Wherever there’s risk, insurers get interested. And few threats are more on the minds of business leaders than cyber attacks and data breaches. The list of companies that have been invaded by cyber-criminals who made off with valuable information ranges from Barnes & Noble to Home Depot to J.P. Morgan to Staples, Sony and Target.
No company is immune. Supposedly tech-savvy Slack had its customers’ messages pilfered. Even secure-password site LastPass was hacked by someone who made off with customer data.
And no litany would be complete without mentioning that hackers were able to break into health insurance companies Anthem and CareFirst.
When such breaches occur, the financial and reputational damage can be devastating. Not only are companies exposed to direct financial loss from things like credit-card theft, but their customers, having lost trust in their ability to safeguard important information, can abandon them.
To address this growing problem, insurers including American International Group (AIG), Liberty Mutual, Travelers, and W. R. Berkley have created policies and services.
This past summer, I talked with Tim Francis, Enterprise Cyber Lead at Travelers Insurance. He was vacationing at some garden spot in North Carolina when we spoke, taking a break from his responsibilities forging underwriting strategies for a suite of cyber-insurance products for the Hartford, Connecticut-based company. He explained some of the fine points.
Even if breached companies succeed in avoiding an onslaught of negative media coverage, they face heavy burdens. They have to notify individual customers, perhaps offering them credit monitoring and other services. Then there’s defending against lawsuits, and taking measures to meet a growing list of regulatory requirements.
According to Francis, the average cost of recent corporate breaches is more than $5 million, weighted heavily by major events like the Target hack. The retailer had $100 million in cyber insurance, but the cost of remediation exceeded that figure.
Something as small as an employee’s loss of a laptop can lead to a disastrous loss, and even well-defended organizations are vulnerable to sophisticated attacks.
As with all insurance activity, for companies like Travelers it’s all about laying off risk. Travelers will carry up to $10 million for a single company. But beyond that, the firm will bring in other insurers. “The largest program I’ve seen is $500 million,” says Francis.
Of course, Travelers has to assess the applicant’s existing risks and the cyber-defense measures it has in place. Smaller firms can “just fill out a six-page form,” Francis says.
A $1 million policy, the most common level today, costs about $4,000 per year.
Although the Home Depots and Targets of the world typically work with cyber-crime experts, smaller companies usually don’t have the resources. And once a breach has been discovered, someone has to stop the bleeding. Just because you know some entity has cracked your system doesn’t mean hackers are not still in there stealing valuable information, which only adds to the eventual costs. Thus, it’s in everyone’s best interest — particularly the smaller firms — that the insurers bring in such forensic computer analysts. Insurers have pre-negotiated contracts for these services, so they can be deployed more quickly and economically than most firms could manage.
Travelers has had a cyber practice for more than a decade, but it has taken off recently with customers large and small. Total industry premiums now amount to roughly $2 billion, double what they were just 18 months ago. Experts currently expect that figure to hit $5-6 billion in the next 5 years or so.
Many factors are driving this rapid growth. The steady drumbeat of successful high-profile attacks has rattled executives around the world. Top management is on the hook for negligent behavior that leads to a breach. And on the regulatory side, the Securities and Exchange Commission (SEC) now requires companies to disclose breaches.
Travelers also offers insurance for individuals, protecting them against depredations like identity fraud. A victimized individual has access to resources for credit monitoring, identity restoration, expense relief for replacement of a driver’s license and other credentials, and compensation for time off work to take care of all these things. Such policies are usually sold in combination with a homeowners policy or as part of a company’s employee benefit program.
Cyber protection adds around $25 to the cost of a homeowner’s plan and buys up to $25,000 of cost defrayal. As part of a corporate benefit plan, the increment can be as little as 30 cents per employee.
Cyber insurance is still in its early days, and insurance companies don’t yet know whether their risk assessment calculations are accurate. Their actuaries try to price for an expected profit, but they don’t have a lot of data yet. The risk is still unknown. Travelers views cyber insurance as a potentially promising area, but is proceeding with caution. A wide range of outcomes is possible, and history may not be an accurate guide for such a new and fast-evolving problem.
As Francis puts it, “The seas are not only rough, but uncharted.”