Credit card payment processors, national retail chains the most ‘hazardous’ cyber insurance clients

Nearly half of insurance professionals recently surveyed said either credit card payment processors or national retail chains are the “most hazardous” classes of business to insure for cyber risk, but only 4% said regulatory or Payment Card Industry compliance was the most important information to consider when underwriting that risk, according to a recent report commissioned by Verisk Analytics Inc.’s ISO unit.

The survey, conducted in August by Hanover Research, initially included 271 respondents who were employees of insurers, but 156 were screened out after they reported their firms did not offer cyber coverage.

“When asked which classes they consider to be the most hazardous to insure, nearly three quarters of respondents are evenly split among credit card payment processors, financial institutions, and national retail chains,” Hanover Research reported.

One in four said credit card payment processors were the most hazardous to insure, while 23% said banking and other financial institutions, 23% said national retail chains, 14% said hospitals and health systems, 7% said colleges and universities, 5% said health information exchanges and 3% said other.

But when asked what information they consider to be the most important when underwriting cyber risks, only 4% of respondents said “regulatory and PCI compliance,” alluding to standards issued by PCI Security Standards Council LLC, a Wakefield, Mass.-based forum representing merchants, banks, processors and vendors.

Nearly two-thirds of respondents to the survey described underwriting as their job function, while 13% were in product development and research and 9% were involved in regulatory filings. The remaining 10% included actuarial, marketing, legal and analytics staff, among others.

One in four respondents said “enterprise risk management philosophy” was the most important factor when underwriting cyber risks, while 23% said it was the nature of records or data stored. About one in six (16%) said security tests or audits were the most important, 15% said updated network security or firewall,  5% said in-house or outsourced IT services, 4% said volume or records stored, 3% said encryption and 4% said other.

Of the respondents whose employers offer cyber coverage, “40% said the greatest challenge in selling cyber insurance is that many companies simply don’t think they need it,” Hanover Research reported.

“Even though data breaches are in the news every week, many companies still don’t recognize that cyber attacks are serious, and that the costs associated with responding to one can be significant and generally not covered under current commercial insurance policies,” Shawn Dougherty, ISO’s assistant vice president of specialty commercial lines, said in a press release Oct. 28.

“That’s why insurers and brokers are working hard to educate businesses and make it easy for them to add cyber coverage to their existing insurance portfolio.”

Of respondents whose employers offer cyber coverage, only 8% said they offer stand-alone cyber coverage, while 63% said they offer the product through roll-on optional endorsements. The remainder (29%) said their firms take both approaches.

ISO’s services include, among others, statistical, underwriting and claims information to insurers, reinsurers, agents and risk managers.