Cyber risk spilling over into tech E&O market: Betterley
The US technology errors and omissions (E&O) space is growing more rapidly than excess and surplus lines as a whole, due to rising awareness over cyber risk, according to a market survey by Betterley Risk Consultants.
Cyber risk is spreading beyond the companies traditionally targeted by attacks, such as e-commerce firms and other businesses that store troves of customer data.
Now security contractors who are supposed to help fend off breaches are worried about their own liability – and they’re starting to buy insurance protection for it.
In a report released this month, Betterley Risk Consultants surveyed 21 major insurers that offer tech E&O policies, which provide coverage for data security consultants.
Insurers surveyed include Allied World, Beazley, Chubb, Markel, Tokio Marine, AIG, Axa XL, The Hartford and Travelers.
By the end of 2019, tech E&O is likely to amount to about 13 percent of the entire E&O market, or about $1.6bn in premium, Betterley said, citing figures from ISO MarketStance.
That’s up from 12 percent in 2017, according to the report. However, rates remain largely flat, with survey information from insurers showing that most expect their competitors to reduce prices by 5 percent to 10 percent.
“The tech E&O market is an attractive place for insurers, as economic growth is faster than in other areas,” Betterley said. “However, exposures are more difficult to evaluate, at least compared with more traditional risks.”
While traditional cyber protection provides liability coverage when retailers, online entertainment companies, payment firms and other custodians of data are hit with a breach, tech E&O covers liability associated with a data security contractor failing to provide a service as promised.
Businesses buying tech E&O cover also include systems integrators, application service providers, internet service providers, network electronics manufacturers, medical technology firms and telecommunications companies, according to the report.
“The crush of data breaches affecting the clients of technology service providers is having an effect on the tech E&O line” as data security or forensic services providers are increasingly being considered liable for failing to prevent or remedy cyber attacks or other security threats, Betterley said.
“While most of the news has been about data breaches suffered by site owners, technology service providers have been – or ought to be – concerned about their own exposures.”
That concern has ramped up in recent years after a lawsuit filed in Nevada in 2015 by casino operator Affinity Gaming against Chicago-based Trustwave Holdings, which “represents itself as a firm that is highly experienced and capable in the field of data security”, according to Affinity’s complaint.
Affinity said it experienced a data breach in October 2013, which it reported to its cyber insurance carrier, Ace.
Ace recommended Affinity retain the services of a professional data forensic firm, listing Trustwave as a possible provider, according to the complaint.
After hiring Trustwave to perform a forensic investigation and recommend security fixes, and implementing those changes, Affinity found evidence of continuing hacker intrusion. Another data security firm “determined that Trustwave had failed to identify the entire extent of the breach”, according to the complaint.
Affinity sought more than $100,000 in damages for fraud, breach of contract and negligence, among other claims. The case settled in December 2016 on undisclosed terms.
The lawsuit made it clear to technology service providers that they could be sued for work associated with trying to prevent or implement new security measures in the wake of breaches, according to the Betterley report.
“Cyber exposures of tech companies make demand for this coverage stronger than in the past, and lawsuits by hacked clients will make the purchase even more compelling,” the consultant said. “Lawsuits such as that brought by Affinity Gaming and its cyber-security provider Trustwave will become more common.”