
June 2017

CYBER/PRIVACY INSURANCE MARKET SURVEY—2017

Rates Are Surprisingly Soft

Richard S. Betterley, LIA

President

Betterley Risk Consultants, Inc.

Highlights of this Issue

■ Expanded Customer Coverage for Deceptive Funds Transfer (Social Engineering)—Coverage for Third Parties

■ Three New Insurers Added: HDI Specialty, Sovereign General, and Tokio Marine HCC

■ Insurers Removed from Survey: AXIS and RSUI

■ Chubb and ACE Combined under Chubb Name

■ Is Cyber a $4 Billion Market Already?

Next Issue

August

Private Company Management Liability Insurance Market Survey


The Betterley Report provides insightful insurer analysis on these six markets and coverage lines:

• Cyber/Privacy Insurance Market Survey

• Technology Errors & Omissions

• Employment Practices Liability Insurance

• Side A D&O Liability Insurance

• Private Company Management Liability Insurance

• Intellectual Property and Media Liability Insurance


The Betterley Report

Editor’s Note: In this issue of The Betterley Report, we present our annual review and evaluation of insurance products designed to protect against the unique risks of data security for organizations. Risks could include the breach of security by a hacker intent on stealing valuable data or a simple release of data through the carelessness of an employee or vendor.

We noted several broad trends in the cyber-insurance market and decided to dive deeper into them in this summary and the accompanying tables.

List of Tables

■ Contact and Product Information

■ Product Description

■ Market Information

■ Limits, Deductibles, and Distribution Channel

■ Data Privacy: Types of Coverage and Limits

■ Data Privacy: Regulatory & Statutory Coverage Provided

■ Data Privacy: Payment Card Industry Coverage Provided

■ Data Privacy: Coverage Triggers

■ Data Privacy: Types of Data Covered

■ Data Privacy: Remediation Costs Covered

■ Data Privacy: Remediation Coverage Services

■ Media Liability Extensions

■ Security Assessment Requirements

■ First-Party Coverage

■ State-Sponsored and Terrorism Coverage

■ Theft Coverage

■ Theft (Deceptive Funds Transfer)

■ Bodily Injury and Property Damage Liability Coverage

■ Third-Party Liability Coverage

■ Claims Reporting, ERP, Selection of Counsel, Consent To Settle

■ Prior Acts

■ Territory

■ Exclusions

■ Risk Management Services

In response to new challenges for theft losses resulting from deceptive funds transfer instructions to customers and clients (an increasingly common form of social engineering theft, becoming widely available), we modified our “Theft (first-party) Coverage—Deceptive Funds Transfer or Social Engineering” table. This table now includes information about coverage that insurers may offer for losses suffered by customers. These losses typically occur when an emailed invoice is altered to change payment instructions.

Recall that this report does not focus on coverage for technology providers that support e-commerce, such as Internet service providers, technology consultants, and software developers. That market is reviewed in our February issue, “Technology Errors & Omissions Market Survey.”

One thing we would like to point out is the difficulty in separating technology products from cyber-risk products; for many insurers, the same base product is used, then adapted to fit the technology service provider insured or the cyber-risk insured. Where the insurer has a separate product, we reviewed their cyber-risk product; if it is a common base product, we included information about both.

In looking at our information, if you see that a certain insurer’s policy does not include, for example, errors and omissions (E&O) coverage, keep in mind that this coverage is most important to a service provider and that the same insurer might have a separate product for those insureds. You will probably find that product reviewed in our February issue.


Information in this Report includes information provided by participating insurance companies. Professional counsel should be sought before any action or decision is made in the use of this material. Copyright 2017 Betterley Risk Consultants, Inc. No part of this publication or its contents may be copied, downloaded, stored in a retrieval system, further transmitted, or otherwise used in any form other than with the expressed written permission of Betterley Risk Consultants, Inc.


The types of coverage offered by cyber-risk insurers vary dramatically. Some offer coverage for a wide range of exposures, while others are more limited. For the insured (or its advisers) looking for proper coverage, choosing the right product can be a challenge.

