On top of rate hikes, insurers are raising deductibles and in some
cases limiting the amount of coverage to $100 million, leaving many
potentially exposed to big losses from hacks that can cost more than
twice that.
"Some companies are struggling to find the money to buy the coverage
they want," said Tom Reagan, a cyber insurance executive with Marsh
& McLennan Co's <MMC.N> Marsh broker unit.
The price of cyber coverage - which helps cover costs like forensic
investigations, credit monitoring, legal fees and settlements -
varies widely, depending on the strength of a company's security.
But the overall trend is sharply up.
Retailers and health insurers have been especially hard hit by the
squeeze after high-profile breaches at Home Depot Inc, Target Corp,
Anthem Inc and Premera Blue Cross.
Health insurers who suffered hacks are facing the most extreme
increases, with some premiums tripling at renewal time, said Bob
Wice, a leader of Beazley Plc's cyber insurance practice.
Average rates for retailers surged 32 percent in the first half of
this year, after staying flat in 2014, according to previously
unreported figures from Marsh.
Higher deductibles are also now common for retailers and health
insurers. And even the biggest insurers will not write policies for
more than $100 million for risky customers. That leave companies
like Target, which says its big 2013 data breach has cost $264
million, paying out of pocket.
No. 2 U.S. health insurer Anthem ran into difficulties renewing its
coverage after an attack early this year that compromised some 79
million customer records, according to testimony from Anthem General
Counsel Thomas Zielinski at an August hearing of the National
Association of Insurance Commissioners.
Renewal rates were "prohibitively expensive," according to minutes
of that session seen by Reuters. The company managed to get $100
million in coverage, Zielinski said, but only after agreeing to pay
the first $25 million in costs for any future attacks. The company
would not say what that figure was before, but it was likely much
smaller.
OPPORTUNITY FOR INSURERS
The spate of hacks is potentially good and bad for insurers. It
means they have to pay out more in claims, but it also highlights
the importance of buying insurance and gives them a reason to jack
rates up.
As more companies realize the importance of having coverage, and
insurers move in to meet that demand, the cyber insurance market is
set to triple to about $7.5 billion over the next five years,
according to a recent study by consulting firm PwC.
But insurers are wary of the hard-to-predict risks they are taking
on.
"We have turned clients away," said Tracie Grella, the global head
of professional liability at insurance giant American International
Group Inc <AIG.N>.
AIG offers cyber policies that cover up to $75 million for a cyber
attack, but only for companies like top global banks that have are
the most adept at securing networks and mitigating cyber risk.
Another insurer, Ace Group, recently started offering up to $100
million in coverage, but only after an intensive review of potential
clients' cyber security policies and procedures.
Warren Buffett’s Berkshire Hathaway this month also launched
its first cyber policies through its specialty insurance division.
"We will be very selective," said Danielle Librizzi, an executive
with the insurer.
[to top of second column] |
RETAIL HIKES
Target and Home Depot declined to comment on whether insurers had
hiked rates or reduced coverage after massive breaches that exposed
tens of millions of credit cards.
Target said in a filing that it expects insurance to cover just $90
million of the $264 million of costs related to its 2013 attack.
Home Depot said it expects $100 million in payments toward $232
million in expenses from its 2014 breach.
"A lot of the carriers have gotten burned. They are coming back with
harsher and more challenging penalties," said Bob Shaker, a manager
at Symantec Corp’s breach response team.
Insurance buyers may be able to get more than $100 million in
coverage by using a syndicate of insurers organized by a broker.
Even so, some have warned they may not have adequate cover.
In the wake of last year's attack on Sony Pictures Entertainment,
parent Sony Corp <6758.T> said its financial condition could suffer
if it were attacked again, since current policies "might not cover
all expenses and losses."
Sony spokesman Mack Araki said the company expects to recover "a
significant portion" of the film studio attack's costs from
insurers. He declined to elaborate or say if insurers had raised
pricing or reduced the limits on its cyber coverage.
OFFERING ADVICE
Retailers shopping for cyber insurance are coming under pressure to
secure their payment systems, just as homeowners are encouraged to
install locks on doors and windows.
Insurers are promoting newer technologies for securing payment card
transactions that exceed credit card companies' requirements, such
as tokenization and end-to-end encryption, said Ben Beeson, a
partner with broker Lockton Companies.
"Retailers that don’t do that today are going to struggle to get
insurance," Beeson said.
But the stringent conditions on coverage could lead to the next
chapter of the cyber drama: courtroom battles.
"The restrictions and terms that we are seeing in the underwriting
process now will become the claim disputes we see in two or three
years," said Lynda Bennett, partner with Lowenstein Sandler. "We
definitely expect more litigation."
(Reporting by Jim Finkle; Editing by Jonathan Weber, Richard
Valdmanis and Bill Rigby)
[© 2015 Thomson Reuters. All rights
reserved.] Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |