Companies looking to cover large losses from hacking will have to pay much more.
Retail giant Target has reported costs totaling $252 million that have stemmed from its 2013 cyber breach exposing 70 million customers’ personal information, with only $90 million covered by insurance. Good luck to large retailers finding coverage to match even that amount today, although other business sectors may fare better.
Massive data breaches at big-box retail chains like Target and Home Depot have besmirched the sector in the eyes of insurers, fairly or not, and the Anthem and Premera Blue Cross breaches earlier this year, impacting tens of millions of customers, have put healthcare players in similar underwriting crosshairs. As a result, even companies in those sectors that have diligently determined their cyber risk and developed sophisticated defense frameworks are finding less coverage available at higher prices.
Until recently, multinationals have been able to find coverage in the $200 million to $300 million range.
“In the retail industry, that capacity has contracted; if you’re a retailer, you’re likely going to struggle to get more than $125 million,” said Ben Beeson, senior vice president of cyber security at global insurance broker Lockton Companies, adding that health care organizations are unlikely to find more than $200 million.
Mr. Beeson said some insurers are actually declining to take on clients whose policies they would have probably underwritten a year ago. Unsurprisingly, as supply of cyber coverage has dropped, premiums have jumped.
Matt Donovan, global practice leader, technology and privacy, at global specialist insurer Hiscox, said that cyber insurance costs have been “extraordinarily affordable” for a number of years, given the growing number of insurers competing for that business.
“That said, certain industry segments are experiencing massive pricing increases, especially retail after recent payment card breaches,” Mr. Donovan said, adding that since some of those breaches, such as Target’s, occurred over the last year or two, the insurance industry’s annual renewal schedule has resulted in premium hikes only recently.
Whether insurers will underwrite the cyber risk of companies in the big-box retail sector at all largely depends on the defense framework they have put in place. Mr. Beeson said that existing clients will have a better chance at keeping premiums down than new buyers, but even retailers taking precautionary measures such as encrypting data and deploying multi-factor authentication will nevertheless be viewed as high risk in today’s market.
“Insurers have raised the security baseline or floor that retailers must meet in order to acquire cyber insurance today. If you are not encrypting payment card data or using alternative tools such as tokenization, many insurers will now decline to offer coverage at all. If you want to buy cyber insurance as a retailer now, most of the insurance industry is saying that, as a baseline, you have to encrypt payment card data where the card is swiped on the payment card machine,” Mr. Beeson said. “If you’re not doing that, you’ll now have a really hard time even getting cyber insurance.”
He added that premiums have not increased for certain industries but have generally gone up by 10 percent over last year, and significantly more for the retail and healthcare sectors.
Peter Foster, executive vice president and global resources for cyber risk at insurance broker Willis, said that premiums today, except for retailers’, are typically 1.2 percent to 1.3 percent of the limit for insurance towers up to $300 million.
“Nevertheless,” Mr. Foster said, “we are seeing underwriters pull out or back from underwriting larger cyber accounts” across regulated industries, and especially when the insured wants limits above $100 million, where premiums have been reduced significantly. He added that previously insurers providing a company with $100 million in coverage had little concern that losses would exceed that amount, but that has changed and now they want premiums closer to the primary policy premium for the first $30 million to $40 million limits.
“Building capacity for existing towers without having to take apart the lower layers—below $100 million—has become a major challenge,” Mr. Foster said.
Tom Wakefield, a broker at Aon Benfield specializing in cyber risk, said that outside the big-box retailers and healthcare providers, large companies can still find capacity in the range of $200 million to $300 million, and as high as $450 million for the big banks. Likewise, aside from those two sectors, premiums have remained fairly stable for traditional cyber policies as well as more innovative policies from insurers such as AIG, Brit and Hiscox that cover cyber-risk gaps that existing property and crime policies miss.
“Price remains a function of capacity required and exposure,” Mr. Wakefield said.
The banking industry has certainly had its cyber knocks; J.P. Morgan, for example, experienced a breach last year that reportedly exposed 83 million accounts. In this instance, however, bankers probably aren’t complaining about being a highly regulated business.
“Banks might appear to be high risk, but interestingly the insurance market looks more favorably on financial institutions, even J.P. Morgan, because they’re heavily regulated and have to make significant investments in cyber security,” Mr. Beeson said, adding that many retailers haven’t made those investments, and their thin margins can result in cyber breaches inflicting much greater damage.
In the case of J.P. Morgan, it had segregated critical information in its database, so key information such as customer credit card numbers remained secure. Other retail businesses, such as the big hotel chains, have also developed sophisticated defenses to thwart cyber-attacks, Mr. Beeson said, and so haven’t seen the same underwriting hurdles.
The Risk Management Society published the results of its Cyber Survey in May and found that 54.81 percent of its members—of which nearly 60 percent have annual revenues over $1 billion—are paying a premium of more than $100,000. The majority of members, 58 percent, had less than $20 million in coverage, and nearly half of those organizations are paying more than $100,000 in premium. Only 51 percent of its members purchase standalone cyber insurance policies.