The cyber insurance market is generally buyer-friendly with competitive rates and plentiful capacity as new insurers enter the market.
While companies in the retail, health care, financial and hospitality sectors, still are finding relatively higher rates due to major data breaches that have hit the sectors, experts say rates are increasing at a slower pace than a year to 18 months ago.
“The market remains robust,” said Robert Parisi, managing director and national cyber risk product leader at Marsh L.L.C. in New York. After digesting some large data breaches, insurers have “started to move forward,” and once-aggressive rate increases are “starting to moderate somewhat.”
“We're in an expanding period,” said Lauri L. Floresca, senior vice president and partner at Woodruff-Sawyer & Co. in San Francisco. “We've seen a lot of capacity come in over the last 18 months, and while there was a bit of a hard market for the very large consumer-facing companies ... most of that has played through the market right now.”
Also, there's “a high degree of flexibility,” and insurers are willing to provide broad coverage “as long as applicants were able to provide appropriate underwriting information,” Mr. Parisi said.
Despite the lack of actuarial data and risk aggregation “headwinds,” new players have entered the market and increased its capacity, said Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C.
Some experts estimate market capacity has reached $4 billion, with 65 to 70 insurers now offering cyber coverage. About $500 million in capacity is available through towers for stand-alone cyber cover, with $100 million readily available, they say.
Cyber insurers have aggressively targeted midsize companies with less than $1 billion in revenue and those that do not have a great deal of personally identifiable data, said Kevin Kalinich, Chicago-based global practice leader of cyber/network risk at Aon Risk Solutions.
“There's been more of an appetite for getting rid of sublimits, especially in the middle market,” said Bob Wice, an underwriter at Beazley P.L.C. in Farmington, Connecticut. “For the most part, the market, at least the middle market, is pushing for full limits across the board.”
“We've also seen a healthy London market,” with insurers and brokers “working together on the very large, sophisticated programs” on a risks service basis to “put up some larger blocks of limits, so the capacity has opened up a bit more in the last quarter,” said Catherine A. Mulligan, New York-based senior vice president of specialty products at Zurich North America.
On the buyer side, companies are gaining sophistication in controls, protocols and procedures around cyber-related issues as well as recovery plans when there is a data breach, said Shawn Ram, San Francisco-based executive managing director, Western regional manager and national technology practice leader at Crystal & Company. This has given insurers “more comfort” in underwriting the risk, he said.
Underwriting precision also has improved, said Dena Cusick, Charlotte, North Carolina-based national practice adviser at Wells Fargo Insurance Services USA Inc.'s professional risk practice.
“We're seeing more underwriting questions very specific to the technology” used by a particular company, including questions on firewalls and passwords, Ms. Cusick said.
Health care, hospitality and retailers continue to get particular scrutiny, with financial institutions sometimes included.
Health care, financial institutions and retailers “have consistently been industry classes that might experience higher rates than others, based purely on the value of personally identifiable or confidential information that they have,” said Shannon Groeber, Philadelphia-based senior vice president of the cyber and errors and omissions practice at JLT Specialty Insurance Services Inc.
“Over the years, we've been looking at those classes a little bit differently and limiting the amounts of limits” provided, said Tracie Grella, American International Group Inc.'s New York-based global head of cyber. But now in cases where security has been revamped and firms are in a much stronger position than their competitors, AIG “would consider increasing the coverage or limits available to them,” she said.
Companies that put good controls in place are “not getting the huge increases they were getting” previously, said Anthony Dagostino, executive vice president and cyber E&O practice leader at Willis Towers Watson P.L.C. in New York.
Meanwhile, terms and conditions are being refined “depending on the nature of the risk involved,” said Eric Cernak, Hartford, Connecticut-based Munich Reinsurance America Inc. cyber risk practice leader. “There's still a wide variety of variability of both rates and terms in the marketplace. We still haven't coalesced” the coverage into a single form or common language, he said.
Experts say more insurance buyers that already have a captive insurer are exploring putting their cyber coverage into the facilities.
“Customers are keen to see how they can leverage their current captives to address both the security and privacy and some of these other cyber peril exposures, so we think that could be something that could be a good solution,” said Zurich's Ms. Mulligan.