A Primer on Cyber Insurance by Kent McDill

02/04/2015 10:00

Legal firms, health care companies and financial services providers have been major purchasers of cyber insurance.

All public and private businesses put themselves and their bottom line at risk for any number of possible negative events, and they all buy insurance to protect themselves from claims against them.

With the building fear over computer hacking and cyber breaches, companies are now considering whether it behooves them to purchase insurance against such attacks.

Cyber insurance is a new game in the insurance industry.

According to Lynda Bennett, writing for CFO.com, a website aimed at chief financial officers, the questions surrounding cyber-insurance are nowhere near close to being answered.

“We are still in the very early stages of evaluating the claims history associated with cyber insurance policies,’’ Bennett writes. “For the past several years, insurers have been grappling with how to underwrite the risks that will be insured, how to offer the “right” limits, and how to appropriately price the policies, both in terms of premiums and self-insured retentions.”

The question of cyber-insurance thus must be answered from both the point of view of the insured and the point of view of the insurer.

The concern for the insurer is obvious. Cyber-attacks against businesses can cost millions upon millions of dollars in fraudulent charges, lawsuits and lost revenue due to consumer fears. Putting a price on that loss from an insurance standpoint is difficult, and in some cases, cost-prohibitive.

“Cyber insurance is a growth opportunity for the insurance industry that also presents an incalculable threat,’’ said Fitch Ratings Ltd. of London in a report issued in early March.

There are also questions about what is covered in a cyber-insurance policy.

The problem for insurers is that there is very little actuarial evidence from which to draw and develop pricing standards.

From the point of view of the insured, questions of possible liability crop up, and they must balance their fear of a cyber-attack against the potentially host cost of insuring against those attacks.

There are companies that issue cyber insurance, and a firm in Philadelphia, NetDiligence, that monitors such insurance coverages notes that health care and financial services generated almost half of cyber insurance claims in 2014. The median cost for a claim in the professional services industry was $230,000, according to NetDiligence.

According to Business Insurance magazine, cyber insurance became an option seven years ago, and law firms are big purchasers. The magazine says large firms could spend between $40,000 and $75,000 annually for $5 million to $10 million in coverage on cyber-attacks.

The issue has garnered the attention of the U.S. Congress, which has urged the liability insurance industry to consider making cyber-insurance available. In early March, the Senate Commerce Committee Subcommittee on Consumer Protection, Produce Safety, Insurance and Data Security held a hearing on cyber insurance.

The panel chairman, Sen. Jerry Moran, R-Kan., stated cyber insurance “may be a market-led approach to help businesses improve their cyber security posture by tying policy eligibility or lower premiums to better cyber security practices.”