Cyber Attacks Tailored to Individuals

Individuals face rising threats to their cybersecurity, particularly as telework during and after the COVID-19 pandemic has blurred the commercial and personal worlds and as the scope and sophistication of attacks increase.

While commercial cyber insurance is already a growing, multibillion-dollar business, insurers are increasingly offering cyber coverage aimed directly at individuals and their families, most often as homeowners policy endorsements. Some businesses have also begun providing it as an employee benefit.

“Currently, about 20% of employers around the country offer some sort of identity theft protection to their employees,” says Danny Talley, Hub International senior vice president of voluntary benefits, citing a study from consulting firm Mercer. “I think people are becoming more and more aware of the need for coverage with all of our lives becoming more digital, especially with new AI technology. Everything we do seems to be digital and smart technology—from our cell phones, laptops, refrigerators, home security systems, and so on—which has helped the awareness.”

The percentage is expected “to grow by double digits in the next couple years to where 30% to 40% will eventually purchase coverage to protect their digital lives,” Talley says. “It’s becoming one of those necessary voluntary benefits.”

Beyond anecdotal cases, sources interviewed for this article say they do not know of industrywide figures regarding the size of the market for the full scope of personal cyber insurance services, which range from security audits to data and system restoration. Given that this coverage is rarely offered as a stand-alone policy, the uptake rate is hard to track.

In its “Fifth Annual Study on Personal Cyber Risk,” published in 2022, Chubb found that 39% of 1,605 individuals surveyed had “personal cyber insurance policies.” However, only 11% of middle-class respondents reported having such policies, compared to 83% of high-net-worth (HNW) individuals. Chubb also found that 39% of those surveyed were “unfamiliar with personal cyber insurance.” Broken down by generations, 65% of baby boomers were not familiar with the product, followed by 40% of Generation X, 32% of millennials, and 19% of Generation Z.

The Chubb study found that, “compared to other income groups, wealthy respondents are twice as likely to have had their personal income breached in the last 12 months and four times more likely than the middle class.” For the purposes of the survey, the insurer cited middle class as incomes of $50,000 to less than $100,000; upper-middle class as incomes of $100,000 to less than $500,000; “mass affluent” as $500,000 to less than $1 million; and HNW as $1 million or greater.

Nonetheless, industry representatives say now is the time to more aggressively and effectively market personal cyber coverage beyond the HNW market.

“While cyber endorsements cover some risks, as cybercriminals continue to evolve their schemes, these measures may not protect the family from uninsured or underinsured risks,” Marsh McLennan Agency (MMA) said in its 2024 “Family Office Benchmarking Study.”

“Exploring additional stand-alone cyber coverage could minimize the financial impact of a cyberattack on the family,” according to the study.

An Exploding, Undercovered Risk

The scope of cyber crime continues to grow. The FBI says its Internet Crime Complaint Center (IC3) in 2023 received “a record number of complaints from the American public: 880,418 complaints were registered,” encompassing commercial and non-business, personal victims. That represented more than $12.5 billion in potential losses, the FBI says—a nearly 10% increase in complaints received and a 22% increase from 2022 in financial losses suffered. The number of complaints filed annually nearly doubled over the five-year period from 2019 to 2023, and annual losses nearly tripled, according to the FBI Internet Crime Report 2023.

The FBI cites investment fraud as the most expensive form of cyber crime monitored by IC3, with losses spiking by 38%, from $3.31 billion in 2022 to $4.57 billion in 2023. A total of 29,096 investment fraud complaints were filed in 2023. That was followed by 21,489 complaints of business e-mail compromise connected to reported losses of $2.9 billion. The number-three crime was tech support scams, with 51,750 complaints associated with $1.3 billion in losses.

Victims of investment fraud tended to be 30 to 49 years old. Forty percent of the complainants for call center fraud were older than 60; they experienced 58% of the losses (more than $770 million).

“In 2023, ransomware incidents continued to be impactful and costly. After a brief downturn in 2022, ransomware incidents were again on the rise with over 2,825 complaints,” the FBI report says. “This represents an increase of 18% from 2022. Reported losses rose 74%, from $34.3 million to $59.6 million. Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate.”

