The top 8 coverages businesses look for in cyber policies by Caitlin Bronson

13/07/2015 11:52

More than half of corporate risk managers in the United States are now purchasing stand-alone cyber insurance policies, according to a recent survey of RIMS members.

A reported 51% of respondents, representing organizations with more than $1 billion in revenue and a variety of industries, are currently covered by cyber insurance. Of those without coverage, 74% say they are considering obtaining a policy in the next one to two years.

The survey also reveals the forms of coverage businesses are buying – a useful insight for independent agents and brokers looking to increase their cyber sales.

According to the responses, the following eight cyber insurance coverages are most often purchased in cyber policies:

  • Breach notification costs – 91%
  • Cyber extortion – 80%
  • Network/business interruption – 80%
  • Data recovery – 75%
  • Fines and penalties – 75%
  • Reputational harm – 44%
  • Professional liability – 43%
  • Theft of trade secrets – 29%

Other respondents said they had some form of cyber liability coverage included in errors and omissions, commercial general liability, property damage, and directors and officers insurance policies.

While the increase in coverage is a good sign for corporate risk management, there are still a few concerns. Nearly 60% of firms with cyber insurance policies carry less than $20 million in cyber coverage – and while that will be enough to cover most breaches, there’s still a 5% chance a cyber attack could cost the company more than $20 million. This is especially true for larger companies with more recognizable brands.

One significant reason risk managers are not purchasing more coverage is because standard markets aren’t offering it, says Kevin Kalinich, leader of the global cyber risk practice for Aon Risk Solutions.

“We are working with alternative markets because the traditional cyberinsurance markets run out of capacity between $200 million and $300 million,” Kalinich said.

The limits of the admitted market’s capacity has been well canvassed by industry leaders. Earlier this year, AIG CEO Peter Hancock made headlines by suggesting the amount of cyber liability coverage offered by carriers will only cover a fraction of the damages that occur during and after a data breach.

“The largest coverage I’m aware of is for a bank that has about $400 million in coverage which is very small when you think about it,” said Hancock. “When you compare it to the amount of capacity that’s available for a complex chemical plant, refinery, offshore oil platform, the numbers are much, much higher.”

Hancock and others are hopeful, however, that as awareness of cyber risk increases, underwriters will start offering higher policy limits.

“The willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures,” Hancock said.

The RIMS survey included responses from 248 members of the association.