“I’ll Show You Mine If You Show Me Your (Policy Limits)”

The struggle to identify appropriate policy limits continues to frustrate many in the market for cyberinsurance.  So does the difficulty involved with comparing premiums across policies offering coverage terms with a lot of variation.  But publicly available data continues to improve, and this piece from the folks at Cyber Data Risk Managers is particularly interesting.  CDRM shared data on 34 actual clients’ premiums and limits based on industry and annual revenue.  Among the highlights:

Highest Revenue: A pharmaceutical benefits management company with annual revenues of $4B bought a policy with a $5M limit for a premium of $84,000.

Highest Limits:  A data storage center with annual revenues of $15M bought a policy with a $20M limit for a premium of $120,000.

The $1M Phenomenon: 18 of 34 clients bought $1M policies.  Even more interesting, those clients’ annual revenues ranged from $100,000 to $100M.

Some takeaways:

  1. What makes sense varies greatly by industry, and industry sometimes drives decision-making more than annual revenue.  This makes sense, as the type of data and the way it’s maintained vary by industry, and these are key drivers of risk.  Look for peer data.  It is out there.
  2. $1M policies for companies grossing $25M, $50M and especially $100M would only make sense in limited circumstances.  This high number of “million dollar players” probably reflects budgetary concerns more than anything else.  In some industries, more coverage is prohibitively expensive.  And at some companies, there simply isn’t a budget for more than minimum coverage, regardless of the cost of higher limits.