Most insurers offer multiple cyber-risk products, so crafting the coverage for each insured requires the best in risk identification and knowledge of the individual covers. More than most other insurance policies, cyber-risk requires experienced risk professionals to craft the proper coverage. The insurance industry continues to help brokers understand the exposures, coverage, and services of cyber-risk so that they can better serve their clients. The products are complicated, making these educational efforts a worthwhile and necessary investment.

We have tried to present a variety of coverages to illustrate what is available in the market. Thirty-one sources of insurance are included in this survey. These insurers (and, in a few instances, managing general underwriters) represent the core of the cyber-risk insurance market.

As with last year’s survey, we include 31 insurers; Axis and RSUI have been removed, and Ace and Chubb are now combined under the Chubb banner. HDI Specialty, Sovereign General (a Canadian company), and Tokio Marine HCC (Houston Casualty) have been added.

Please remember that, while each insurer was contacted to obtain this information, we have tested their responses against our own experience and knowledge. Where they conflict, we have reviewed the inconsistencies with the insurers. However, the evaluation and conclusions are our own.

Rather than reproduce the insurers’ exact policy wording (which of course can be voluminous), we in some cases have paraphrased their wording in the interest of space and simplicity. Of course, the insurance policies govern the coverage provided, and the insurers are not responsible for our summary of their policies or survey responses.

In the use of this information, the reader should understand that the information applies to the standard products of the insurers and that special arrangements of coverage, cost, and other variables may be available on a negotiated basis.

For updated information on this and other Betterley Report coverage of specialty insurance products, please see our blog, The Betterley Report on Specialty Insurance Products, which can be found at www.betterley.com/blog.

Companies in this Survey

The full report includes a list of 31 markets for this coverage, along with underwriter contact information, and gives you a detailed analysis of distinctive features of each carrier’s offerings. Learn more about The Betterley Report, and subscribe on IRMI.com.


Introduction

As with all of our market surveys, cyber-risk coverage represents a new, recently developed or rapidly evolving form of coverage designed to address the needs of new risks confronting organizations. Cyber-risk coverage epitomizes new insurance products, presenting insurance product managers with challenges as they learn what their insureds need and what the insurers can prudently cover.

It could be argued that cyber-insurance is rapidly maturing, and there is some truth to that. Cyber is not so new, at least in terms of its availability (we started writing about cyber in 2000). But it is “new” in terms of its recognition as a key component of most commercial insurance portfolios and in terms of its evolution of coverage wordings, which continue.

But most importantly, cyber is “new” in terms of the exposures being underwritten. These are evolving so rapidly that insurers are forced to continually look at their underwriting and claims management approaches. To protect themselves (and their insureds) against this rapid evolution, insurers must invest more time and attention—and especially creative attention—than they might for a typical product.

Most insurers were convinced that their best opportunities are to sell cyber-risk coverage to mainstream companies that have significant cyber-risk exposures. Many of those prospective insureds are already the insurer’s customers, looking for coverage not present in traditional policies. The experience of a distressingly large number of organizations—both large and small—in the past few years is perhaps only the tip of the iceberg representing the threat of data and intellectual property theft facing businesses worldwide. Insurance protection to backstop information technology (IT) security safeguards must be carefully considered for businesses and institutions, such as hospitals, educational institutions, and public entities.

As the small and midsized insureds become a more important market opportunity, insurers are learning how to offer products at a lower price point. Not all insureds can afford the highest levels of protection, and perhaps don’t need it (although this last point can be debated). But, they do need proper protection.

Sometimes “proper protection” includes protection that meets the requirements of the customers and clients (and sometimes their suppliers and lenders). More and more, we hear of small and midsized insureds buying coverage because they are required to if they want to do business with other parties. These coverage requirements unfortunately range from the reasonable (which most insureds ought to have and are available on a commercially reasonable basis) to unreasonable, where the limits are much higher than can be reasonably afforded.

Worse, we are seeing business agreements that make the small and midsized insureds responsible for unlimited losses. These agreements ask the insureds to bet their company every time they sign one of them. With no hope of securing coverage limits equal to the risk assumed, it is questionable whether the agreement should be signed.

As vendor agreements more often include requirements for cyber-insurance, we hope that they will be written with commercially reasonable terms. These agreements are a major driver in the decision to purchase cyber; written properly, they will make the market more efficient and healthy while still providing appropriate levels of protection.