Employee Cyber Benefits

In its 2022 “National Survey of Employer-Sponsored Health Plans,” Mercer found that 19% of employers surveyed with 50 or more workers offered an ID theft protection as an employee benefit, as did 40% of employers with 500 or more personnel.

A growing number of employers are paying for ID theft protection for employees, both because it is necessary and because individuals often spend work hours dealing with a ransomware or other cyber breach, Talley says. In addition, many individuals are using personal and work devices in combination—another reason for employers to step in. The Internal Revenue Service also allows premiums that employers pay for employee ID theft protection to be fully tax-deductible, he notes.

An average policy for a single employee costs an employer between $6 and $10 per month, depending on the level of coverage, Talley says. That increases to $18 to $20 per month to cover an entire family. Some employers pay for a base level of coverage for employees and allow them to purchase more extensive coverage for themselves or their families.

Products offered through independent brokers are more competitively priced than those bought through direct marketing providers, Talley emphasizes.

Coverage under such policies encompasses monitoring of credit and bank accounts, credit scores, 401(k) plans, and medical records. “The theory behind all of that monitoring is the quicker you can catch something suspicious, the easier it is to fix,” Talley adds. The other component is identity theft recovery and compensation for harm after an incident.

LifeLock, a product of cybersecurity giant Gen Digital (formerly Norton LifeLock), has one of the most generous policies aligned with traditional insurance policy coverage, Talley says.

The product provides millions of customers with protection against losses from identify theft, says Ian Bednowitz, general manager for identity and privacy at Gen Digital. It includes some insurance-like components, such as reimbursement for money stolen and out-of-pocket expenses as a result of identity theft, he says. LifeLock also provides indemnification for the negative effects of identity theft and cyber fraud.

“We offer LifeLock directly as well as to employees via employee benefit brokers,” Bednowitz says. “We distribute through national brokerage and consultant partners as well as independent brokers.”

Since 2021, Node International has offered a personal cyber product, Cyberman365, aimed at the retail market. That year, the digital risk MGA also made the product available to 1,600 U.S. employees of parent company H.W. Kaufman Group. Kaufman subsidizes 57% of the cost for the single-person plan and 69% for the household plan. The final cost to a Kaufman associate is, for example, $104 per year ($4 per pay period) for one adult/household and $130 per year ($5 per pay period) for two adults and a household with up to 10 minors, notes Kaufman’s director of corporate communications, Anne Hein.

Node International CEO Neil Gurnhill says, “Our decision to offer personal cyber insurance stemmed from a desire for Kaufman to protect their employees and their families from the financial and emotional repercussions of cyber incidents. We understand that cyber threats extend beyond the workplace and can impact individuals’ personal lives, including their finances, identity, and privacy. That’s why we expanded the product to be distributed via broker channels.”

Personal cyber insurance is featured on the menu of benefit options that new Kaufman employees can select. The company subsidizes the cost, with the rest deducted from paychecks. About 25% to 30% of employees request the service, Gurnhill says—“not necessarily as strong as we’d hoped, though it continues to build momentum and we get new ones coming through as new people join the company. So it’s definitely here to stay.”

Tokio Marine HCC’s Cyber & Professional Lines Group in 2023 began discussing its personal cyber product with existing HNW clients who could potentially bring it to their business colleagues and employees. The product has been successful, says Kareen Boyadjian, vice president of cyber and tech E&O underwriting.

“We are popular for board members or shareholders of a private equity firm, law firms, CPA, and similar organizations interested in a group offering,” Boyadjian says. “They love the fact that our application is short and easy to complete. Additionally, we have a broker portal where brokers can self-serve by quoting and binding directly through our website. It’s very quick and easy. We’ve found that when board members of one major law firm pursue coverage, then their counterparts at other firms pick it up pretty quickly.” Financial advisors and wealth managers have also demonstrated interest in the product, she adds.

The products provide coverage against a range of threats (see sidebar). Tokio Marine HCC highlights insurance for extortion, ransomware, cyber bullying, and identity theft, among other risks, with NetGuard Select. Node’s Cyberman365 plans cover ID restoration, social media monitoring, Social Security number tracing, vulnerability evaluations of connected devices, and a host of other services.

