BOSTON Oct 12 A rash of hacking attacks on U.S.
companies over the past two years has prompted insurers to
massively increase cyber premiums for some companies, leaving
firms that are perceived to be a high risk scrambling for
cover.
On top of rate hikes, insurers are raising deductibles and
in some cases limiting the amount of coverage to $100 million,
leaving many potentially exposed to big losses from hacks that
can cost more than twice that.
"Some companies are struggling to find the money to buy the
coverage they want," said Tom Reagan, a cyber insurance
executive with Marsh & McLennan Co's Marsh broker unit.
The price of cyber coverage - which helps cover costs like
forensic investigations, credit monitoring, legal fees and
settlements - varies widely, depending on the strength of a
company's security. But the overall trend is sharply up.
Retailers and health insurers have been especially hard hit
by the squeeze after high-profile breaches at Home Depot Inc
, Target Corp, Anthem Inc and Premera
Blue Cross.
Health insurers who suffered hacks are facing the most
extreme increases, with some premiums tripling at renewal time,
said Bob Wice, a leader of Beazley Plc's cyber
insurance practice.
Average rates for retailers surged 32 percent in the first
half of this year, after staying flat in 2014, according to
previously unreported figures from Marsh.
Higher deductibles are also now common for retailers and
health insurers. And even the biggest insurers will not write
policies for more than $100 million for risky customers. That
leave companies like Target, which says its big 2013 data breach
has cost $264 million, paying out of pocket.
No. 2 U.S. health insurer Anthem ran into difficulties
renewing its coverage after an attack early this year that
compromised some 79 million customer records, according to
testimony from Anthem General Counsel Thomas Zielinski at an
August hearing of the National Association of Insurance
Commissioners.
Renewal rates were "prohibitively expensive," according to
minutes of that session seen by Reuters. The company managed to
get $100 million in coverage, Zielinski said, but only after
agreeing to pay the first $25 million in costs for any future
attacks. The company would not say what that figure was before,
but it was likely much smaller.
OPPORTUNITY FOR INSURERS
The spate of hacks is potentially good and bad for insurers.
It means they have to pay out more in claims, but it also
highlights the importance of buying insurance and gives them a
reason to jack rates up.
As more companies realize the importance of having coverage,
and insurers move in to meet that demand, the cyber insurance
market is set to triple to about $7.5 billion over the next five
years, according to a recent study by consulting firm PwC.
But insurers are wary of the hard-to-predict risks they are
taking on.
"We have turned clients away," said Tracie Grella, the
global head of professional liability at insurance giant
American International Group Inc.
AIG offers cyber policies that cover up to $75 million for a
cyber attack, but only for companies like top global banks that
have are the most adept at securing networks and mitigating
cyber risk.
Another insurer, Ace Group, recently started
offering up to $100 million in coverage, but only after an
intensive review of potential clients' cyber security policies
and procedures.
Warren Buffett's Berkshire Hathaway this month also
launched its first cyber policies through its specialty
insurance division. "We will be very selective," said Danielle
Librizzi, an executive with the insurer.
RETAIL HIKES
Target and Home Depot declined to comment on whether
insurers had hiked rates or reduced coverage after massive
breaches that exposed tens of millions of credit cards.
Target said in a filing that it expects insurance to cover
just $90 million of the $264 million of costs related to its
2013 attack. Home Depot said it expects $100 million in payments
toward $232 million in expenses from its 2014 breach.
"A lot of the carriers have gotten burned. They are coming
back with harsher and more challenging penalties," said Bob
Shaker, a manager at Symantec Corp's breach response
team.
Insurance buyers may be able to get more than $100 million
in coverage by using a syndicate of insurers organized by a
broker. Even so, some have warned they may not have adequate
cover.
In the wake of last year's attack on Sony Pictures
Entertainment, parent Sony Corp said its financial
condition could suffer if it were attacked again, since current
policies "might not cover all expenses and losses."
Sony spokesman Mack Araki said the company expects to
recover "a significant portion" of the film studio attack's
costs from insurers. He declined to elaborate or say if insurers
had raised pricing or reduced the limits on its cyber coverage.
OFFERING ADVICE
Retailers shopping for cyber insurance are coming under
pressure to secure their payment systems, just as homeowners are
encouraged to install locks on doors and windows.
Insurers are promoting newer technologies for securing
payment card transactions that exceed credit card companies'
requirements, such as tokenization and end-to-end encryption,
said Ben Beeson, a partner with broker Lockton Companies.
"Retailers that don't do that today are going to struggle to
get insurance," Beeson said.
But the stringent conditions on coverage could lead to the
next chapter of the cyber drama: courtroom battles.
"The restrictions and terms that we are seeing in the
underwriting process now will become the claim disputes we see
in two or three years," said Lynda Bennett, partner with
Lowenstein Sandler. "We definitely expect more litigation."
