An Abbreviated History of Cyber Insurance – The First Twenty Five Years
By Michael A. Rossi, Esq. - Winter 2024
Introduction
I graduated with a B.A. in History in 1988 before going to law school. I continue to this day to read History books. I love “Abbreviated Histories of X”, typically about a particular country or region of the world. So I thought I would take a stab at doing such an “abbreviated History” for Cyber insurance. This article is the result.
To prepare this article, I reviewed my files on the policy reviews, conference presentations and articles I have produced during the past 25+ years, to piece together my experiences with Cyber insurance. I was struck in many ways by what I found, and was excited to put pen to paper to discuss my thoughts. My hope is that insurance professionals who currently work in the space get some value from this article.
A few caveats at the outset, like I see in all History books I read. First, this summary is one person’s view, and is skewed to my personal experiences. I am an insurance coverage lawyer who represents Fortune 500 companies, FTSE 100 companies, and large private companies on various insurance matters, as well as insurance brokers who service Fortune 1,000 companies and middle market companies, both public and private. So this article is limited to the world of Cyber insurance from my perspective – what I witnessed as a coverage lawyer the past 25+ years: (a) advising and working with my risk manager clients with regard to a variety of risks, including cyber risks, (b) brainstorming with insurance brokers and underwriters on how to develop Cyber insurance coverages and wordings that companies want in order to make the insurance product viable for their perception of their risks, (c) speaking at conferences in the US, Europe and Australia, with risk managers, insurance underwriters and insurance brokers, (d) negotiating Cyber insurance policy wordings for my corporate and broker clients, and (e) reviewing and negotiating Cyber insurance requirements in contracts for my corporate clients. The foregoing I think provides a type of window into the History of Cyber insurance, but a skewed window for sure.
Second, the dates I use for the major developments that I chose to discuss for this article are somewhat of an artificial construct, in order to give some frame of reference and to allow me to discuss issues in a particular order. For some insurance professionals, their views on key dates of some of the developments I describe are going to be different. This dynamic is true of most histories, where there are not necessarily abrupt time changes, but rather issues and subjects blend across the various date categories used by the author of the history.
Third, I have intentionally omitted the specific names of insurance companies, underwriters, brokers, etc. who pioneered this line of coverage in the late 1990s and early 2000s. There were only a few of us doing this at a really high level, and we all know who we are. But, if I added such detail, I am sure I would unintentionally offend those insurance companies and natural persons I did not name, so I would rather avoid that risk, and let everyone focus on the substance of what I am describing, rather than the names of the insurance companies and persons I list, or do not list.
With these caveats in mind, I provide my perspective of how Cyber insurance began 25+ years ago and key aspects of its development for the past quarter of a century.
Initial Market Reaction to Cyber Risks – Late 1990s
Insureds started having cyber losses in the late 1990s. One of the most high-profile losses was the loss sustained by Ingram Micro in the late 1990s. Ingram Micro’s computer network had proprietary-programmed software on it that was key to making it work. That software got corrupted, and the computer system was essentially shut down. It took several days to restore the custom programming. As a result, Ingram Micro sustained business interruption losses and extra expenses. Ingram Micro submitted a business interruption claim to its commercial property insurer. The insurer denied coverage. The insurer sued, and Ingram Micro prevailed. See American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000). This is just one example of actual cyber losses that were being sustained, and thought of as cyber risks, in the late 1990s.
As a result of the reality of this new risk, a few insurers introduced stand-alone cyber insurance policies into the market. The below discusses my initial views and experiences with this brand-new product.
If you were to look at my early writings on Cyber insurance coverage issues, I was saying very loudly that stand-alone Cyber insurance was not needed, that at the time I could amend various insurance policies to address all of the risks I was seeing in the stand-alone Cyber insurance policies. I was writing articles, and giving speeches, promoting that view, perhaps, and admittedly, in a somewhat controversial manner.
And the few times my clients looked at these new stand-alone Cyber insurance policies, many hurdles got in the way of pursuing an initial placement, including, but not limited to, the following.
First, the underwriting requirements, for the most part, were impossible to satisfy. The insurers wanted too much information that the insureds could not provide.
Second, potential buyers were very skeptical, asking brokers to prove that the insurance would actually pay out. That standard was impossible to meet in the late 1990s, because at that time no claims or losses had been adjusted yet under stand-alone Cyber insurance policies.
