
2021-Present: insurance markets of all kinds begin to harden. Reinsurance rates are skyrocketing, carriers are focusing on mandatory controls, while new services, automations, and security scans are prevalent in rating and writing Cyber Liability Insurance.
Takeaways: clients need to find someone with real expertise and good relationships with various cyber liability insurance markets. The devil is in the details. The forms, coverages, and exposures are extremely important. Make sure you talk to an agent who understands all of them and can explain to you where you may have gaps in coverage.