Capacity has grown rapidly in the marketplace to accommodate demand. “There are more than 50 market competitors, including MGAs, all with very aggressive terms and conditions,” says Ken Goldstein, vice president and worldwide cyber security and media liability manager at Chubb Insurance.

Competition is so fierce that some carriers seem to be abandoning underwriting discipline to claim a stake in the market. “Even with the high-profile retail events that have gone on, and concerns over PCI [Payment Card Industry] assessments related to data security, we see carriers offering coverage for assessments and fines even if their customers aren't PCI compliant,” says Goldstein.

Some carriers are willing to be aggressive because, despite headline-making breaches, experience to date has been profitable. “Most insurers haven't seen a lot of third-party class-action lawsuits thus far,” says Coray. “Historically, this business has been desirable, and a package writer will often offer Cyber to stay competitive.”

Coverage Converges

Cyber is characterized by some as the “Wild West” of insurance, with each carrier offering its own policy forms and coverage details. “The challenge for producers is that no two insurers' policies have evolved the same way—it's not an ISO product with a little bit of modification that is filed easily with regulators,” Coray says.

Brokers should never assume two companies' forms are the same. “There is some standardization, but nowhere near what it would be in typical lines of coverage. Even when two carriers try to do the same thing, terminology is often different enough that it's difficult for an agent or broker to do a policy comparison,” Francis says. “With more and more carriers in the market, the agents' jobs haven't become easier,” he adds. “They need to look at each form individually and talk to carriers and underwriters.”

At a minimum, Cyber forms should provide liability for damages caused by a breach and first-party coverage for notification and mitigation costs. Companies also should consider purchasing a form that includes both business interruption and contingent business interruption, particularly as cloud computing vendors are used more frequently to host applications or provide infrastructure capacity.

Other coverages available include extortion and coverage for cryptolocking/ransomware. Some specialty carriers offer criminal rewards coverage, which provides first-party reimbursement for rewards paid by the insured that lead to the arrest and conviction of those responsible for cybercrime.

Companies should assess the extent of services an insurer provides beyond coverage. “Crisis management carries a high value with this insurance,” says Coray.

“It's not just hard-dollar losses that a business risks—it's soft-dollar losses, it's reputational risk,” Francis says. “Those soft-dollar losses happen not simply because a breach occurred, but because the response was bungled. Having access to a competent breach coach, forensic specialists and a law firm that specializes in that world is important.”

An increasing number of buyers are considering standalone forms, rather than endorsements to General Liability policies. “Early adopters bought Cyber as extension of coverage under GL, Property, or sometimes E&O, but now they are looking at the robust coverage grants of monoline Cyber policies that go beyond merely an extension of coverage,” Coray says.

Even with the increase in breach activity and growth in the Cyber market, only about one-third of companies have Cyber coverage in place, according to the Ponemon Institute. That presents a huge opportunity for brokers who take time to understand the market.

“There is a lot of capacity that exists, and there is a market to suit any company's particular needs,” Goldstein adds. “Getting your arms around the coverage and services a particular carrier offers to differentiate itself is the challenge. It's important that companies and agents do their due diligence when selecting a carrier.”