Despite protecting an industry with incredible reach and influence, those who work in media insurance find that it’s a subject that tends to go slightly under the radar. It’s a small, close-knit market, noted Nicola Marshall, senior underwriter of professional indemnity and TMT at Markel International, but one that has held her interest for many years and allowed her to work with an incredible range of broadcasters and content creators.
Over the last two decades, Marshall has seen for herself how the lay of the land has shifted and how technology has enabled media companies to channel vast amounts of content. Content can now be disseminated in so many forms worldwide, she said, and communication has perhaps never been so important, which has been especially true during COVID-19.
“As we become more aware of inclusivity and diversity, there’s also pressure for companies to keep pace with how they make content inclusive across all their applications, in particular for the visually impaired,” she said. “But one of the most significant issues now facing media companies relates to the amount of data that they retain, which makes them a vulnerable target for hackers. We’ve found that some of the broadcasters, for instance, are very data-heavy.
“[…] For creative companies, their focus is all about creating content, it’s not always about the other parts of the business that go with that. Some of [their] risks are data-heavy - and this is true for publishers as well as broadcasters - and with the ability to read content online, they’re exposed because they’ve got subscribers, they’re always asking for email addresses, home addresses, bank or credit card information. So, they’ve got a number of PII (personal information identifiers) in storage and that is what makes them extremely vulnerable.”
This is leading to a key challenge facing the media insurance space – that media companies are combining media liability policies with cyber policies. This is rooted in how the market shifted when the internet provided a new format for content. Media policies broadened out to pick up third party coverage at a time when there were very few cyber-related claims in the market – and cyber threats did not seem to be exposures for a media company. Therefore, combining both risks seemed a cost-effective solution.
Media wordings were initially focused on the media risks as the cyber market was underdeveloped and there wasn’t the history of losses that there is now. The issue now, Marshall said, is that the cyber market has developed rapidly and exposed a key fact – that cyber and media risks behave very differently. Cyber risks are systemic in a way that media risks are not and they have the potential for significant frequency and severity due to the nature of large data breaches and ransomware payments.
A media risk can be managed well by the insured, she said, and often a loss will fall to the excess, at worst well within the primary layer. Meanwhile, a cyber risk continues to spread after the initial incident. You know what you’re playing with when a copyright claim comes in, for instance, and it will only cost a certain amount of money. With a cyber loss, the payout can stretch into the millions, especially with credit monitoring for impacted victims and forensic costs to see how the breach occurred.
“They are very different risks,” she said. “Apart from the crossover with content… there’s no commonality to them. And cybersecurity isn’t always at the forefront of media companies’ minds, as they tend to focus on their core business. The threat landscape has changed with increased regulation in the form of GDPR in recent years, and increases in cyberattacks, particularly ransomware. Unfortunately, in some cases, for these media companies technology awareness isn’t always present, or perhaps the investment isn’t quite there where they need it. And I’ve seen that quite a lot recently.
“It seems like some of the media companies are behind, possibly where they’ve made acquisitions and they haven’t pulled everything together in the right way. They’ve got all this data but I don’t think they’re always aware of how much risk there is with that data. By combining the two risks together under a media policy, what should be in place for what is actually ‘the core risk’ is now largely dictated to by the cyber risk because business has become data-heavy.”
Therefore, under virtually all policies, Marshall said, where there is a sharing of the limit for both risks, if a cyber loss occurs, the media part of the risk is generally left exposed. Media policies are being stretched by the nature of cyber losses as, if a policy is exhausted from a cyber loss, there isn’t anything left to provide coverage for the core business activities.
Marshall highlighted how critical it is that businesses understand the difference between these risks and the need for them to be broached separately. You have to have a separate media policy for your core business, which is where you earn your revenue, and another policy that adequately caters for the cyber risk resulting from business activities. It’s up to brokers now to share that message with insureds.
The cyber market has grown significantly in recent years, she said. Cyber insurance is now a much larger market than the media insurance market – as a comparison, only a handful of markets write media, while over 50 markets write cyber. With cyber seen as the next big thing, a lot of brokers have become well-versed in policy coverage and understanding their clients’ risks and exposures - but when it comes to media, they’re unlikely to be experts on areas such as IP or defamation.
“We could not have foreseen the risk insureds are now facing from a cyber perspective,” she said. “There is no doubt that ransomware attacks will continue to be frequent and, with that in mind, insureds need to be made aware of the risk of having a combined policy. We live in an era where the cyber threat landscape is visibly changing. There should be no potential to compromise coverage for media losses arising from the core business of a media company.”