Major retailers should expect higher rates and retentions and lower coverage limits for their cyber insurance following several major data breaches since spring 2013, but much depends on persuading underwriters about the effectiveness of retailers' cyber defenses.
At the same time, data breaches affecting The Home Depot Inc. and Target Corp. have increased demand for the coverage, while many retailers are seeking increased coverage limits with mixed success, experts say.
“The capacity has certainly shrunk, and the marketplace is significantly tightening,” said L. Spencer Timmel, network security and privacy liability product leader at brokerage Hylant Group Inc. in Cincinnati. Should there be a significant increase in data breaches, that “will dramatically hurt the market,” he said.
In response, underwriters are asking more in-depth questions before agreeing to bind policies, which generally exclude retroactive coverage. While some insurers have stopped writing the coverage for big retailers, major cyber insurers generally remain in the business, experts say.
Home Depot had $105 million of cyber insurance, when it confirmed on Sept. 8 that cyber thieves hacked its payment cards systems pilfering 56 million credit card numbers. Target said in August it maxed out $90 million of cyber coverage to pay expenses related to its breach of 40 million credit card numbers last December.
Others have stepped in to replace the few insurers that have tightened their cyber coverage for retailers, said Robert Parisi, managing director and national cyber risk practice leader at Marsh L.L.C. in New York.
While insurer scrutiny has increased, “we can place coverage for pretty much anyone out there that's looking for it,” he said.
Insurers “have decided it is going to be their pricing or they're not going to do it, so it's getting very hard, and I would anticipate a real problem of getting the capacity” retailers previously could get, said Peter Taffae, managing director of Los Angeles-based Executive Perils Insurance Services.
“There is hesitancy” to provide coverage to retailers with a large “physical footprint,” said John O'Donnell, New York-based senior broker at FINEX North America, a unit of Willis North America Inc.
“Even primary markets that have large capacity are decreasing their capacity” or are not renewing large accounts, said Kevin Kalinich, Chicago-based global practice leader of cyber risk insurance at Aon Risk Solutions. He said capacity, which was $150 million to $200 million in 2012, increased in 2013 to $300 million before the Target and Home Depot data breaches. Now, capacity is more in the range of $200 million to $250 million, he said.
“You can get beyond $100 million in capacity. I just believe the cost of that capacity on an excess basis, particularly, is not going to be as inexpensive as it used to be now because you're looking at catastrophic losses,” said Adam Cottini, area senior vice president at Arthur J. Gallagher & Co. in New York.
Early this year, cyber rates for major retailers were increasing 10% to 15%, fell to zero to 5% through the second quarter, but jumped 10% to 20% after the Home Depot breach was announced. Although rates can be negotiated closer to a zero to 5% increase, Mr. O'Donnell said, the price per million in coverage is higher for smaller towers than it is for large ones.
However, “for a risk that is just absolutely pristine, the carriers will compete aggressively” Mr. Parisi said.
Experts say retailers with a self-insured retention of $500,000 to $1 million a year ago may now face retentions of $5 million or more.
Sublimits may be a factor. If a policyholder has a $1 million retention, then an insurer may provide a sublimit of $1 million for event management issues, such as forensic investigations. But if a buyer moves to a $5 million to $10 million retention, it can negotiate full limits for event management, Mr. Kalinich said.
Meanwhile, demand for the coverage has increased.
Retailers that had $3 million in cyber coverage are seeking to increase it to $5 million or $10 million, and those with $5 million are seeking to increase it to $10 million, said Nicholas Economidis, Philadelphia-based underwriter of professional liability and specialty lines at Beazley P.L.C.
“We're getting a lot of requests to increase policy limits,” he said.
Those who already have the coverage and are seeking higher limits may encounter difficulties in obtaining additional excess coverage with the same price structure, Mr. O'Donnell said.
Kevin Baughn, cyber/privacy risk senior underwriting manager at San Francisco-based Safehold Special Risks Inc., a unit of Wells Fargo Insurance Services USA Inc., said officials at one drugstore chain told him that, in hindsight, they regret not patenting their effective system for protecting against breaches.
Other firms are “very standoffish” and seek higher limits without committing to improving their data security, he said.
Meanwhile, the demand for cyber insurance coverage “is going to continue to be pretty high until the retailers can at least come up with solutions for the way credit card transactions are being processed in the United States,” Mr. Cottini said.