Cyber-insurers have developed very different products to address what they think cyber-risk companies need; we have provided a “Product Description” table that lets the insurer describe in its own words the coverage it is offering. This table is vital to the reader’s understanding of the various—and varied—products offered.

Specialized cyber-risk insurance comes in a variety of forms, but we find it most helpful to divide coverage into property, theft, or liability for surveying purposes. Some insurers offer liability-only products, while others offer a combination of property, theft, and liability coverages.

Interestingly, it seems that more of the products previously limited to liability and breach response coverages are expanding to include property (and less so, theft) product options. This indicates to us that customer demand is increasing for these product options.

We are also seeing insureds becoming concerned about losses that may result from hacked invoices; when the customer pays the invoice to the wrong party (usually because the payment instructions were altered), they blame it on the vendor (i.e., the cyber-insured) and don’t want to attempt recovery from their own crime insurance (and often the victim is a smaller organization that may not have proper crime coverage).

If there is a resulting lawsuit, it is true that liability coverage may apply, but who wants to require their customers to sue? Instead, a few insurers are now offering coverage for first-party losses experienced by the customers of their insureds. Others flatly refuse, and the rest are taking a watchful waiting approach.

Insurers are offering cyber-risk enhancements to existing policies, such as business owners, management liability, and other policies. These products take the form of a services-only product (no risk transfer), services plus breach response coverage, and services plus breach response plus liability. Limits are typically low, and options are few, but the low additional premium can make them quite appealing to insureds. Whether they should buy these products or should consider stand-alone cyber-policies requires careful analysis and consideration of exposure, risk tolerance, and client/customer requirements.

We provided a much deeper discussion in “Cyber Endorsements for Traditional Insurance Policies” in our May 2013 report for The Risk Report, also published by IRMI. These are still current and worth reading.

State of the Market

The market continues to broaden, especially in health care and the small to midsized insured segments. Healthcare systems and their vendors, in particular, are buying cyber-risk insurance (and, in the case of vendors, often buying it as a part of a technology E&O policy; these premiums are not included in our growth or premium estimates below) at a rapid clip. Insurers are offering specialized products to these insureds.

In addition to health care, insurers report much of their growth coming from small to midsized companies newly aware of the possibilities of liability, and especially a breach and resulting response costs arising out of the possession of private data. This is leading to a large increase in policy count, but far less in new premium written.

Annual premium volume information about the US cyber-risk market is hard to come by, but in reviewing the market, we have concluded that the annual gross written premium may be as much as $4 billion (up from $3.25 billion in last year’s report). Despite lower rates … amazing.

The industry is divided by size (gross written premium) as follows.

■ A limited number of very large writers, with premiums in excess of $100 million

■ Several insurers in the $50–$100 million range

■ Several more in the $25–$50 million range

■ Numerous insurers and managing general underwriters writing $10–$25 million

■ Several writing in the $5–$10 million and $1–$5 million ranges

This year we had fairly good reporting by insurers, with 14 providing sufficient detail to allow us to provide reliable insight into market trends.

The insureds are clearly divided into those organizations troubled by lots of breaches (larger organizations as well as retail, health care, and educational institutions) and the rest, who so far have not experienced frequent breaches. We expect the public sector to join the “troubled” group shortly if it has not already. As has been the case for years, financial institutions constitute a separate group that is underwritten separately.

The following are some of the comments from the reporting insurers, primarily commenting on the market in general (few comment on their own plans).

■ A very large established insurer writing a wide range of risks sees decreasing rates for some insureds with flat deductibles.

■ A new entrant reports rates dropping 10 percent or so, declining deductibles.

■ A midsized insurer in the middle market sees decreasing rates with flat deductibles.

■ Another midsized source indicates decreasing rates with flat deductibles.

■ A large insurer expects slight rate decreases of 5–10 percent with flat deductibles.

■ Another large insurer forecasts rates down 15 percent, deductibles possibly decreasing.

■ A midsized insurer focused on smaller insureds sees very slight decreases and flat deductibles.

■ Another midsized insurer writing smaller insureds sees slight decreases, but no change in deductibles.

■ A very large insurer expects large insureds to obtain lower rates in the excess layers, higher rates in primary layers, and the middle market flat with deductibles decreasing a bit.

■ A smaller underwriter with a large book of cyber sees rates down 20 percent and decreasing deductibles.

