More than half of US businesses now carry some form of cyber insurance coverage – and a new report from Wells Fargo suggests they’re using it.
According to a study of 100 middle market companies and large corporations, 85% of respondents carry cyber and data privacy policies and nearly half (44%) have already filed a claim as a result of a breach. Unfortunately, that influx of probable payouts is likely to push coverage costs even higher.
Already, the recent rash of high-profile hacking events and data breaches has triggered significant premium increases and heightened deductibles among cyber insurers. Average rates for retailers jumped 32% during the first half of 2015 alone, and many healthcare companies are seeing their premiums triple at renewal time. Deductibles, meanwhile, are now reaching into the $25 million territory for coveted $100 million policies.
This is a problem for insurance agents, who already struggle to sell large cyber policies to businesses wary of the price tag. In fact, the Wells Fargo survey reveals that among midsize corporations, a full 42% say their biggest challenge when purchasing coverage is cost.
Equally problematic is the effect that expensive data breaches and high claims activity are having on insurer appetite.
Tracie Grella, the global head of professional liability at American International Group, told Reuters that the insurer reserves its high-limits policies for companies with proven network security. ACE Group, meanwhile, offers up to $100 million in coverage, but seriously reviews cyber security policies and procedures of its insureds before granting such limits.
Berkshire Hathaway also said it will be “very selective” when it comes to selling its cyber policies.
That leaves
insurance brokers with a new charge – help clients secure their data first, and then shop for a policy. Newer technologies like tokenization and end-to-end encryption are particularly important, as they secure payment card transactions, said
Lockton Companies partner Ben Beeson.
“Retailers that don’t do that today are going to struggle to get insurance,” he said.
The Wells Fargo report also shares common gaps in companies’ cyber defense, which agents can check up on with their clients. These include:
- Not having a data breach response plan in place. While 35% of companies say they are concerned about data leaks and 25% are concerned about hackers, one in 10 said they do not have an existing response plan in place.
- Not testing their plans. One in 10 companies that had to implement their post-data breach response plan did so without testing it beforehand, and a full 74% said they needed to revise their plan following the incident.
- Not training their employees. Around 27% of companies do not have an employee awareness training program for cybersecurity and data privacy, and 20% of companies with fewer than 2,000 employees do.
“While companies recognize the need for cyber security and data privacy insurance, purchasing coverage is not a complete solution,” said Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice. “It’s also important to recognize that other factors, including testing incident response plans, employee awareness training and following established privacy policies, are all critical components of an overall risk management program.”