High-profile cases of hackers seizing sensitive customer data from
companies, such as U.S. retailer Target Corp or e-commerce company
eBay Inc, have executives checking their insurance policies.
Increasingly, corporate risk managers are seeing insurance against
cyber crime as necessary budget spending rather than just nice to
have.
The insurance broking arm of Marsh & McLennan Companies estimates
the U.S. cyber insurance market was worth $1 billion last year in
gross written premiums and could reach as much as $2 billion this
year. The European market is currently a fraction of that, at around
$150 million, but is growing by 50 to 100 percent annually,
according to Marsh.
Those numbers represent a sliver of the overall insurance market,
which is growing at a far more sluggish rate. Premiums are set to
grow only 2.8 percent this year in inflation-adjusted terms,
according to Munich Re, the world's biggest reinsurer.
The European cyber coverage market could get a big boost from draft
EU data protection rules in the works that would force companies to
disclose breaches of customer data to them.
"Companies have become aware that the risk of being hacked is
unavoidable," said Andreas Schlayer, responsible for cyber risk
insurance at Munich Re. "People are now more aware that hackers can
attack and do great damage to central infrastructure, for example in
the energy sector."
Insurers, which have more experience handling risks like hurricanes
and fires, are now rushing to gain expertise in cyber technology.
"It is a difficult risk to price by traditional insurance methods as
there currently is not statistically significant actuarial data
available," said Robert Parisi, head of cyber products at insurance
brokers Marsh.
Andrew Braunbergon, research director at U.S. cybersecurity advisory
company NSS Labs, said that some energy companies have trouble
persuading insurers to provide them with cyber coverage as the
industry is vulnerable to hacking attacks that could trigger
disasters like an explosion in a worst-case scenario.
Pricing on policies for retailers has climbed in the wake of recent
high-profile breaches at Target, Neiman Marcus, and other merchants,
he added.
A NECESSARY COST
Though still very much in its infancy, the market's potential is
vast with cyber crime costing the global economy about $445 billion
every year, according to an estimate last month from the
Washington-based Center for Strategic and International Studies.
While many companies have in the past counted on their general
commercial liability policies for coverage, they are increasingly
taking out standalone contracts.
One reason for the change in attitude is a New York state court
ruling in February against Sony Corp. The company, which has
appealed the decision, had sought to force providers of its general
commercial liability insurance to foot the bill for class action
lawsuits following a major 2011 cyber attack on Sony PlayStation
Network.
"This issue with Sony is that it did not have a standalone cyber
product," said Peter Beshar, general counsel at the Marsh & McLennan
Companies.
Target was better protected when some 40 million payment card
numbers were stolen last year. It had $100 million in cyber
insurance, according to the trade publication Business Insurance.
With low interest rates limiting revenues from insurers' vast bond
portfolios, the extra underwriting income from the fast-growing new
market is all the more welcome.
The cost of cyber insurance varies, but on average $1 million in
protection ranges from about $20,000 to $25,000, according to
Beshar.
German insurance giant Allianz says its annual premiums for 10-50
million euros in protection run about 50,000-90,000 euros. For
protection of over 50 million euros, companies can get
coverage up to 300 million euros through co-insurance policies
involving multiple underwriters.
Whether insurers are offering coverage at prices commensurate with
the risks is anyone's guess as long as underwriters have scant
experience with hackers.
GROWING PAINS
AXA, Europe's second biggest insurer, is making a big push into the
cyber insurance market, but has so far not paid out a single
business claim.
"I would like to see a successful claim, because that would be an
experience," said Philippe Derieux, deputy CEO of AXA's global
property and casualty business.
AXA is hiring computer experts and engineers to build up a
centralized cyber team, but Derieux said there is a shortage of
qualified talent.
"It is hard for insurers and brokers to find people able to handle
the product," Munich Re's Schlayer said.
That lack of expertise means insurers are failing to identify
high-risk clients, because they are not undertaking sufficiently
rigorous security evaluations before writing cyber policies, said
Bryan Rose, managing director with Stroz Friedberg, a firm that
investigates cyber attacks.
This leaves the insurers vulnerable to underpricing their policies.
They often simply ask clients to fill out limited questionnaires
asking whether they have proper security procedures in place,
rather than conducting thorough security audits, Rose said.
"There's a real risk that insurance companies are not appropriately
pricing the risk," Rose said.
(Additional reporting by Jonathan Gould in Frankfurt and Chris
Vellacot in London; Editing by Frances Kerry)
[© 2014 Thomson Reuters. All rights reserved.]