■ A very large insurer writing large accounts sees flat rates and deductibles.

■ A small underwriter with a good-sized book expects rates to decline 15 percent with declining deductibles as well.


■ A midsized insurer writing smaller accounts sees rates down depending on the size of the insured, especially on excess business. Deductibles are down as well.

■ A very large insurer writing across all sizes suggests flat deductibles and did not comment on rates.

Large rates of growth seemed to be found in all sizes of insurers (by size, we are referring to the amount of cyber-premium that insurer is writing). This is really impressive, considering that many insurers report a surprisingly vigorous rate competition.

The above information is from confidential sources and is intentionally generalized.

We think that this market has nowhere to go but up—as long as insurers can still write at a profit. The proliferation of data breaches and the increasing sensitivity of the public to protection of their private data surely means increasing levels of claims.

Perhaps offsetting this increase in claims will be the opportunity to respond to breaches more cost effectively as insurers negotiate lower response costs and law firms get more competitive in their pricing. Higher retentions will definitely help, and, in some cases, so will reduced breach response limits, as we see both increasingly being forced on retail and healthcare insureds.

Insurers are responding to the staggeringly large number of breaches by using more precise underwriting tools, offering improved risk management services and, in a few cases, apparently laying off more risk to the reinsurance market. Several of our responding insurers have indicated more interest by reinsurers in supporting cyber-insurance products, a welcoming trend.

An exception to the ready availability of the various cyber-coverages is the portion of the policy that covers Payment Card Industry (PCI) fines and penalties. For insureds that are not compliant with PCI standards, coverage is becoming increasingly hard to find. Even when insureds have a project underway to become compliant, insurers are reluctant to offer coverage pending completion.

In the past, insurers would allow an insured a window of time during which they could implement their compliance effort. Now, it is much more likely that the insurer will refuse to provide coverage until that effort is complete and tested.

Privacy coverage is clearly driving the market; cyber-risk seminars and conferences are packed with prospective customers, insurers, brokers, and attorneys interested in privacy risk, coverage, and services. Interest is translating into purchases, which we (and many others) have been predicting. Management may still be thinking “it can’t happen here,” but as more events occur that would be covered, more cyber-risk insurance is being bought.

Data breaches continue at a disturbingly frequent rate. We are unsure if this is a result of increased reporting (breaches happened before but were not disclosed) or increased activity by, and effectiveness of, hackers, but it is having an impact on the insurance market.

What might those effects be? Possibly higher interest in coverage as more potential insureds see the frequency of breaches, but also higher premium rates and/or retentions, as the increasing frequency of claims are paid for (and as insurance company leadership sees breaches occurring even at “good” risks).


We also think that insurers will take an increasing interest in helping insureds select and implement improved risk avoidance and mitigation techniques. This approach is similar to the property insurance approach of aiding highly protected risks through rate incentives, education, broader coverage offerings, and the development and installation of protective devices.

We think that a strong influence on the purchase of cyber-risk insurance is the increasing awareness of the value of postbreach response coverage. We have spoken with many chief financial officers, treasurers, and risk managers who are not so sure that the case for liability protection has been made but who can easily see how postbreach costs would be a burden.

But even this seems to be changing. The pervasiveness of breaches has made for an angry affected population and an eager plaintiffs bar. Insureds seem to be more and more concerned that this is translating into more litigation and more likelihood of a major judgment.

Prebreach services in the past were less likely to be a compelling reason for insureds to buy cyber-policies, although excellent information and tools have been available. An exciting new trend to expand prebreach services may provide additional reasons to buy the coverage. We think these services could alter the competitive landscape for cyber-insurers as well as improve their claims experience. As cyber further penetrates the smaller and medium-sized account markets, such services will be increasingly appealing to insureds and valuable to insurers.

Finally, as noted, there are a number of insurers that are offering cyber-risk coverages as an option to another policy, such as a package policy, management liability policy, or some other mainstream product. We did not include these products in this report but have included specific cyber-related questions in our “Private Company Management Liability Market Survey” (August).

An Overview of Data Privacy Coverage

In the data security business, there is a saying: there are organizations that have breaches and know it, and there are organizations that have breaches and do not know it—yet.

We find that most prospective insureds (and their agents and brokers) are most interested in coverage for data breaches. This coverage is found (or is available) in almost all cyber-policies.

Based on our research into privacy exposures and coverage, we have identified the following six key areas that should be considered.

■ Types of coverage and limits available

■ Coverage provided

■ Coverage triggers

■ Types of data covered

■ Remediation costs covered

■ Remediation coverage services

The Types of Coverage and Limits Available

There are three fundamental coverage types: liability for loss or breach of the data, remediation costs to respond to the breach, and coverage for fines and/or penalties imposed by law or regulation.

Liability coverage is pretty self-explanatory—protection for the insured should it be sued for negligence leading to a security breach. Often, the coverage does not explicitly list data breach as covered. Instead, coverage is provided as a part of a more general coverage grant for, as an example, failing to prevent unauthorized access to its computer system.

Some insurers offer more explicit coverage, such as an act, error, or omission that results in a theft of data from a computer system. Both methods can work, but it is very comforting to see a term such as theft of data included in the coverage grant.

Coverage Provided

Coverages fall into the following four categories.

■ Liability—defense and settlement costs for the liability of the insured arising out of its failure to properly care for private data

■ Remediation—response costs following a data breach, including investigation, public relations, customer notification, and credit monitoring

■ Regulatory Fines and/or Penalties—the costs to investigate, defend, and settle fines and penalties that may be assessed by a regulator; most insurers do not provide this coverage, although there can be coverage for defense costs

■ PCI (Credit Card) Fines and Penalties—includes forensic services and card reissuance costs

Coverage Triggers

Coverage can be triggered by the following.

■ Failure to secure data

■ Loss caused by an employee

■ Acts by persons other than insureds

■ Loss resulting from the theft or disappearance of private property (such as data that resides on a stolen laptop or missing data storage media)

Types of Data Covered

Some insurers specify the types of data covered, others do not. Specific types covered can include the following.

■ An individual’s personally identifiable information

■ Nonpublic data, such as corporate information

■ Nonelectronic data, such as paper records and printouts

Remediation Costs Covered

Remediation is an area that is no longer new for cyber-risk insurance (in fact, we believe that it is the primary reason why many insureds buy cyber-risk insurance). This coverage is for the costs of responding to a data breach. Organizations that suffer a data loss may be required to notify their customers with notice of the data loss, which can be expensive. Typically, they may also want to mitigate the negative impact on their reputation by providing credit monitoring services for those same customers. This cost can also be significant.

Remediation cost coverage is now offered by most insurers. It can include the following.

■ Crisis management services

■ Notification of potentially affected customers

■ Credit monitoring

■ Costs to resecure (that is, make secure again) data

Remediation Coverage Services

There can be great benefit to the insured if the remediation services are prenegotiated and prepackaged—much like kidnap and ransom coverage. Knowing how to respond to a loss can be daunting.

Insurers often offer prepackaged and prenegotiated services provided by third-party vendors. In some cases, the insured is required to use designated vendors. In addition, some policies require the written consent of the insurer to use the services. Finally, a few of these services have a time limit for use, especially credit monitoring.

Security Assessment Requirements

Insurer-required assessments of the prospective insured’s security policies are rare now; the details are shown in the accompanying table. Typically, but not always, any required assessment is free to the applicant.

Such an assessment can be very useful to the applicant, even if they do not buy the coverage. But, if they do, a favorable assessment may help lower the insured’s premium.

Requirements often differ depending on whether it is first-party or third-party coverage, and can also vary depending on the type of business the insured is in. Some assessments are as simple (and easy on the applicant) as a review of its website, while others require an onsite review by third-party firms. Of course, the scale and intensity of the assessment are dependent not only on the insurer’s underwriting philosophy but also the nature and role of the applicant’s business being considered.

Coverage

Property and Theft

The cyber-insurance industry offers property and theft (first-party) coverage and liability (third-party) coverage; some insurers offer liability only, while others offer all. We expect that more insurers will be offering combined property and liability programs as the demand for business interruption and extra expense coverage grows.

First-party coverage protection against denial of Web services (hacker attacks) is still a hot topic due to continuing attacks on leading Internet sites. Most property products cover this risk, although they are subject to negotiation and individual underwriting.

Theft exposures are sometimes not well understood in cyber-risk risk assessments. The potential for traditional theft of money or goods via the Internet is often recognized, but theft or destruction of data, extortion, and theft of computing resources sometimes are not.

We find that insureds are still concerned about the theft of the economic value of intellectual property. This comes from reports, we believe, of increasing levels of industrial espionage by competitors and by governments acting in support of their economic and defense interests.

We have continued our new column to the “Theft (first-party) Coverage” table as well as to the “Exclusions” table to capture the insurer’s coverage position regarding theft of intellectual property (IP). In asking the insurers about this coverage, we emphasized that it references the economic value of IP. Unfortunately, we don’t think that the responses are always accurate and will continue to refine them in our reports. Theft of the economic value of IP is a major breach exposure, and insureds need coverage. For those interested, further investigation is recommended.

“Theft (first-party) Deceptive Funds Transfer or Social Engineering” coverage offerings of each insurer for losses suffered by the insured because they were deceived into executing a funds transfer are provided in this year’s Report. These are often initiated by an email that purports to be from an authorized executive telling the recipient to transfer funds to a fraudulent account (for example, a “vendor” that turns out to be controlled by the thief).

These coverages are sometimes called social engineering coverage, but we prefer the term “deceptive funds transfer,” as not all coverages are limited to social engineering.

The table includes the following information.

■ The maximum limit available

■ The nature of the electronic missive covered (i.e., email, text, instant message, phone, etc.)

■ Whether electronic funds transfer fraud of the insured’s funds is covered

■ Whether coverage is offered for a customer’s loss of funds if they were deceived via a fraudulent communication purporting to be from the insured

■ Whether coverage is offered for a customer’s loss of funds having bought from a website purporting to be yours

Liability

Traditionally, bodily injury and property damage losses were not covered by cyber-policies, but insurers should be changing their attitudes toward this.

AIG’s CyberEdge PC product introduced coverage that provides bodily injury and property damage protection that may result from a cyber-attack. The coverage is provided on an excess and difference-in-conditions basis (meaning the insured’s other liability policies will pay first, with CyberEdge stepping in where those policies do not cover, subject, of course, to its own coverage terms).

Why might this be important?

■ Core commercial policies are more and more often excluding cyber-related claims.

■ It adds clarity in coverage for both the insured and the insured’s advisers.

We think this coverage can be important and appealing to insureds and, in 2015, added a table in this report asking the insurers to indicate their position for both direct and contingent bodily injury and property damage coverage available in the cyber-policies. See the “Third-Party Coverage: Bodily Injury and Property Damage” table.

The definition of “insured” differs on many policies, but special requirements can usually be met. Many insurers do not automatically include subcontractors as insureds, although many can provide coverage by endorsement.

The definition of a claim also varies significantly, with some insurers going to great lengths to define a claim and others using wording such as “a demand seeking damages.”

Coverage for liability arising out of alleged media offenses has become a popular addition to cyber-policies. As many insureds and their brokers take cyber-activities to mean “Internet” activities, accompanied by buzz about social networking, questions about coverage for libel, slander, and intellectual property are increasing. “Where is the coverage?” asks many an insured.

Some coverage may already exist in the personal injury portion of an existing general liability policy, but more specific—and broader—coverage may be obtainable in a cyber-policy.

This report includes a table that summarizes the (optional) media liability coverage that insurers might offer a cyber-risk insured. It includes the following information.

■ Coverage that applies to all types of media or is restricted to social media only

■ Intellectual property rights that may be covered

Claims Reporting, ERP Options, and Counsel

Each liability policy reviewed is a claims-made form, so extended reporting period (ERP) options are important; look for bilateral extended reporting period wording.

Selection of counsel continues to be a delicate issue with insureds, but, as we frequently see in other new lines of coverage, insurers typically reserve the right to select, or at least approve, counsel. However, some insurers offer an option for the insured to preselect counsel, while others allow selection from an existing panel.

As with all questions of counsel choice, we recommend that insureds discuss and agree with their insurer beforehand on the counsel they want to use.

Generally, insurers can impose the infamous “hammer clause” on lawsuits that an insured may not want to settle. The use of “soft” hammer clauses continues to be prevalent in this product line.

Specific Coverages Included in Policy

We have identified 10 specific coverages that may be, but are not always, included in a cyber-risk policy. They are the following.

■ Virus

■ Unauthorized access

■ Security breach

■ Personal injury

■ Advertising injury

■ Loss of use

■ Resulting business interruption

■ Copyright infringement

■ Trademark or servicemark infringement

■ Patent infringement

Generally, insureds should be careful to review their exposures to these types of losses and make sure they use insurers that are willing to offer the needed protections. Coverage for patent infringement, for example, is rarely (if ever) offered in basic cyber-risk forms but can be purchased from a limited number of insurers as a separate intellectual property policy (as discussed in the Intellectual Property and Media Liability Insurance Market Survey, April 2016).

Exclusions

Exclusions are many and varied, as would be expected; please read those tables carefully. The tables have been simplified by removing exclusions primarily related to technology E&O.

Rather than try to recite them here, the information for each insurer is found in the “Exclusions” table.

Note that we include a question in “Exclusions1” table, which asks whether the policy form includes an exclusion for failure to maintain security standards. This is an extremely troubling exclusion as it adds an uncertainty to the coverage.

We have spoken with several underwriters about this; our concern is that, while an insured is best served by adopting security procedures, and the insurer should consider those standards (or the failure to adopt them) in the underwriting process, it is hardly fair to the insured to make the payment of a claim contingent upon maintaining those standards.

At first, the requirement makes sense—it is good for the insured, it is reasonable for the underwriter. The problem is, what happens when the standards change, or there is a mistake, and the insured is out of compliance?

For us, the exclusion is hard to accept and dangerous for the insured. An insurer may say that it would never apply the exclusion, but we would not be confident that it will never be applied in the future.

We understand that warranties in the application should be enforceable. But this exclusion goes too far.

Risk Management Services

Cyber-related risk management services are an important product differentiator—a very positive development for the insureds, their intermediaries, and for the insurers themselves. Insureds and their advisers recognize the value that these services can bring. And insurers are becoming more convinced of their value in controlling losses. But, these services have a long way to go before they reach their full potential.

We have often commented on the parallels in services between the cyber-insurance line and other lines, especially employment practices and property (highly protected risk particularly). Cyber-related risk management services, while helpful, have been relatively weak when compared with these other lines. This is certainly understandable for a still relatively new line of insurance, especially considering the wide array of potential services (and potentially high cost).

To capture more information about the services that are available to insureds via their insurance purchase (and frankly, to encourage further development of the product), we have an expanded approach in the “Risk Management Services” table.

This table asks for information on the following types of services.

■ Active Avoidance—This indicates whether the insurer includes products and/or services that help the insured actively protect data from breach or other covered loss (the property analogy would be sprinklers). It is intended to indicate capabilities that act independently to protect against activities that lead to breaches.

■ Prebreach Planning—These are services and/or tools that help the insured to prepare a contingency plan for use in the event of a breach (think of disaster recovery).

■ Help Line—This is a staffed resource that fields questions via telephone or email (think of an employment practices liability insurance helpline).

■ Information Portal—This is a source for information and possibly tools to help in the management and response to data protection and breach.

■ The column “Other” allows the insurer to describe additional types of services provided.

Summary

Cyber/privacy insurance is evolving rapidly in response to high demand, a high level of claims, and an increasing level of threats. Until now, there was little litigation over cyber-policies, but that is beginning to change. Recent court decisions will guide risk managers and their advisers in the selection and negotiation of those policies.

Insurers—especially those with lots of cyber-experience—are refining their underwriting tools, making increasingly valuable risk management services available to their insureds, and helping intermediaries better understand the coverages that are needed.

The market is clearly maturing, with insurers more often insisting on higher retentions for larger insureds and for insureds in retail and healthcare segments. Coverages that were formerly easy to get now require stronger security standards (PCI is a good example).

We see this as generally a good thing, as insurers help encourage their insureds to be better protected against loss. Better-protected insureds, through the positive influence of cyber-insurers, will make for better claims experience, a more stable market, and a safer world.

But there is still far to go; the products too often focus on breach of private data. Coverages need to be broadened to include loss of intellectual property, resulting bodily injury and property damage, and damage to reputation.

Some of these coverages will become more widely available, we think, as insureds better understand the actual risk and as they get better advice from their advisers.

