Insurers are eagerly eyeing exponential growth in the tiny cyber coverage market, but their lack of experience and skills handling hackers and data breaches may keep their ambitions in check.
High-profile cases of hackers seizing sensitive customer data from companies such as U.S. retailer Target Corp. or e-commerce company eBay Inc. have executives checking their insurance policies.
Increasingly, corporate risk managers are seeing insurance against cyber crime as necessary budget spending rather than just nice to have.
The insurance broking arm of Marsh & McLennan Cos. estimates the U.S cyber insurance market was worth $1 billion last year in gross written premiums and could reach as much as $2 billion this year. The European market is currently a fraction of that, at around $150 million, but is growing by 50-100 percent annually, according to Marsh.
Those numbers represent a sliver of the overall insurance market, which is growing at a far more sluggish rate. Premiums are set to grow only 2.8 percent this year in inflation-adjusted terms, according to Munich Re, the world’s biggest reinsurer.
The European cyber coverage market could get a big boost from draft EU data protection rules in the works that would force companies to disclose breaches of customer data to them.
“Companies have become aware that the risk of being hacked is unavoidable,” said Andreas Schlayer, responsible for cyber risk insurance at Munich Re. “People are now more aware that hackers can attack and do great damage to central infrastructure, for example, in the energy sector.”
Insurers, which have more experience handling risks like hurricanes and fires, are now rushing to gain expertise in cyber technology.
“It is a difficult risk to price by traditional insurance methods as there currently is not statistically significant actuarial data available,” said Robert Parisi, head of cyber products at Marsh.
Andrew Braunbergon, research director at U.S. cybersecurity advisory company NSS Labs, said that some energy companies have trouble persuading insurers to provide them with cyber coverage as the industry is vulnerable to hacking attacks that could trigger disasters like an explosion in a worst-case scenario.
Pricing on policies for retailers has climbed in the wake of recent high-profile breaches at Target, Neiman Marcus and other merchants, he added.
A Necessary Cost
Though still very much in its infancy, the market’s potential is vast, with cyber crime costing the global economy about $445 billion every year, according to an estimate last month from the Washington-based Center for Strategic and International Studies.
While many companies have in the past counted on their general commercial liability policies for coverage, they are increasingly taking out standalone contracts.
One reason for the change in attitude is a New York state court ruling in February against Sony Corp. The company, which has appealed the decision, had sought to force providers of its general commercial liability insurance to foot the bill for class action lawsuits following a major 2011 cyber attack on Sony PlayStation Network.
The Sony ruling prompted some companies to get specialized insurance policies to protect them against cyber breaches, said Dave Kennedy, CEO of TrustedSec LLC, which helps businesses conduct security assessments before they obtain insurance. “There has been a huge uptick in cyber insurance,” he said.
Target was better protected when some 40 million payment card numbers were stolen last year. It reportedly had $100 million in cyber insurance, according to the trade publication Business Insurance.
With low interest rates limiting revenues from insurers’ vast bond portfolios, the extra underwriting income from the fast-growing new market is all the more welcome.
The cost of cyber insurance varies, but on average $1 million in protection ranges from about $20,000 to $25,000, according to Beshar.
German insurance giant Allianz says its premiums for 10-50 million euros in protection run about 50,000-90,000 euros in annual premiums. For protection of over 50 million euros, companies can get coverage up to 300 million euros through co-insurance policies involving multiple underwriters.
Whether insurers are offering coverage at prices commensurate with risk is anyone’s guess as long as underwriters have scant experience with hackers.
AXA, Europe’s second biggest insurer, is making a big push into the cyber insurance market but has so far not paid out a single business claim.
“I would like to see a successful claim, because that would be an experience,” said Philippe Derieux, deputy CEO of AXA’s global property/casualty business.
AXA is hiring computer experts and engineers to build up a centralized cyber team, but Derieux said there is a shortage of qualified talent.
“It is hard for insurers and brokers to find people able to handle the product,” Munich Re’s Schlayer said.
That lack of expertise means insurers are failing to identify high-risk clients, because they are not undertaking sufficiently rigorous security evaluations before writing cyber policies, said Bryan Rose, managing director with Stroz Friedberg, a firm that investigates cyber attacks.
This leaves the insurers vulnerable to underpricing their policies.
They often simply ask clients to fill out limited questionnaires asking whether they have proper security procedures in place, rather than conducting thorough security audits, Rose said.
“There’s a real risk that insurance companies are not appropriately pricing the risk,” Rose said.