A material threat to design firms’ operations and liability comes from exposures created by the connectivity of a company’s computer network and devices to the outside world, possession of confidential or valuable documents, and the vulnerabilities caused by human errors and missteps in the electronic realm. Those firms who fail to appreciate these increasing cyber dangers can (a) just look to the recent experience of others in the industry to see the potentially damaging results and (b) expect to suffer losses. Cyber insurance serves as a mechanism to transfer these risks to the commercial insurance marketplace, but many firms ask: what coverages and limits do we really need? In this article, we’ll outline considerations and provide comparisons to help your firm make reasonable and prudent decisions in purchasing cyber insurance.
Cyber insurance products encompass a variety of coverages to transfer the risk of various network security and privacy threats and exposures. Those various coverages fall under two distinct pillars of cyber insurance: first-party protection and third-party protection. A well-structured cyber insurance solution will provide broad reach under both pillars. Third-party liability coverages include protection for damages a firm may face because a cyber actor infiltrates the firm’s system in a manner that causes losses to a third party, such as a client whose computer system is electronically networked with the insured firm’s. Other common third-party liability cyber coverages include loss, destruction, or corruption of a third party’s electronic data (which may comprise loss or theft of physical documents in violation of a confidentiality agreement, depending on the language of the insuring agreement). Policies typically cover a firm’s liability for credit monitoring, breach response costs, and other damages (including fines) created by statute when those expenses are borne by a third party (or by the insured in the case of regulatory penalties).
Cyber insurance can also provide protection for a firm’s first-party losses, such as the costs of investigating and restoring a computer system outage, engaging legal counsel, notifying impacted individuals and instituting monitoring required by law, recovering or repairing damaged data owned or possessed by the insured firm, satisfying ransom demands from cyber terrorists, and covering lost income when networks and systems are hijacked pursuant to a ransomware attack. Many policies also contain a level of cover for money lost through “social engineering” of a firm’s employees (i.e., a bad actor tricking someone through electronic means to give up money or information) – though this coverage is often sub-limited. Purchasing both first-party and third-party coverages is not required to buy cyber insurance, but it is highly recommended from a risk management and transfer standpoint. In Greyling’s experience representing design firms, the majority of claims covered by cyber insurance are first-party losses to the insured design firm caused by ransomware (described further below in Section 2.A). Still, many firms purchase only third-party cyber liability coverages and forego the additional premium of including first-party coverage.
The cyber insurance market is still relatively young. The first cyber policies were issued around 15 years ago. The market has matured in the sense that (1) many insurers now offer cyber insurance and (2) claims are common, so brokers and insureds have more data available today regarding the prevalence and magnitude of different cyber claim scenarios, as well as claim handling experience with different cyber insurers.
The cyber insurance market has considerably hardened in the past 18 months as the COVID-19 pandemic necessitated more remote working and an increase in cyber threats. With the heightened vulnerabilities caused by remote workers – many of whom are on unsecured networks and devices without the most updated cyber security measures implemented – claims have followed. Ransomware events, which have been the primary driver of large losses in cyber insurance, are up over 300% since Q1 2020. Greyling has seen a marked uptick in the frequency of reported cyber claims since the beginning of the pandemic and a dramatic increase in the magnitude of paid claims, with several exceeding $1 million. Not surprisingly, the cyber insurance market, which is now bearing the weight of those large claims compared with relatively low premiums for many years, is reacting with more careful scrutiny of underwriting information, limitations on coverage terms, and substantial rate changes.
These hardening conditions have intensified since July 1, 2021, with several cyber insurers significantly limiting the amount of insurance, or capacity, they are willing to provide to a single insured or across their entire client book. Rate increases, which were hovering in the low double-digit range for firms without material claims activity, have jumped into the mid double-digit and even triple-digit range, as many cyber insurers have sought to reset their programs with new minimum premiums of $5,000 per million of coverage for smaller firms and higher minimums as firms move up across tranches of firm size (e.g., $10M - $20M, $20M - $50M, etc.). It is not unusual right now for a smaller firm that has historically paid just a few thousand dollars in cyber premium to see renewal premiums in the $5,000 to $15,000 range depending on limits purchased. Larger firms are also seeing higher premiums but not at the same rate change percentages. Some insurers are also limiting coverage by adding sublimits or decreasing the levels of existing ones, including a new but very problematic sublimit from a few insurers for ransomware events, which is the biggest threat Greyling is seeing for its design firm clients.
While the majority of design firms now recognize that cyber insurance is necessary as a part of holistic risk management and transfer, many still may not purchase cyber insurance with limits that are reasoned and appropriate for the rapidly evolving risk landscape. Many firms begin purchasing cyber with a “starter” policy of $1 million. The policy should have third-party and first-party coverage, though many neglect the latter. As a firm grows and becomes more comfortable with the coverage and risk, firms often move up in limit in $1 million increments in the $2 million to $5 million range. Smaller firms (under $5 million in gross revenue) sometimes begin with $500,000, or even $250,000, in cyber coverage. These limit choices are often predicated on feel and premium cost rather than a specific analysis.
This section will provide some considerations for firms to reflect on when making the critical decision on how much cyber insurance to buy. The good news for all firms is that cyber insurance is relatively inexpensive, with cyber insurance premiums for Greyling clients averaging no more than 3% of the premium that design firms pay for professional liability, workers’ compensation, commercial general liability, business auto, and umbrella/excess liability coverages combined. Even after rate increases dictated by the market noted above, cyber premiums are a small portion of a firm’s annual insurance budget. Increased limits, though more in premium, also generally represent small expenditures on a raw dollar and percentage basis. Below are the factors firms should consider in purchasing cyber insurance limits.
The most common “severe” claim Greyling has seen with our professional services clients involves a complete firm computer lockout caused by ransomware followed by a period of network restoration and data collection or repair. The ransomware portion of such an event is material, with initial demands typically in the 1% to 3% of gross revenue range and, in Greyling’s experience, final ransom payments after negotiation of approximately 1% of gross revenue. Even if a firm and its cyber insurer elect to pay an extortion demand and rely on the “honor among thieves” to unlock an encrypted system, the restoration period often takes days, if not weeks. Assuming a worst-case scenario of approximately three weeks from start to finish of the ransomware event, one might approximate a realistic catastrophic business interruption event — where no work can be performed on computers for three weeks — as equating to something like 6% of annual gross revenue, plus the cost of the ransom itself and the expense of professionals working to restore, test, and secure the network and data. Many IT professionals are confident that network restoration can occur in two weeks or less – equating to a figure in the 4-5% of gross revenue range with ransom, restoration, and forensic expenses. These general rules of thumb should be considered when buying first-party cyber limits.
Building on the calculations presented above, many firms are also curious as to what their peers are choosing with respect to cyber insurance purchasing. Below is a rough analysis of Greyling clients and their cyber insurance decisions. Over 95% of Greyling clients above $10 million in gross revenue buy cyber insurance, while roughly half of smaller firm clients currently choose to insure against cyber exposures.
| Firm Size | Cyber Limits Range | Range of Cyber Limit as a % of Gross Revenue |
|---|---|---|
| Under $10 Million | $1,000,000 - $2,000,000 | 15 – 23% |
| $10 Million - $25 Million | $1,000,000 - $3,000,000 | 9 – 12% |
| $25 Million - $50 Million | $1,000,000 - $3,500,000 | 4 – 7% |
| $50 Million - $100 Million | $2,000,000 - $4,000,000 | 3 – 6% |
| $100 Million - $200 Million | $3,000,000 - $7,500,000 | 2 – 4% |
| Over $200 Million | $5,000,000 + | 1.5 – 3% |
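To make the ransomware rule of thumb above and the peer purchasing table usable side by side, here is an added worked estimator (example code written for this article, not Greyling’s own model). It assumes business interruption of 2% of annual gross revenue per week of full lockout (the article’s 6% for three weeks), a negotiated ransom of 1% of gross revenue, and a restoration/forensic cost that the article does not quantify, so it is taken as an input; the revenue brackets are treated as half-open intervals, which is also an assumption.

```python
from dataclasses import dataclass

# Rules of thumb from the article: roughly 2% of annual gross revenue per week
# of complete lockout (6% for a three-week event) and a negotiated ransom of
# about 1% of gross revenue. Restoration and forensic expense is not quantified
# in the article, so it is passed in by the caller.
BI_PCT_PER_WEEK = 0.02
RANSOM_PCT = 0.01

# Peer purchasing table from the article: (revenue upper bound, low limit, high limit).
# Bracket boundaries are assumed half-open: a firm belongs to the first bracket
# whose upper bound its revenue is strictly below.
PEER_LIMITS = [
    (10_000_000, 1_000_000, 2_000_000),
    (25_000_000, 1_000_000, 3_000_000),
    (50_000_000, 1_000_000, 3_500_000),
    (100_000_000, 2_000_000, 4_000_000),
    (200_000_000, 3_000_000, 7_500_000),
    (float("inf"), 5_000_000, float("inf")),
]


@dataclass
class Estimate:
    business_interruption: float   # lost income over the outage
    ransom: float                  # negotiated payment (~1% of revenue)
    restoration: float             # caller-supplied restoration/forensics cost
    total: float                   # estimated first-party loss
    peer_low: float                # low end of peer limit range for this size
    peer_high: float               # high end of peer limit range for this size
    shortfall: float               # how far the purchased limit falls below total


def estimate_first_party_exposure(gross_revenue, outage_weeks,
                                  restoration_cost, purchased_limit):
    """Estimate a catastrophic ransomware loss and compare it to the purchased limit."""
    bi = gross_revenue * BI_PCT_PER_WEEK * outage_weeks
    ransom = gross_revenue * RANSOM_PCT
    total = bi + ransom + restoration_cost
    peer_low, peer_high = next(
        (lo, hi) for cap, lo, hi in PEER_LIMITS if gross_revenue < cap)
    return Estimate(bi, ransom, restoration_cost, total,
                    peer_low, peer_high, max(0.0, total - purchased_limit))


if __name__ == "__main__":
    # Constructed example: a $20M firm with a $1M "starter" policy,
    # a three-week worst case and an assumed $150,000 restoration bill.
    print(estimate_first_party_exposure(20_000_000, 3, 150_000, 1_000_000))
```

For the constructed $20M firm the estimate lands at $1.55M against a $1M limit, which is inside the peer range for that size but still short of the worst-case loss, the gap the article warns about.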
Given the recognized multiplication of exposures and claims since March 2020, many firms are increasing limits, or taking Greyling’s long-standing recommendation to buy cyber insurance with first-party coverage included if the firm currently does not procure that coverage. That said, many firms in the A/E industry are likely underinsured for severe first-party losses if the firm only buys $1 million in coverage, as many firms still do.
The liability to third parties insured by a cyber insurance policy is similar to, and often related to, the third-party liability coverage provided to a design firm under its professional liability policy. In fact, many professional liability insurance policy forms contain some form of third-party cyber coverage in recognition that modern professional services often involve computer-based work that folds cyber exposures into professional exposures. This third-party exposure is particularly difficult to quantify because there is a lack of historical third-party losses in the design industry that are properly considered cyber losses. Nonetheless, the exposure is present and, at some point, we’ll see a significant third-party claim demanding reproduction of corrupted or lost data, re-design of sensitive leaked designs, economic damages from release of confidential information, or breach response and notification for the client of an insured design firm. Greyling’s belief is that this exposure will one day approach that of professional liability with respect to quantum and limits, though as long as many professional liability insurers provide “excess” third-party cyber coverage, the standalone cyber placement will not need to factor in the third-party exposure and can remain focused on a firm’s first-party exposure.
One interesting, yet relevant, way of assessing cyber limits is to compare those limits to a firm’s per claim professional liability limits. Smaller firms (under $20 million) in Greyling’s client base purchase, on average, 30-40% of their professional liability limits in cyber limits (e.g., a firm buying $5 million in professional liability would average $1.5 million to $2 million in cyber limits within this size grouping). Larger firms tend to buy between 20% and 30% of professional liability limits in cyber limits.
Another aspect of cyber exposure involves the statutorily mandated breach notification, fines, penalties, and credit monitoring expenses associated with a breach. To determine a realistic damages expectation for these cost buckets, one must understand a firm’s possession of protected information, which generally falls into three categories – personally identifiable information, protected health information, and credit card payment information. Fortunately, few design firms have many records in their possession that constitute this information (for many, a firm holds only the personally identifiable information of its employees). Thus, these potential damages are relatively small compared with the other exposures discussed above. That said, if a firm has network connections to certain types of clients (e.g., hospitals and other healthcare providers, consumer products companies, banks, or retailers), the firm may have latent third-party exposure for these types of damages.
Finally, the prospective loss of funds due to a social engineering loss must be weighed in the context of average cash balances, typical electronic transfer sizes, and protocols in place related to the same. Cyber insurance often provides a small sub-limit for lost money resulting from social engineering or fraud – commonly in the $100,000 to $250,000 range. If a firm regularly undertakes electronic transactions in excess of these sublimits without robust verification protocols and without a commercial crime insurance policy in place with adequate limits, then the typical cyber insurance social engineering sublimits are inadequate and need to be adjusted.
The experience of firms, and their largely remote work forces, during the COVID-19 pandemic has demonstrated the reality of cyber threats and the significant first-party exposure all firms face. Fortunately, proper cyber insurance effectively transfers the risk of first-party cyber claims to an insurer and positions a firm to respond with forensic resources, legal counsel, and breach response, notification, and restoration. The calculus for assessing cyber insurance limit needs is challenging to specifically define, but the claims history and purchasing decisions of peers are instructive. After a reasoned analysis, many firms may find it is time to purchase more cyber insurance limit in today’s environment, despite the rising premium rates in the market.
Kent Collier is a Senior Vice President with Greyling Insurance Brokerage & Risk Consulting, a division of EPIC