“Personal cyber as an employee benefit is not widespread, since this is still a relatively new product,” says Boyadjian. “If it’s offered, it might be Experian, Boxx Insurance, Norton LifeLock, or other ID theft vendors who may have some version of cyber but not the full stand-alone product we offer, which includes cyber crime, data recovery, cyber bullying, and other important covers. We are known as an employee benefit solution for C-suites, execs, and board members and intend to be the solution for EB companies to broaden their offering and be competitive in the market.”

While Cyberman365 is also available as a stand-alone product, Gurnhill questions whether the market is yet ready. “The market hasn’t matured enough for the product to be really sold as a stand-alone solution [to the general public],” he says. “We tried it when we first went live with the product—that was our go-to-market strategy. But we just couldn’t get to the volumes. Everybody kind of wanted it to happen, but unless the insured is in an event or under circumstances for cyber peril, we found it very hard to get them in the current climate to do anything really. I think that will eventually change, however.”

Breaking Through to Consumers

The Marsh McLennan 2024 “Family Office Benchmarking Study” offers clues as to why more people are not obtaining cyber protection. The survey asked more than 100 family office clients why they had opted out of cyber insurance:

• 40% said “does not believe they have cyber exposure”
• 27% said “inadequate coverage available e.g., social engineering”
• 20% said “limited understanding of the coverage”
• 7% said “cost”
• 20% said “other.”

Even for HNW individuals and families that almost certainly need this coverage, acceptance is not a slam dunk.

“Clients sometimes assume they’re not at risk if they aren’t online or on social media very often,” says Tamara Stephens, MMA senior vice president of private client services. “So to some extent there is a lack of understanding of the full scope of protecting against cyber risk—that it’s more than clicking a bad email link. Personal cyber attacks can expose clients and their families to financial, reputational, and security risks. There are also very savvy clients looking for broad personal cyber coverage options and were disappointed that some policies don’t cover widespread events, social engineering, or cyber disruption. In both cases, client education is critical around the very real risks they face and the newer policy options and endorsements available to address the expanding nature of cyber risk.”

Carrier and brokerage sources interviewed say the key challenge to expanding sales of personal cyber is neither the product nor consumer ability or willingness to pay but rather effectively communicating the need. Brokers and agents can lead the way here.

“If you were to tell somebody that for a relatively nominal cost of maybe $50 or so per year they would have protections, that in case somebody impersonated them, stole their identity, hacked into their 401(k) plans, stole $25,000 out of their account, he or she would be protected, I think there’d be very wide adoption,” says James Hajjar, chief product and risk officer for the treaty division at Hartford Steam Boiler, a specialty insurer subsidiary of reinsurer Munich Re that manufacturers and administers personal cyber policies as homeowners policy endorsements offered by 40 carriers. “We’re working through this sort of lack of awareness, sort of unclarity. When you hear the word ‘cyber,’ do you think about fraud and protections? The market is starting to gain a lot of traction with this.”

Optimizing the offering strategy, such as by affirmatively discussing the endorsement or tying it to other endorsements, is important to uptake success, Hajjar says. “For example, if it’s auto-quoted, where at the time you’re buying your homeowners policy agents are systematically or verbally offering that product [as an optional add-in that can be checked off by a consumer], we’ll see about a 20 or 30% take-up rate,” he says. When personal cyber is offered as part of a larger endorsement bundle or “stretch endorsement” that requires buying personal cyber to obtain the other endorsement elements, uptake levels rise to 50%. In contrast to those two scenarios, adoption is much lower when their personal cyber endorsement is merely described in written materials as one of a variety of endorsement options and/or is not discussed unless raised by the agent or client, Hajjar adds.

One hopeful sign, Hajjar notes, is that most HSB-manufactured policies are sold at the $25,000 limit level, suggesting average homeowners are buying coverage at affordable premiums.