Third, IT Departments were hostile to this subject matter, and hostile to risk managers asking for underwriting information. No way were they going to permit “penetration testing”. They also believed that insurance was a waste of time, for a number of reasons. I have never witnessed such a dynamic in my 30 years of being a coverage lawyer. My risk manager clients, faced with unreasonable underwriting requirements, and IT Departments that had no interest in sharing information, were stuck in the position of taking a wait and see approach. Indeed, one of the subjects I went into in detail during my presentations and articles in the early 2000s after I had changed my views on stand-alone Cyber insurance was “best practices”, based on what I had seen by some of my risk manager clients, regarding how a risk manager should “partner” with their IT Departments to get them to cooperate with underwriting requirements for Cyber insurance.
Fourth, many of the carriers would not cover so-called “wild virus”, but rather would cover only direct attacks. Ironically, this same issue came up again in the past couple of years, under a different name, and rather than seek to exclude this risk, insurers seek to impose limitations in coverage for such risk.
For all of the above reasons, many insurance professionals, including me, had doubts in the late 1990s that stand-alone Cyber insurance was a viable product.
Stand-Alone Cyber Insurance Viability Established – Early 2000s
The views held by many insurance professionals, including me, changed just after 2000. Below are some of the reasons for the change.
First, in 2001 ISO amended the CGL form, by either an endorsement or revised form, to expressly state that computer data is not tangible property. That was a big “oof” moment.
Second, it was becoming clear to many insurance professionals, including me, that the patch-work approach we relied upon in the late 1990s by amending existing types of insurance was not optimal compared to what was available in the evolving stand-alone Cyber insurance market. We were seeing the major gaps and deficiencies even with enhanced Commercial Property insurance, Commercial Crime insurance, K&R insurance, etc. The coverage was narrow, the waiting periods were unreasonably long, the sublimits were too low, etc. And relying on CGL and Umbrella policies had now become problematic given the ISO change noted above.
Third, underwriting requirements relaxed, greatly. Now it was much easier to satisfy underwriting requirements, especially given the IT Department development described below.
Fourth, IT Departments started changing their views on cyber risk. They started recognizing the value of cyber insurance, at least for third-party liability claims risk. Most IT Departments still had strong views on the lack of the need for coverage for loss of or corruption of data, business interruption and extra expense. Why? I heard the same argument every time, “We don’t have that risk, because we have mirroring systems, back-ups, redundancies, etc.” I am not a computer expert, but rather an insurance coverage expert, so I was not able to challenge such positions. My risk manager clients also were not able to challenge such positions. But the key point here is that IT Departments’ views on the value of Cyber insurance for at least liability risks, and their new willingness to cooperate with insurers and risk managers to satisfy underwriting requirements, changed enough to help get the product going.
So Cyber insurance became viable. This was an exciting time to see this development. It was still limited though, as explained below. But it was viable.
Early Days in the Cyber Insurance Market – Early 2000s up until Just before 2010
In the early 2000s, for all of my Cyber insurance engagements, not a single one was for a brick and mortar manufacturer. It was all Tech companies, Media companies, Financial Institutions and the like. And by Cyber insurance, I mean both endorsements that were added to Tech E&O, Media Liability and other types of E&O policies, as well as stand-alone Cyber insurance policies.
Also, all of the policies I negotiated in the early 2000s for my corporate clients were with one of three carriers. Yes, only three carriers were doing all of the primary Cyber insurance placements for my clients. And the underwriters at these three carriers were very limited in number, and the insurance brokers around the US who were servicing my corporate clients at this time were the same small group of people at just a few of the brokerage firms in the country. Compare that very small number to the many insurers today, and thousands of insurance professionals who dedicate their careers to Cyber insurance today, and that is a truly staggering statistic. Wow!
At this time in the market, the brokers with whom I was working and I were coming up with 50+ items of wording changes in “wish lists”. The underwriters worked through all of the issues. We did not get 50+ changes. But we got a lot. Endorsements were crafted, and a lot of manuscript policies were written. It was a great time to be negotiating policy wordings for Cyber insurance coverages, either in stand-alone policies or endorsements to Tech E&O, Media Liability and other E&O policies.
Also at this time, the vast majority of coverages that we were negotiating changes to off-the-shelf policy wording focused on liability coverages for third-party claims, and so-called “first-party costs” like credit monitoring and other expenses incurred to deal with third-party claimants or natural persons affected by a security breach of their personally identifiable information.
Yes, we also negotiated coverage wordings dealing with loss or corruption of data, in terms of expenses incurred to restore or replace lost or corrupted data, the costs to reengineer lost or corrupted data, and costs incurred to determine that the lost or corrupted data could not actually be restored. There were wordings/coverages that some carriers did not have in their off-the-shelf forms, and we would negotiate into the policy the better wording, either by endorsement or in manuscript policies.
