Big Year for Hackers, Capped By Sony, Delivers Strong Sales to Insurers by Leslie Scism
After years of hype about how cyberinsurance was poised to become an important product for property-casualty companies, 2014 appears to be the year the coverage finally, firmly caught hold, according to leading brokerage firms.
The year started with headlines about the 2013 holiday hacker attack on retailer Target Corp. and is ending with the big story of the cyberattack on Sony Corp.’s Sony Pictures studio. There, hackers allegedly affiliated with North Korea stole hundreds of thousands of documents, contracts and emails.
Along the way were cyberattacks at Home Depot Inc. and J.P. Morgan Chase & Co., among many others.
Insurance brokers say that sales of the policies are expected to roughly double this year, from about $1 billion in 2013. They also note a broadening of the type of companies buying the specialized coverage, beyond the retailers, financial firms and health-care companies that had been among the biggest purchasers.
“It’s gone mainstream,” said Kevin Kalinich, global practice leader of network risk and cyber insurance at Aon PLC’s Aon Risk Solutions. Many types of companies are concluding “there are assets other than credit-card information that the bad guys are going after,” he said.
Data collected by Aon show that 86% of big retailers and 58% of big health-care firms—those with revenue above $1 billion a year–carried some form of cyber coverage as of Dec. 15, up from 64% and 42%, respectively, in 2013.
The pharmaceutical, energy, manufacturing and professional-services industries also bought more coverage compared with 2013, among other industries where sales are up.
Through Dec. 15, for example, 14% of utilities/energy/power firms with annual revenue greater than $1 billion were buyers, up from 4.5% in 2013, according to Aon’s data. Nearly 16% of large pharmaceutical firms were buyers, up from 2.7% in 2013.
“In the wake of various high-profile breaches, we’ve seen a continuing acceleration of demand,” said Robert Parisi, managing director of Marsh & McLennan Cos.’ cyber-risk brokerage.
Among metrics he watches is the size of policies companies are buying. “Clients that have previously bought the coverage are coming to us at the renewal and buying increased limits,” Mr. Parisi said. Some companies that had policies with limits of $15 million renewed this year with $30 million limits, for example.
For retailers, hospitals and other businesses that have consumers’ personal data in their computers, one appeal of the policies is that they typically cover the costs of investigations, customer notifications and credit-monitoring services, as well as legal expenses and damages from consumer lawsuits.
Policies also can cover reimbursement for loss of income and extra expenses resulting from suspension of computer systems, and provide payments to cover recreation of databases, software and other assets that were corrupted or destroyed by a computer attack.
The biggest health-care, financial, retail and technology businesses buy policies that can top $300 million in coverage in arrangements involving 10 to 12 different insurers, brokers said.
About 60 insurers sell the coverage. They include American International Group Inc., Chubb Corp. and syndicates at Lloyd’s.
Industry brokers and lawyers say the coverage is continuing to evolve.
Lawyer Lon Berk of Hunton & Williams LLP noted that, while brokers and underwriters are aggressively marketing cyberinsurance products, the policies being sold don’t always protect against the main risks faced by a particular company. So companies “need to carefully scrutinize their security needs and the proposed insurance product before purchasing,” he said.
Aon’s Mr. Kalinich said: “One area where there remains quite a bit of work to do is protection to insure the value of trade secrets and intellectual property. [Insurers] have not yet become comfortable that they can adequately value trade secrets or intellectual property” except for small limits–up to $5 million or so.
“There is great interest to insure trade secrets and intellectual property, but no great solution for large organizations,” he said.