“So for those agents that are out there selling it, I would just try to keep it simple and say, ‘You’re connected, you’re at risk of online scams, and for the value inherent in these policies, this just makes sense,’” Hajjar says. “I would not try to get into the deep weeds of the technical elements of what a computer attack is, what is a malicious code or a virus. I think going down that technical route isn’t the right way. It’s more about what could happen to you if your identity is stolen or if you are defrauded of money.”

The other key challenge is convincing customers of the immediacy of the risk, says Tokio Marine’s Boyadjian. “Statistics show that one out of two individuals have had their personal information compromised, which is a strong indication of the risk of identity theft fraud we’re already faced with as consumers. The quicker we all protect ourselves, the better.”

Nearly all industry representatives interviewed say they expect personal cyber products to mature and claims to rise.

In contrast to commercial policies that are carefully underwritten, most carriers perform only limited underwriting of personal cyber policies, often restricting policy availability if cyber events involving individuals have resulted in losses in recent years.

Serious cyber incidents resulting in losses or even the threat of such an event often act as a barrier to coverage, says Dina Smith, managing director at Gallagher Private Client Services. “A new client came to me with a multimillion recent cyber-related loss, and I cannot get him cyber coverage at this time now. A carrier said that, even with all the mitigation and changes that he made to his system, his protocols and so forth, if there’s nothing happening after three years, ‘come back to us. We’ll see what we can do.’”

For the majority of personal cyber policies that ride on homeowners policies as endorsements, availability is also often tied to geographic availability of the underlying homeowners policy. That in recent years has been limited in high home value, high litigation risk areas of the country that increase risk concentration for insurers, such as New York City, parts of southern Florida, and California.

While most commercial cyber coverage has third-party liability aspects, most personal cyber policies do not, say both Smith and Will Van Den Heuvel, Cincinnati Insurance senior vice president for personal lines. Unlike businesses, most individuals are not party to a host of contractual and regulatory requirements that would subject them to this exposure.

The Business of Cyber Protection

Many personal cyber products cover services designed to harden consumers against attacks and to respond after successful events, including data and document restoration, computer restoration or replacement services, and indemnification for cyber fraud losses. Many personal cyber policies are focused on HNW individuals and families, though others target a more general consumer marketplace.

Proactive measures intended to defend against future cyber attacks vary by policy or endorsement, Smith notes, but can encompass cybersecurity audits, monitoring of electronic systems, and educational programs. “So, for instance, you are given access to an app-based service, you enroll, and then they’re watching things on the dark web, and maybe watching your credit and doing a lot of other services like that. I’ve actually received very positive feedback about those proactive services. People had no idea what they were exposed to and have been grateful for the proactive service monitoring.”

Customers should pay attention to distinctions in policy language and limits that may appear similar, as these can add up to important differences in the actual coverage, Smith says.

“There’s no standard language for these policies—this is not ISO,” she adds. “This is carriers putting together their coverages. You have to scrutinize the fine print because they don’t all use the same terminology, although the same terms are becoming more common.”

One key criterion, for example, is the scope of coverage. Some policies increase pricing rapidly beyond the initially covered individual, while others cover all family members in a household, Smith says.

Also crucial is ensuring that the policy provides indemnification for cyber fraud, which many carriers interviewed for this article cite as the most common source of losses.

Social engineering coverage is sometimes not included in a plan or has sublimits, Smith notes. Sublimits may also be imposed on other types of harm, such as reputational injury and cryptocurrency diversion, reducing coverage if a large loss occurs in one bucket. It is also important to differentiate what services are paid for under the policy and which are just feeders leading to additional charges for customers who want them.

To optimize these policies, customers must shop coverage, but given that most ride on top of homeowners policies, that is not easy. “If you are insured with one insurance company and if your broker is not aware of any other products out there, then you’re only going to get the one cyber product that that carrier provides,” Smith says. “But they’re not all the same. Make sure that you understand what you’re buying, because there’s a lot of good stuff in there. I think a lot of people are paying for it and they don’t even know they have it.”

Stephens says that, if one of her HNW carriers does not offer the most robust cyber protection, sometimes they will instead use a commercial policy that often covers third-party liability. Users should avoid policies or endorsements that cover only identity theft and leave many other threats unprotected, she adds.

