It’s not a big slice of the market yet, but cyber-risk insurance is growing as more businesses realize that it’s really not optional these days.
The question isn’t if, but when a company’s data will be hacked. Much like identity theft, it’s become an inevitability of working with computers.
The Center for Strategic and International Studies (CSIS) said in a June report sponsored by software security firm McAfee that cybercrime comes with a very high cost: more than $445 billion a year, with individuals losing about $160 billion and businesses eating the rest. However, the study also said that global losses could actually be as high as $575 billion.
Companies are beginning to take seriously the need for insurance coverage. According to a Munich Re survey, 77% of mid-size to large companies in the United States will have cyberinsurance in the next year, while 42% of U.S. risk managers will either up their companies’ protection or buy coverage for the first time.
There’s still a sizeable group—23%—that doesn’t plan to buy such coverage, with five out of six saying currently available policies aren’t what they need or that coverage isn’t relevant to their line of business. Folks in the latter group, however, may be kidding themselves, particularly if they think they’re covered with standard insurance.
Companies that think they don’t need coverage because of their type of business may not have realized just where cyber-risk lies. According to Robert Parisi, head of Marsh & McLennan’s network security and privacy practice, “Everyone understands the privacy risk. That’s gotten a ton of press from high-profile breaches [around] lost credit card data. […] What we haven’t seen come to the same level of awareness is the operational risk portion. By that, I’m talking about the structural or operational dependence companies have on their own technology and the technology provided by vendors like cloud services.”
The insurance industry has even “stepped back on traditional property and liability policies and said, ‘We didn’t mean to cover that kind of loss; you have to look elsewhere for that risk [coverage],’” Parisi said.
Advisors should be talking with their clients about cyber-risk coverage, said Parisi, because they’re “protecting assets—protecting the balance sheet, the flow of revenue.” They need to get clients to “look at where their risk points are and where they are susceptible.”
That’s not to say that companies with coverage can just sit back and relax. Parisi said many companies assume that “we spent all this money on technology; we’re fine.” Marsh pointed out that in some jurisdictions, it is against public policy “to allow companies to be indemnified for losses arising from their improper, intentional or fraudulent behavior.” In such cases, even policies that carry “express grants of coverage for punitive damages, privacy fines and penalties” may have to rely on “enhanced cyberprotection” provided by an alternate insurer. Still, a pragmatic company will take action to beef up its security measures.
Firms also need to be prepared for when their defense against cybercrime doesn’t work, Parisi said. He pointed to one of the simplest and relatively low-tech methods of getting past a company’s defenses, security guards and software: a key ring complete with keys and thumb drive dropped in a company parking lot for a well-meaning employee to pick up and take inside, there to plug the thumb drive into his computer in an attempt to learn the owner’s identity and thus return his keys. “Human foible” has thus given the bad guys entrée to the company’s computer system.
Even insurance companies are a bit behind the curve because they don’t have the depth of underwriting for cyber-risk that they do for, say, earthquakes or hurricanes. According to Parisi, a lack of statistically significant actuarial data is one barrier to accurately pricing cyber-risk coverage. However, as claims come in, the data will emerge. Prices on policies for retailers have already increased with such headline grabbers as Neiman Marcus acknowledging that its customer databases were hacked.
Parisi cited a saying in the industry: “There are three types of companies: companies that had a cyber issue, companies that are going to and companies that are in the middle of one and haven’t figured it out yet.” With those odds, it would seem that cyber-risk coverage is insurance whose time has come.