Insurers are eagerly eyeing exponential growth in the tiny cyber coverage market. But their lack of experience and skills handling hackers and data breaches may keep their ambitions in check.
High profile cases of hackers seizing sensitive customer data from companies, such as US retailer Target Corp or e-commerce company eBay Inc, have executives checking their insurance policies.
Increasingly, corporate risk managers are seeing insurance against cyber crime as necessary budget spending rather than just nice to have.
The insurance brokerage arm of Marsh & McLennan Companies estimates that the US cyber insurance market was worth $1 billion (€0.73bn) last year in gross written premiums, and could reach as much as $2 billion (€1.4bn) this year. The European market is currently a fraction of that, at around $150 million (€110mn), but is growing by 50 to 100% annually, according to Marsh.
Those numbers represent a sliver of the overall insurance market, which is growing at a far more sluggish rate. Premiums are set to grow only 2.8% this year in inflation-adjusted terms, according to Munich Re, the world’s biggest reinsurer.
The European cyber coverage market could get a big boost from draft EU data protection rules in the works that would force companies to disclose breaches of customer data to them.
“Companies have become aware that the risk of being hacked is unavoidable,” said Andreas Schlayer, responsible for cyber risk insurance at Munich Re. “People are now more aware that hackers can attack and do great damage to central infrastructure, for example in the energy sector.”
Insurers, which have more experience handling risks like hurricanes and fires, are now rushing to gain expertise in cyber technology.
“It is a difficult risk to price by traditional insurance methods as there currently is not statistically significant actuarial data available,” said Robert Parisi, head of cyber products at insurance brokers Marsh.
Andrew Braunbergon, research director at US cybersecurity advisory company NSS Labs, said that some energy companies have trouble persuading insurers to provide them with cyber coverage as the industry is vulnerable to hacking attacks that could trigger disasters like an explosion in a worst-case scenario.
Pricing on policies for retailers has climbed in the wake of recent high-profile breaches at Target, Neiman Marcus, and other merchants, he added.
A necessary cost
Though still very much in its infancy, the market’s potential is vast, with cyber crime costing the global economy about $445 billion (€326bn) every year, according to an estimate last month from the Washington-based Center for Strategic and International Studies.
While many companies have in the past counted on their general commercial liability policies for coverage, they are increasingly taking out standalone contracts.
One reason for the change in attitude is a New York state court ruling in February against Sony Corp. The company, which has appealed the decision, had sought to force providers of its general commercial liability insurance to foot the bill for class action lawsuits following a major 2011 cyber attack on Sony PlayStation Network.
“This issue with Sony is that it did not have a standalone cyber product,” said Peter Beshar, general counsel at the Marsh & McLennan Companies.
Target was better protected when some 40 million payment card numbers were stolen last year. It had $100 million (€73.4mn) in cyber insurance, according to the trade publication Business Insurance.
With low interest rates limiting revenues from insurers’ vast bond portfolios, the extra underwriting income from the fast growing new market is all the more welcome.
The cost of cyber insurance varies depending, but on average $1 million (€0.734mn) in protection ranges from about $20,000 to $25,000 (€14,683 to €18,354), according to Beshar.
German insurance giant Allianz says its premiums for €10-50 million in protection run about €50,000-90,000 in annual premiums. For protection of over €50 million, companies can get coverage up to €300 million through co-insurance policies involving multiple underwriters.
Whether insurers are offering coverage at prices commensurate with the risks is anyone’s guess, as long as underwriters have scant experience with hackers.
AXA, Europe’s second biggest insurer, is making a big push into the cyber insurance market, but has so far not paid out a single business claim.
“I would like to see a successful claim, because that would be an experience,” said Philippe Derieux, deputy CEO of AXA’s global property and causality business.
AXA is hiring computer experts and engineers to build up a centralised cyber team, but Derieux said there is a shortage of qualified talent.
“It is hard for insurers and brokers to find people able to handle the product,” Munich Re’s Schlayer said.
That lack of expertise means insurers are failing to identify high-risk clients, because they are not undertaking sufficiently rigorous security evaluations before writing cyber policies, said Bryan Rose, managing director with Stroz Friedberg, a firm that investigates cyber attacks.
This leaves the insurers vulnerable to underpricing their policies.
They often simply ask clients to fill out limited questionnaires that asking whether they have proper security procedures in place, rather than conducting thorough security audits, Rose said.
“There’s a real risk that insurance companies are not appropriately pricing the risk,” Rose said.
The European Commission launched an EU-wide cybersecurity strategy, which aims to establish cross-border rules and practices, and coordinated attack response.
Simultaneously, the EU opened a new European Cybercrime Centre (EC3), based in the Hague, in January 2013.
The centre will facilitate research and development, ensure capacity building among law enforcement, judges and prosecutors and will produce threat assessments, including trend analyses, forecasts and early warnings.
>> Read our LinksDossier: Cybersecurity: Protecting the digital economy