In November 2014, Mark Synnott of Willis Re addressed our Annual Meeting at the University Club in Chicago. Here's what he had to say.
The State of the Cyber Market
Cyber is one of very few lines that is expanding at the moment and seems to be on everyone’s lips. With this in mind, it’s certainly worth looking into the origins of the coverage, how it has evolved and what the prospects might be for the future.
The meaning of cyber
Cyber is a nebulous term. It means different things to different people. The term is actually a prefix derived from the word “cybernetic” which comes from an ancient Greek word meaning to “skillfully steer” or “govern”.
Cyber was first used in the context of computers in the early 1980’s by the science fiction writer William Gibson, who coined the term “cyber-space”. When asked about what it meant, Gibson said the term was no more than an effective buzzword and was essentially meaningless – it was suggestive of something but had no real semantic meaning.
As cyber-insurance has evolved over the years, plaintiff lawyers (such as those involved in the Sony case) seem to have latched on to Gibson’s words and have been notable in their enthusiasm to test the boundaries of cyber coverage within traditional insurance policies.
Development of cyber insurance
Cyber-insurance began as Tech E&O in the 1990’s, and then expanded as dot-com businesses such as Amazon and eBay started to take off in the early 2000’s and target online sales. These early policies included both liability and property components: liability addressed the legal expenses and liability arising out of a breach of computer systems; property covered business interruption and data loss/damage. The market was small, there were few losses and it was hard to get buyers to understand the need for coverage.
Two things changed the landscape:
First, California passed the first data breach notification law which became effective in 2003 and required companies and other organizations to investigate security breaches and comply with breach notification provisions including customer notification and credit monitoring. This resulted in the incurring of often significant expense. Other states followed suit. As a result, the plaintiffs’ bar had notice of security breaches and could file lawsuits. This made the need for cyber protection much more real. It also led to the growth of data breach coverage. In the early days of cyber, the concept of data breach was a vague one, but these rulings changed the game fundamentally. Today, cyber protection is all about data breach coverage.
The second change was organized crime. In the early 2000’s, hacking was more about causing annoyance or garnering bragging rights for activists on the fringes of the computer community. When an attack happened, it was discovered and remediated. But the rise of organized crime saw the potential to steal thousands or millions of records to commit identity theft or credit card fraud. It was also low risk: it could be performed from thousands of miles away in Eastern Europe or China with almost no chance of getting caught. And it was high reward.
Many buyers were slow to adapt to the changing landscape and existing property and liability policies were tested in the courts and generally found wanting. Insurers also started to narrow – or “clarify” – coverage to exclude cyber. As a result, potential coverages related to data privacy, remediation costs, data or system damage, business interruption and certain fines and penalties coverage have been largely excluded from general property, casualty and specialty lines policies and covered under specific cyber policies.
The growth of the line has also been promoted by a series of high profile losses such as Target and Home Depot where hundreds of millions of records have been compromised. Cyber premiums have therefore grown rapidly since the mid 2000’s, rising from several hundred million to around $1 billion by 2012. Some think that premiums have doubled over the last couple of years and now total $2 billion. In this regard, a recent commentator quipped that the Target loss in 2013 was the equivalent of 10 free Super Bowl ads.
Similarities with EPLI
Cyber has a number of similarities with the last big new product line to be developed in the 1990’s – EPLI.
- The need for cover was driven by federal and state legislation.
- Coverage was originally sought under traditional covers such as CGL and D&O.
- Claims were denied and traditional policies were redefined to exclude coverage.
- The product grew in a soft market with multiple carriers, low pricing and a lack of claims history.
- Growth of the product was encouraged by high profile losses, such as CalPERS in the early 2000’s.
Today, overall cyber premiums are very similar to those for EPLI. EPLI has perhaps a premium income of $1.7 billion in the US and $500m ex-US. Some reports put US cyber premiums for 2014 at an estimated $2 billion with non-US premiums around a tenth of this.
However, the difference is in the potential.
EPLI is now a mature market but cyber has a way to go. Market penetration in many industry sectors is still only 20-30%. Breaches are continuing to increase and awareness is growing, so take-up is on the rise. Limits bought by buyers are also increasing which is adding to premiums. The analyst VJ Dowling recently estimated the potential for the US cyber market at a premium income of $5-10 billion, which would put it around the size of the D&O market. Increased data privacy legislation in the EU and other jurisdictions means that non-US premiums are also likely to grow substantially, with the EU market perhaps increasing to around $1 billion in the next 4-5 years.
The other wild card is the claims environment. A recent study by the Washington-based Center for Strategic and International Studies estimated that cyber crime is now costing the global economy about $450 billion annually. In recent years, there have been a number of high profile cyber insurance losses that while sporadic seem to be on the increase, although with multiple carriers in the market, premium rates remain broadly flat. However, if the claims environment worsens significantly or market conditions change, this could lead to a major rethinking on pricing. In the case of EPLI, rates rose by up to 400% in 2002-3 driven by increased loss activity and a hardening in market conditions.
The current market
The current market is a broad one with perhaps more than 50-60 carriers offering cyber coverage in the US alone. Market penetration continues to expand into all sectors including small-to-medium sized businesses, which are starting to respond to increasing media coverage about the potential for loss.
The market is divided into several large writers that have over $50-100m in premium, a number in the $25-50m range and many carriers below this. Although the majority of limit needs are small, market capacity is in the several hundred million USD range for larger risks. At all levels, privacy coverage and the expenses associated with a breach are driving the market.
The need for tailored products to cover different industry groupings and a wide range of services to address the impact of a data breach requires flexibility and ingenuity and is ideally suited to the creativity of the Lloyd’s market.
Beazley and other syndicates are prominent players in the cyber market in their own right and are also working with MGA’s to broaden their product reach worldwide. In an increasingly competitive environment, cyber offers one of the few areas for growth in the market. As has historically been the case when it comes to new lines of business, Lloyd’s is at the forefront of product development.
Issues in the current market
Perhaps the most significant issue currently is the difficulty in pricing the product. For the majority of carriers, there is little claims history to work with and therefore it is very difficult to determine adequate pricing. Exposures are also very different between industry sectors and with more and more electronic devices being controlled via the internet, hackers have an increasing set of crime opportunities. In the case of the Target loss, for example, hackers were able to get into the retailer’s point of sale software through a connection with a heating and air contractor.
The problem of pricing is exacerbated by the fact that cyber represents an amalgam of property and liability coverages but tends to be written in E&O departments of most insurers. In essence, cyber is sold as a liability product whereas most of the losses are first party-related.
Another issue is uncertainty about coverage for war or terrorism. Most insurance policies contain war exclusions but in the case of cyber it is unclear where state-sponsored activity might begin and a war exclusion is triggered.
This leads on to the potential for aggregation and catastrophic loss. A conflict between, say, China and the US might disrupt the internet globally; however, there are many other examples that might trigger a large aggregation of losses. To name a few: a major cloud security provider could be breached compromising multiple insureds; an earthquake in the Silicon Valley area which runs along the San Andreas fault could cause massive downstream internet and IT disruption; or an attack could happen on one of the protocols on which the internet itself depends.
The industry needs to work on both the pricing and risk selection issues: which industries are breached most often, how quickly breaches are increasing, and what the costs of breaches are by component. Expense costs to consider include credit monitoring and customer notifications, liability costs such as defense costs and damages, and the costs of fines and penalties.
Catastrophic protection also needs to be developed to help reinsurance clients protect against aggregation issues as their books grow and the market evolves.
The cyber market offers industry participants a huge opportunity to distinguish themselves in an environment where most other sectors are mature and there is limited scope for product differentiation – in an increasingly competitive environment, it offers one of the few areas for growth.
Looking ahead, with the increasing use of the internet in almost every facet of daily life, it is entirely possible that buying cyber will be seen as mainstream as buying property, liability or auto coverage.
As the market evolves though, the lack of claims experience as well as increasing and unpredictable exposures present challenges to the insurance market. This may be overlooked in the current soft market where everyone is looking for growth but the challenges remain very real.
The likely winners in this environment are those that adopt a prudent approach to growth by taking time to fully understand the often very different exposures in the industry sectors they are serving, or who otherwise hedge against the unknown potential for downside risk.
Mark P. Synnott is an Executive Vice President at Willis Re. He has over 30 years of broking and underwriting experience in reinsurance and ran Willis Re North America’s London office before relocating to the company’s Chicago office in 2013.
Prior to joining Willis in 2009, Mark held various broking and management positions at Guy Carpenter, Aon, and Carvill and was joint deputy underwriter at the Jago syndicate at Lloyd’s. He received his B.A. from Oxford University.