Carrier Q&A: Tokio Marine HCC (NAS)
Bcp tech recently sat down with Ari Giller, Director of the Cyber and Professional Lines Group for Tokio Marine HCC (previously NAS). Ari has worked for TMHCC for eight years, leading product development, managing new business production, and consulting on large scale reinsurance programs. Ari sits in the Chicago office but handles portions of the midwest, including Kansas City.
1. As we’ve all seen in the news, cyber attacks are on the rise, which likely means cyber claims are increasing. What are you seeing in terms of claims?
“We’ve seen a huge uptick in the number of reported ransomware incidents and Cyber Crime attacks. Ransomware is nothing new, but before 2019, these ransom amounts were often small, ranging anywhere between $5,000 to $50,000. Now, however, hackers are starting to realize they can extort a lot more from business owners and are demanding higher amounts. Our most notable ransomware demand totaled over $1,000,000 and it wasn’t even on a large Fortune 500 company! Cyber Crime is problematic as well. While 99% of the businesses we insure are exposed to this type of loss, the loss amounts, and frequency of incidents used to be minor. We’ve experienced a significant increase in reported incidents (up 89% in 2018) with larger loss amounts now. Hackers are also getting away with phishing the same person (usually with accounting responsibilities) multiple times. It’s also difficult to underwrite for our Insured’s clients’ controls to mitigate significant third party crime losses. Aside from ransomware and crime, we’re starting to monitor various state and international laws, and their impact on how our Insureds collect and manage regulated data. The claim trends are difficult to predict in this coverage area, and no one really knows what the next hot button issue will be!”
2. There’s a lot of uncertainty in the market as it relates to pricing. How are you handling the “soft” market, and do you think it’s going to harden anytime soon?
Cyber has always been a soft market for as long as I can remember – with the exception of the retail/hospitality business segment in 2014 when Target and Home Depot were breached and all the major retailers were scrambling to increase their limits with very few insurance carriers willing to take on the risk. The conventional wisdom is to offer more coverage rather than cut premiums to an unsustainable level, and we continue to introduce new coverages to the marketplace. I think the market will eventually harden when a) demand increases, i.e. regulators start to crack down on companies that don’t take network security seriously – as evidenced by the record GDPR fine against British Airways, and b) supply decreases, i.e. some of the smaller, disruptive insurance MGU’s that don’t necessarily have the underwriting expertise or the claims handling ability to deal with the influx of claims exit the market or harden their rates as a response.
3. Brokers and agents are always asking for new coverages. What are you seeing as the hot new coverage requests?
California passed a new law that goes into effect January 1, 2020, called the California Consumer Privacy Act, so we’re getting requests to affirm coverage for this new piece of legislation. Other requests include voluntary shutdown, TCPA, bricking coverage, higher limits of Crime, and extension of dependent business interruption to non-IT service providers. I’ve also seen some requests to cover lawsuits for alleged ADA violations pertaining to an Insured’s website; which I see as more of a Media risk rather than a pure cyber risk.
4. Another topic dominating conversations is the war exclusion and the litigation surrounding coverage declinations on non-cyber policies. How do you view the “war” risk?
It’s complicated. The common trope you hear is that the Zurich policy wasn’t a cyber policy and that every standalone cyber policy would cover a ransomware incident launched by a nation-state. However, some cyber policies contain language where the coverage grant for acts of cyber terrorism and the kinetic war exclusion contradict. Some carriers are revising their language to clarify intent though, and given recent events, it should be a discussion at every insurance meeting. While I am skeptical of nefarious governments claiming responsibility for state-sponsored acts of cyber terrorism right now, I do think it is very possible down the road, and you don’t want any gray area in your policy when an attack does happen.
5. GDPR, CCPA, new state legislation. What should Insureds be concerned about as it relates to the ever-changing regulatory landscape?
With new legislation governing the collection, protection and “use” of personal data, it’s not enough to secure data against attacks these days. Insureds need to educate themselves on what type of information they are collecting, for how long they are storing this information, and with whom they share this information. Furthermore, are they being transparent with their customers on what types of information was collected about them? California has always been one of the most forward-thinking states when it comes to privacy matters, and I expect other states to follow suit in the near future.
5. In closing, tell us why TMHCC is different than other cyber carriers, and why Insureds should be partnering with you.
We’ve been underwriting this coverage for almost a decade now, and our expertise coupled with our innovative spirit allows us to put one of the most comprehensive policies out in the marketplace at an extremely competitive rate. Our in-house claims department is well versed with cyber matters and we’ve handled almost every single type of claim you could think of for all risk sizes; from small mom-and-pop shops to Fortune 100 companies. We’ve also introduced a security risk assessment service that we provide with every quote that scans an Insured’s website for vulnerabilities, which is proving to be a valuable conversation starter for many of the Insureds who still don’t purchase a cyber policy. We’ve partnered with the same company that provides the security assessments to also provide a robust risk management portal accessible for all TMHCC-insureds to brush up on their own security policies and practices. A lot of small business owners don’t have the vendor contacts or legal expertise to deal with cyber incidents and we want to partner with our Insureds for when a breach does happen to make sure the response is appropriate, quick, and efficient
Follow Ari on LinkedIn here
Emily consults on risk management and insurance solutions across a variety of industries, with a particular focus on technology, venture capital, and private equity risks. Emily previously worked as a cyber and technology insurance broker at one of the largest international brokers. Prior to that, Emily was practicing law, focusing on professional liability insurance defense. In addition to her Juris Doctor, Emily completed the Certified Information Privacy Professional (CIPP/US) designation and the Registered Professional Liability Underwriter (RPLU) designation. She is licensed to practice law in Kansas and Missouri and has her Kansas insurance license. Connect with Emily on Linked here