Data Breaches Prompt Insurers to Boost Cost of Retailers’ Cyber Coverage
By: Judy Greenwald (Business Insurance) September 2014
Major retailers should expect higher rates and retentions and lower coverage limits for their cyber insurance following several major data breaches since spring 2013, but much depends on persuading underwriters about the effectiveness of retailers’ cyber defenses.
At the same time, data breaches affecting The Home Depot Inc. and Target Corp. have increased demand for the coverage, while many retailers are seeking increased coverage limits with mixed success, experts say.
“The capacity has certainly shrunk, and the marketplace is significantly tightening,” said L. Spencer Timmel, network security and privacy liability product leader at brokerage Hylant Group Inc. in Cincinnati. Should there be a significant increase in data breaches, that “will dramatically hurt the market,” he said.
In response, underwriters are asking more in-depth questions before agreeing to bind policies, which generally exclude retroactive coverage. While some insurers have stopped writing the coverage for big retailers, major cyber insurers generally remain in the business, experts say.
Home Depot had $105 million of cyber insurance, when it confirmed on Sept. 8 that cyber thieves hacked its payment cards systems pilfering 56 million credit card numbers. Target said in August it maxed out $90 million of cyber coverage to pay expenses related to its breach of 40 million credit card numbers last December.
Others have stepped in to replace the few insurers that have tightened their cyber coverage for retailers, said Robert Parisi, managing director and national cyber risk practice leader at Marsh L.L.C. in New York.
While insurer scrutiny has increased, “we can place coverage for pretty much anyone out there that’s looking for it,” he said.
Insurers “have decided it is going to be their pricing or they’re not going to do it, so it’s getting very hard, and I would anticipate a real problem of getting the capacity” retailers previously could get, said Peter Taffae, managing director of Los Angeles-based Executive Perils Insurance Services.
“There is hesitancy” to provide coverage to retailers with a large “physical footprint,” said John O’Donnell, New York-based senior broker at FINEX North America, a unit of Willis North America Inc.
“Even primary markets that have large capacity are decreasing their capacity” or are not renewing large accounts, said Kevin Kalinich, Chicago-based global practice leader of cyber risk insurance at Aon Risk Solutions. He said capacity, which was $150 million to $200 million in 2012, increased in 2013 to $300 million before the Target and Home Depot data breaches. Now, capacity is more in the range of $200 million to $250 million, he said.
“You can get beyond $100 million in capacity. I just believe the cost of that capacity on an excess basis, particularly, is not going to be as inexpensive as it used to be now because you’re looking at catastrophic losses,” said Adam Cottini, area senior vice president at Arthur J. Gallagher & Co. in New York.
Early this year, cyber rates for major retailers were increasing 10% to 15%, fell to zero to 5% through the second quarter, but jumped 10% to 20% after the Home Depot breach was announced. Although rates can be negotiated closer to a zero to 5% increase, Mr. O’Donnell said, the price per million in coverage is higher for smaller towers than it is for large ones.
However, “for a risk that is just absolutely pristine, the carriers will compete aggressively” Mr. Parisi said.
Experts say retailers with a self-insured retention of $500,000 to $1 million a year ago may now face retentions of $5 million or more.
Sublimits may be a factor. If a policyholder has a $1 million retention, then an insurer may provide a sublimit of $1 million for event management issues, such as forensic investigations. But if a buyer moves to a $5 million to $10 million retention, it can negotiate full limits for event management, Mr. Kalinich said.
Meanwhile, demand for the coverage has increased.
Retailers that had $3 million in cyber coverage are seeking to increase it to $5 million or $10 million, and those with $5 million are seeking to increase it to $10 million, said Nicholas Economidis, Philadelphia-based underwriter of professional liability and specialty lines at Beazley P.L.C.
“We’re getting a lot of requests to increase policy limits,” he said.
Those who already have the coverage and are seeking higher limits may encounter difficulties in obtaining additional excess coverage with the same price structure, Mr. O’Donnell said.
Kevin Baughn, cyber/privacy risk senior underwriting manager at San Francisco-based Safehold Special Risks Inc., a unit of Wells Fargo Insurance Services USA Inc., said officials at one drugstore chain told him that, in hindsight, they regret not patenting their effective system for protecting against breaches.
Other firms are “very standoffish” and seek higher limits without committing to improving their data security, he said.
Meanwhile, the demand for cyber insurance coverage “is going to continue to be pretty high until the retailers can at least come up with solutions for the way credit card transactions are being processed in the United States,” Mr. Cottini said.
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008