But we spent very little, if any, time trying to negotiate the other “first-party loss” coverages, like business interruption and extra expense. Why? Two reasons. First, at this time, a lot of IT Departments saw no need for business interruption and extra expense coverage. The arguments we heard were the same as before. “There is no risk here, because we have back-ups, redundancies, mirroring, etc.” Second, many risk managers had one or both of the following views: (a) because my IT Department sees no value, I’m not going to fight that fight, and will just focus on Cyber insurance coverage/wordings for liability for third-party claims, and other items like credit monitoring costs; and (b) business interruption and extra expense insurance is the wrong way to address this issue, because the risk is damage to our reputation, which you can’t insure.
Let me focus on this point (b) a bit. I distinctly remember participating in a roundtable discussion for an insurance magazine article on the emergence of Cyber insurance in the early 2000s in Paris. I was the only lawyer at the table. Everyone else was a risk manager of a UK-based or Europe-based multinational company. The reporter was asking questions. The risk managers all had the same view – insurance is useless to deal with the real risk of damage to brand reputation. So talking about Cyber insurance to address business interruption and extra expense loss was a waste of time. In their mind, risk control, business continuity planning, etc. were the only meaningful risk management techniques that had any value for certain types of cyber risks (those involving business interruption and extra expense). But they all agreed that Cyber insurance was meaningful for insuring against third-party claims.
The views I saw expressed at that Paris roundtable discussion were echoed at industry conferences I was attending all throughout the US, and also in the UK, Europe and Australia.
And speaking of industry conferences, at this time, I saw all the same people at these conferences – they were all just the speakers. The same underwriters, brokers, lawyers and consultants.
I kept asking the question: Why are there no buyers attending these conferences? When are a lot of companies, rather than just the few we all knew about, going to start buying Cyber insurance? The answer given to that question stuck in my mind, and proved prescient. A well-known Cyber insurance underwriter provided the answer, which is explained below.
Two Huge Developments Occurred Just Before and/or Just After 2010 - Cyber Insurance Purchase Explodes
One of the questions I was asking at all the industry conferences I was attending was, “What has to happen for companies to start buying this insurance in meaningful numbers?” That question was answered by a particular well-known underwriter at an industry conference. His views were shared by others. The answer? He said that Cyber insurance uptake by companies would explode once companies started requiring in their contracts that the other party to the contract maintain Cyber insurance.
That is exactly what happened a couple of years before 2010. I remember this because my corporate clients were asking me to draft Cyber insurance requirements in contracts, where they were requiring the other party to the contract to maintain Cyber insurance. I also was being asked to review and revise Cyber insurance requirements for my clients in contracts where the other party was requiring my client to maintain Cyber insurance. It cannot, in my view, be overstated how much this helped the Cyber insurance market grow into what it is today.
Another major development happened just after 2010 – Cyber insurance became a Board Room issue for corporate America. How do I know? Several of my brick and mortar clients reached out to me to ask for my assistance on their “initial placements” of stand-alone Cyber insurance. I asked what prompted their query. The answer was the same, “The Board is requiring me to buy Cyber insurance.” But what was fascinating was the sort of disconnect between why the Board wanted the risk manager to buy Cyber insurance, and what the risk manager, legal and IT Departments concluded after conducting risk assessment to prepare for the purchase of Cyber insurance. For that, see below.
Major Shift in Companies’ Risk Perception and IT Departments’ Views on Cyber Insurance – Period Between 2010 and 2015
Right around 2010 and 2011, I was doing two-day long Cyber insurance presentations sponsored by International Risk Management Institute (“IRMI”). IRMI would pick three cities in the US, one on the West Coast, one in the mid-West and one on the East Coast, and I would discuss Cyber risks, Cyber insurance, and how to manage Cyber risk transfer issues in contracts (via Indemnity, Limitation of Liability, Consequential Damages Waiver and Insurance provisions) over a one-and-a-half-day agenda. The insurance portion of my presentation was highly weighted to liability insurance issues for third-party claims risk, and regulatory proceedings risk. That was about 75% of my insurance presentation. And only 25% of my insurance presentation was spent on coverage for lost data, business interruption and extra expense coverage issues. That is because, up to that point, all of my corporate clients were not interested in business interruption and extra expense coverage, for the reasons explained above.