And more complete value-added risk management services need to be made available to insureds, scaled to their size and ability to use the services, and, of course, to the size of the premium being charged.

Insurers will struggle with filtering out the sometimes-optimistic claims of some cyber-security providers, who rightfully see the cyber-insurance business as a huge opportunity to grow their businesses. But insurers have limited budgets to provide these services, so getting it right will be vital to both the insurers and to their insureds.

We started researching cyber-insurance in 2000; little did we know that the product would be so important, so widely needed, and so fascinating. And there is more to come.

About the Author

Richard S. Betterley, LIA, is the president of Betterley Risk Consultants (BRC), an independent insurance and alternative risk management consulting firm. BRC, founded in 1932, provides independent advice and counsel on insurable risk, coverage, alternatives to traditional insurance, and related services to corporations, educational institutions, and other organizations throughout the United States. It does not sell insurance or related services.

Mr. Betterley is a frequent speaker, author, and expert witness on specialty insurance products and related services. He is a member of the Professional Liability Underwriting Society. He joined the firm in 1975.

Mr. Betterley created The Betterley Report in 1994 to be the objective source of information about specialty insurance products. Now published six times annually, The Betterley Report is known for its in-depth coverage of management liability, cyber-risk, technology, intellectual property, and media insurance products.

More recently, Mr. Betterley created The Betterley Report Blog on Specialty Insurance Products, which offers readers updates on and insight into insurance products such as those covered in The Betterley Report. It provides him with a platform to more frequently and informally comment on product updates and newly announced products as well as trends in the specialty insurance industry.

The Betterley Report provides insightful insurer analysis on these six markets and coverage lines:

• Cyber/Privacy Insurance Market Survey

• Technology Errors & Omissions

• Employment Practices Liability Insurance

• Side A D&O Liability Insurance

• Private Company Management Liability Insurance

• Intellectual Property and Media Liability Insurance

The Betterley Report

Information in this Report includes information provided by participating insurance companies. Professional counsel should be sought before any action or decision is made in the use of this material.

Copyright 2017 Betterley Risk Consultants, Inc. No part of this publication or its contents may be copied, downloaded, stored in a retrieval system, further transmitted or otherwise used in any form other than with the expressed written permission of Betterley Risk Consultants, Inc.

The Betterley Report, your independent guide to specialty insurance products, is a series of six comprehensive reports published annually. Each report exhaustively reviews a single hot specialty insurance product, providing essential information such as:

Who are the leading carriers?

Complete contact information

Target and prohibited markets

Capacity, deductibles, and commission ranges

Sample premiums (where available)

Critical coverage and claims differences

Exclusionary language

Risk management services

The Betterley Reports are produced annually, and range from 50 to 175 pages in length. Current analyses include:

Cyber and Privacy Risk Policies

Technology Risk Insurance

Employment Practices Liability Insurance (EPLI)

Private Company Management Liability

Side A D & O Liability

Intellectual Property and Media Liability

The Betterley Reports are a huge timesaver for busy risk management professionals who need to be up-to-date on insurance products for their clients. Need to identify and evaluate the coverage, capacity and contacts for your clients? Need the best analysis of leading edge insurance products? We’ve done the ground work for you!

The Betterley Report is distributed by International Risk Management Institute, Inc. (IRMI) and may be accessed by subscribers on IRMI Online. To purchase a subscription, call IRMI Client Services at (800) 827-4242 or learn more on IRMI.com.

Betterley Risk Consultants is an independent insurance and alternative risk management consulting firm. Founded in 1932, it provides independent advice and counsel to corporations, educational institutions, and other organizations throughout the U.S. It does not sell insurance nor provide insurance-related services.

Betterley Risk Consultants, Inc.

Thirteen Loring Way • Sterling, Massachusetts 01564-2465

Phone (774) 262-3460

e-mail [email protected]

The editor has attempted to ensure that the information in each issue is accurate at the time it was obtained. Opinions on insurance, financial, legal, and regulatory matters are those of the editor and others; professional counsel should be consulted before any action or decision based on this matter is taken. Note: all product names referred to herein are the properties of their respective owners.

The Betterley Report is published six times yearly by Betterley Risk Consultants, Inc. This material is copyrighted, with all rights reserved. ISSN 1089-0513