EXCLUSIVE - Hacking blitz drives cyberinsurance demand

NEW YORK Wed Jun 15, 2011 1:29am IST

A man surfs a site at an Internet cafe in Seoul February 25, 2006. REUTERS/You Sung-Ho/Files

A man surfs a site at an Internet cafe in Seoul February 25, 2006.

Credit: Reuters/You Sung-Ho/Files

Related Topics

Border Security Force (BSF) soldiers ride their camels as they rehearse for the "Beating the Retreat" ceremony in New Delhi January 27, 2015. REUTERS/Ahmad Masood

"Beating The Retreat" Rehearsals

Rehearsals are on for "Beating the Retreat" ceremony which symbolises retreat after a day on the battlefield, and marks the official end of the Republic Day celebrations.  Slideshow 

NEW YORK (Reuters) - The recent string of sensational hacker attacks is driving companies to seek "cyberinsurance" worth hundreds of millions of dollars, even though many policies can still leave them exposed to claims.

Companies are having to enhance not just their information technology practices but also their human resources and employee training functions just to get adequate coverage against intrusion -- and in some cases, they are also accepting deductibles in the tens of millions of dollars.

Insurers and insurance brokers say demand is soaring, as companies try to protect themselves against civil suits and the potential for fines by governments and regulators, but also as they seek help paying for mundane costs like "sorry letters" to customers.

"When you have a catastrophic type of data breach then yes ... the phones ring off the hook," said Kevin Kalinich, co-national managing director of the professional risk group at insurance broker Aon Corp.

In the past few weeks, the U.S. Senate, the International Monetary Fund, defense contractor Lockheed Martin Corp., banking concern Citigroup Inc, technology giant Google and consumer electronics group Sony Corp are among those who have disclosed hacker attacks of various kinds.

In the days after Sony disclosed it had more than 100 million customer accounts compromised, the company said its insurance would help cover the costs of fixing its systems and providing identity theft services to account holders.

That helped drum up business for the still-growing segment of the industry, and the demand has only intensified since a more recent breach at Citigroup, which security experts said was the largest direct attack on a U.S. bank to date.

Some insurers say this is the moment the industry has been waiting for as the tide of bad news becomes so overwhelming that customers have no choice but to seek coverage. On Tuesday, Travelers became the latest insurer to launch a package of policies covering various fraud and expense liabilities.

Aon's Kalinich said fewer than five percent of data breaches lead to costs of more than $20 million, and yet more and more companies are seeking to be insured for that and more to protect themselves against the shifting risk.

Large customers are going to extremes, taking out coverage for data breach liabilities of as much as $200 million, while also taking $25 million deductibles to keep their premiums down.

GOOD RISK

As with any kind of insurance, data breach policies carry all sorts of exclusions that put the onus on the company. Some, for example, exclude coverage for any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not downloaded or if employees do not change their passwords periodically.

"Insurers are all looking for good risks, whether it is a fire insurance company that wants a building that is sprinklered and doesn't have oily rags laying around - this is the equivalent in the IT area. They want good systems, they want good protection, they want good risk," said Don Glazier, a principal at Integro Insurance Brokers in Chicago.

Given that the average data breach cost $7.2 million last year, according to a March study from the Ponemon Institute, hundreds of millions of dollars of cover may seem extreme. But with the scale and scope of hacking attacks growing daily, some companies can not be cautious enough.

Of course, the risk they face is a moving target, both for them and for the insurance companies. After 10 years of writing policies, industry experts say a consensus is building on what "cyberinsurance" covers.

Generally, such policies now cover third-party liability, like suits filed by customers whose accounts have been hacked; direct costs like notification letters sent to affected customers; and, increasingly, fines and penalties associated with data breaches.

What is missing from the equation, however, is standards. Insurers can try to standardize the risk from hacking attacks, but cyberinsurance is still not auto insurance, where carriers can make their customers wear seat belts as a condition of a policy.

"One day the industry will actually be so robust that ... we'll have the leverage to actually create standards," said Tracey Vispoli, a senior vice president at insurer Chubb. "We're not there yet but that to me is a win to the industry."

CONSUMER BURDEN

Consumers are increasingly finding themselves less protected and more liable as well. Courts are siding with vendors and not their customers in some cases when it comes to the misuse of data.

In late May, a U.S. magistrate judge in Maine recommended the district court throw out a lawsuit filed against a bank by one of its customers, a construction company.

The customer had suffered a series of unauthorized withdrawals from its account after some employees' computers were infected with a virus that captured their banking information. The company sued the bank on the grounds that the bank's systems should have caught the clearly unusual pattern.

Lawyers who litigate cyberrisk say in the current environment, many companies are only looking out for themselves, not for their customers or suppliers.

"Most companies are looking more for first party (coverage), they're worried more about their own systems," said Richard Bortnick, an attorney with Cozen O'Connor and the publisher of the digital law blog CyberInquirer.

"Not all companies deem it necessary to provide notification of a cyberbreach or incident for reasons of reputation and other marketing-related bases," he said.

(Reporting by Ben Berkowitz, Editing by Martin Howell)

FILED UNDER:
Photo

After wave of QE, onus shifts to leaders to boost economy

DAVOS, Switzerland - Central banks have done their best to rescue the world economy by printing money and politicians must now act fast to enact structural reforms and pro-investment policies to boost growth, central bankers said on Saturday.

Apple Earnings

Reuters Showcase

ONGC Share Sale

ONGC Share Sale

ONGC share sale scheduled for this fiscal - oil minister  Full Article 

The Apple logo is pictured inside the newly opened Omotesando Apple store at a shopping district in Tokyo June 26, 2014. REUTERS/Yuya Shino/Files

Record Earnings

Apple iPhone sales trample expectations as profit sets global record  Full Article 

'Umrika' At Sundance

'Umrika' At Sundance

From Oscars to Sundance, Sharma and Revolori discuss India's 'Umrika'  Full Article 

Australian Open

Australian Open

Smooth Wawrinka, ill Serena through to Melbourne semis   Full Article 

India's Male Tenor

India's Male Tenor

India's lone male tenor aims to sing opera in local key  Full Article 

Japan Hostages

Japan Hostages

Mother of Japanese captive begs PM to save son held by Islamic State  Full Article 

Tripoli Attack

Tripoli Attack

Frenchman, American among those killed in Tripoli hotel attack - Libyan official.  Full Article 

U.S. Blizzard

U.S. Blizzard

Blizzard hits Boston and New England, spares New York despite forecasts.  Full Article 

Spying Row

Spying Row

Spying program leaked by Snowden is tied to campaign in many countries.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device  Full Coverage