Clients also need to be primed to use the policies effectively and promptly, Smith says. She cites one client who told her at the annual review a hacker had months earlier accessed her email account and engineered a $16,000 wire transfer fraud. “I said, ‘Why didn’t you tell me? Don’t you remember that you have coverage for that?’” Smith says the carrier eventually covered the policyholder’s subsequent claim but the client came close to getting nothing had it not been for one conversation during that annual review.

Some carriers offer products in tiers of service. As an example, Chubb offers coverage as a homeowners policy endorsement. Its baseline Masterpiece homeowners policy covers digital content, unauthorized charge reimbursements, identity fraud management, and document recovery. Customers can add a separate Masterpiece Cyber Protection enhancement that includes coverage for cyber extortion and ransomware; social engineering fraud; cyber financial damage from loss of account funds; cyber bullying protection against harassment that results in harmful school, employment, or personal impacts; cyber disruption; and cyber breach of privacy involving assistance with physical security or defamation of character.

Rising Uptake

Most brokers and carrier executives interviewed for this article say purchases of their personal cyber products are increasing, but they give widely differing descriptions of the growth rate.

Arbella Insurance Group, which sells products manufactured by HSB, began offering personal cyber as a homeowners policy endorsement in Massachusetts in 2018, then expanded that into Connecticut, says Jim Hyatt, Arbella executive vice president and chief underwriting officer. Nearly 28,000 customers in Massachusetts have bought that coverage, comprising roughly 22% of its policy base in the state. Interest in Connecticut is also rising, Hyatt says—roughly 8% of the policy base for the younger product. “So the uptake has actually been pretty good.”

For the average consumer, the pricing is modest. Arbella offers a $25,000 coverage limit for $42 per year and a $50,000 limit for $52 per year to obtain protection against cyber attacks, cyber extortion, online fraud, data breach, and cyber bullying, Hyatt says.

Cincinnati Insurance reports similar success. “Since 2019, we’ve offered incremental coverage limits starting at $25,000, which is our most accepted limit,” says Eric Borg, product director at Cincinnati Insurance, which offers endorsements for HNW individuals and general homeowners, both reinsured by HSB. “Last year we started rolling out limits up to a million. The higher limit is available in 22 states now; we’ve got another 10 scheduled to come out this year. The overall take-up rate is about 21% on new business. This is one of our top optional endorsements for new business; attaching it to renewal business is a bit slower [with a 13% uptake rate on renewals].”

Hajjar says his personal cyber product is his most rapidly growing specialty insurance offering. It grew by more than 10% from 2022 to 2023 and by similar double-digit numbers from 2017 to the present, with expectations for “double-digit growth over the course of the next several years.” HSB is in negotiations with another 10 carriers to offer its personal cyber policies, Hajjar says.

Following Commercial Trends

Commercial cyber has in recent years undergone periods of sharp escalation in price and reduction in availability, though prices have moderated in the past year, according to Marsh’s first-quarter 2024 “U.S. Insurance Market Rates” report.

Will the days of easy underwriting continue, or will commercial cyber’s pattern of price-rise shocks and tight markets transpire for personal cyber, too?

Executives interviewed for this article say it’s too early to tell, but some suggest personal cyber may be at the front end of a similar pattern given the rise in cyber crime and losses, relatively low personal cyber premiums, and light underwriting.

“In talking to agents, brokers, and cyber specialists, it certainly feels like we are at the tip of the iceberg on this exposure,” Arbella’s Hyatt says. “Cyber criminals are only going to get more sophisticated in the future, which is scary. We need, as an industry, to continue to write about this to educate consumers to the risk and the protection available.”

“I think personal cyber is a lot of what commercial cyber was 10 years ago, where the first year was like, ‘Oh, how interesting. I didn’t know cyber is a concern for me,’ but now we see the claims and know the exposures,” Boyadjian says. “This is really an everyone problem, especially when artificial intelligence becomes much more prevalent in our lives. It’s coming for sure.”

Perhaps that is the best point of all to increase dissemination of the product. Many policies are likely a bargain that may not last for long.