But my perception changed dramatically in 2012, when I gave a one-hour long presentation at a major industry conference attended by more than fifty risk managers of large US corporations. My presentation was modeled off of my IRMI seminar presentation, 75% of my time spent on liability insurance, and 25% of my time spent on business interruption and extra expense. After my presentation, several of the risk managers asked why only 25% of my presentation was allocated to discussing business interruption and extra expense risk. I explained that it was because my clients were not interested in those coverages, just the liability insurance coverages. The reaction stunned me. It was almost like, “Um, where have you been the past few years.” The majority of risk managers in the room all had the same view – that for large brick and mortar manufacturers, they were way more concerned about business interruption and extra expense risk than privacy risk related to personally identifiable information. That was eye opening!
This observation was reinforced by two client engagements a few months after I did that presentation. In the same year I had two different Fortune 500 manufacturers ask me to help them with their initial placement of a Cyber insurance program. Each story I heard was the same – the Board asked if we had Cyber insurance, we said no, the Board said “get it now”. The Boards of both companies were responding to the perceived need for Cyber liability insurance due to high-profile cyber incidents that were giving rise to class action privacy lawsuits. But the risk assessment done by a team of company personnel consisting of in-house legal, risk management and IT department personnel came to the conclusion that privacy liability risk was minimal, and instead business interruption and extra expense risk was material. So I was instructed to put most of my efforts into expanding the coverage for lost or corrupted data, business interruption and extra expense.
At the same time I was hearing this from risk manager clients and friends, I also saw another “sea change” development. It was at this time that IT departments’ views shifted. Gone was the sense of “We are impervious to business interruption and extra expense risk because we have back-ups, redundancies and mirroring systems”. That sentiment was replaced with, “Okay, we can see the value in buying insurance for lost or corrupted data, business interruption losses and extra expenses, how can we help?” When you compare that view to the view just 10 years earlier, the difference was staggering.
Bifurcation of the Market Regarding Policy Wording Negotiations – After 2015 to the Present
I cannot put a specific date on the development I describe here, and it was a gradual evolution of the market. But after 2010, and slowly increasing pace every year thereafter, several carriers started limiting wording changes they would make to their policies based on the retention and premium for the policy.
This dynamic increased to the point where, for the most part, the policies became somewhat “commoditized” once the premium and retention for the policy reached a certain relatively low amount.
And I am not talking about the Cyber insurance platforms that were intentionally developed on a commoditized basis for extremely small premiums. I am talking about the approach to policy wording negotiations adopted by the three carriers I described above as the only three carriers writing all the Primary Cyber insurance policies for my corporate clients in the early 2000s, and all other carriers that by now had entered the Cyber insurance market.
To put this point into perspective, I work on Cyber insurance policies that have SIRs of $20 million or more, but also on Cyber insurance policies that have SIRs as low as $250,000. As I am sure is not surprising, I can negotiate broader wording in a policy that has a $20 million retention, versus a policy that has a $250,000 retention. And policies with SIRs below a certain point are just commoditized on policy wording. The point I am trying to make is that in the early 2000s, I did not see such a bifurcation. I was able to negotiate the same amount of policy wording changes regardless of the retention at issue.
The Hard Market that Began in 2021
Beginning in the last quarter of 2019, the D&O market entered its latest hard market cycle. Something we had seen before, in the mid-1980s, then 2002-3 and 2008-9. That D&O hard market was in full tilt in 2020.
It was about a year after the D&O market started getting crushed that the Cyber insurance market entered a truly remarkable hard market. Some of the things I experienced on Cyber insurance renewals in 2021 and 2022 I had never experienced in any D&O hard market.
First, the underwriting requirements increased dramatically. Not to the point of what I describe above with respect to underwriting requirements in the late 1990s. But to the extent that it revealed something that I thought was fascinating. It became clear to me that some Fortune 1,000 companies were really up to date on cyber security processes and protocols, to protect against and respond to cyber risks, whereas some Fortune 1,000 companies were far, far behind the times. And for the companies in this latter category, it was hard for them to even maintain their cyber insurance programs. One of the interesting side-effects of this phenomenon is that the increased underwriting requirements for those companies that had to maintain their Cyber insurance to meet contractual requirements caused several companies to greatly beef up their cyber security processes and protocols. I know because I saw how their responses to underwriting questions changed year-over-year.
Second, because of the above dynamic, I could not negotiate policy wordings on the majority of my clients’ cyber insurance programs during this hard market. The vast majority of time spent on the renewal was to satisfy underwriting requirements. I would participate in the renewal discussion calls, and it would become clear to all on the call that there was no use in asking for coverage enhancements at renewal. All efforts had to be put into satisfying underwriting requirements, and minimizing year-over-year premium increases.
Third, several of my clients pondered whether they should simply non-renew their Cyber insurance. They would say, straight up, during the renewal strategy meetings, “Let’s just non-renew, this product is becoming non-viable.” That was probably just an emotional expression of frustration. Because the insurance broker and I would remind the client that for years the company had entered into contracts that required them to maintain Cyber insurance, so non-renewing the coverage was not an option. What was an option, and what I did see happen, is this. For some clients, they did an audit of their contracts to determine the highest amount of Cyber insurance they were required to maintain by contract, and then they renewed only that limit, which was lower than the limits of Cyber insurance they had been buying. I had seen one of my technology clients do that once before in the mid-1990s with their Tech E&O insurance, so I could understand why I was seeing that during this hard Cyber insurance market.
Fourth, and finally, in my view, the hard market did not last too, too long, and we got through it. And, in comparison, my experiences with the D&O market from the last quarter of 2019 to mid-2022 were in some respects much worse. But the hard market is over, the clouds have parted, and the cycle of insurance continues.
Where Are We Today in 2024?
What are some of the things I am thinking about now, in 2024, for this line of coverage?
First, the Cyber insurance market is, and has been for several years now, a mature and dynamic market that is here to stay. Indeed, as noted above, we already are witnessing hard market and softening market cycles, just like we observe in other mature lines of coverage.
Second, some old concepts have resurfaced, albeit, rebranded with different names. The “wild virus” risk has been re-named into “widespread event” – same issue, different name, different treatment. Now, rather than exclude the risk altogether, like some carriers were doing in the late 1990s, some carriers are trying to move the market to limit their exposure, to manage risk aggregation issues. Again, same concerns as 25+ years ago, just a different approach for carriers to manage their exposure to such risk.
Third, the role of IT Departments in connection with Cyber insurance has changed dramatically over the last 25 years. If you look at several of the passages in this article, I talk about the views of IT Departments in the late 1990s, then the early 2000s, then after 2010. Their views, and their role, had a huge impact on the development of Cyber insurance. And now, something I never thought would happen, on some of my Cyber insurance renewals, senior IT Department personnel participate in the renewal strategy meeting, discussion of policy wording changes, discussion of different insurance coverage options, and renewal results meetings. What an incredible change in the past 25 years!
Fourth, market disrupters are negotiating terms/conditions for smaller companies with relatively low retentions. This is important, because after years of policies becoming more or less “commoditized” for programs that have relatively low premium and relatively low retentions, there is now at least one carrier that is willing to negotiate policy wordings for such policies like I saw in the early 2000s. Competition begets competition, and I am seeing some of the veteran insurers having to respond to this market disrupter by removing sublimits and lowering retentions but not, as of yet, negotiating policy wording like they used to prior to the “commoditization” I witnessed.
Fifth, new issues will always arise, and the market will react. I already am seeing problems created by SEC reporting requirements, and companies attempting to comply with Item 1.05 of Form 8-K. This includes inter-company debate on when to report under Item 1.05 (“Material Impact Incident”) vs. Item 8.01 (“Other Events”). I am seeing some carriers over-react when a company files under Item 1.05 but just as easily could have reported under Item 8.01 because the company had not yet made a determination that the cyber incident would materially impact the company. We are in the very early days of this issue, but I foresee a lot of attention being paid to it in the coming months.
Sixth, and finally, Cyber insurance, as a product, will continue to evolve as new types of risks arise, court decisions interpret policy language, etc. Look at the growth in risks in just the past few years, all of which have caused, or are currently causing, Cyber insurance policy wording to evolve – GDPR and compliance risk; bricking risk; full supply chain contingent business interruption risk; and cybersecurity risk, like NIS2. These are concepts that were not even thought about 20 years ago, let alone addressed with express language. And, as more coverage disputes result in coverage litigation, court decisions will cause further refinement of policy language. It is the same dynamic seen on all lines of insurance once they get past a certain age, and Cyber insurance has passed that time barrier.
Concluding Remarks
I wanted to conclude with some final remarks. What I witnessed the past 25+ years for Cyber insurance, is similar to what I witnessed the past 30+ years with Pollution insurance, Employment Practices Liability insurance, and “entity coverage” for D&O insurance. An abbreviated History of those insurance product developments would, I am sure, also be fascinating.
Insurance developments like these and others just go to show that insurance is an exciting and dynamic industry that can provide a very fulfilling career to anyone who is willing to put some time and effort into their work.
But with regard to the History of Cyber insurance, I hope that anyone who has read this article gets at least some enjoyment from it, if not also some useful information from it that actually helps them in their own Cyber insurance practice.
Michael Rossi is the author of this article and can be reached at mrossi@inslawgroup.com