Cyber Insurance Rates Skyrocket

Wednesday, October 14, 2015 @ 12:10 PM gHale

A rash of hacking attacks on U.S. companies over the past two years has prompted insurers to massively increase cyber premiums.

While the issue crosses industry borders, the manufacturing automation sector has been keeping an eye on the topic for years. On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million. While that number may seem large, that actually could leave companies exposed to the huge costs an attack could incur.

FTC Ruling Puts ICS Firms on Alert
FTC Can Sue for Bad Cyber Security
Complexity Halts Security: Report
Cyber Insurance Debate Heating Up

“Some companies are struggling to find the money to buy the coverage they want,” said Tom Reagan, a cyber insurance executive with Marsh & McLennan Co’s Marsh broker unit.

“Insurance is gambling with risk, and insurers need to ensure the house wins,” said Ken Westin, senior security analyst for Tripwire. “They do this with data to stack the deck in their favor. One of the challenges for insurers was identifying the scope of potential financial liabilities when it comes to a data breach. Much of this has been due to the lack of data to understand the potential financial impact of a breach. However, with the rise in high profile breaches, insurers finally have data they need to assess risk and the results are staggering. “Insurers see that the financial risks of a breach to a company go far beyond initial clean up and identity theft protection for customers affected. As customers, banks and even the government file lawsuits against breached companies, the financial impact of a breach is skyrocketing.

The price of cyber coverage, which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements, varies widely, depending on the strength of a company’s security.

Insuring Against Stuxnet
Even as relationships among manufacturers, their IT departments, the federal government and insurers grows ever more complex under the influence of ever-evolving privacy legislation, emerging cyber threats, and case law, insurers worldwide are growing uneasy before the prospect of a new generation of Stuxnet-like super viruses capable of targeting and destroying or, perhaps worse, appropriating, manufacturing control systems.
For more of story

Retailers and health insurers have been especially hard hit by the squeeze after high-profile breaches at Home Depot, Target, Anthem, and Premera Blue Cross.

Health insurers who suffered hacks are facing the most extreme increases, with some premiums tripling at renewal time, said Bob Wice, a leader of Beazley Plc’s cyber insurance practice.

Average rates for retailers surged 32 percent in the first half of this year, after staying flat in 2014, according to previously unreported figures from Marsh.

Higher deductibles are also now common for retailers and health insurers. And even the biggest insurers will not write policies for more than $100 million for risky customers. That leave companies like Target, which said its big 2013 data breach has cost $264 million, paying out of pocket.

“The higher prices and limits on liability are a correction based on actual losses by insurers associated with breaches,” Westin said. “Companies that have been seeking to offset their risk by focusing on investment in insurance will be increasingly better off investing some of those funds into better cyber security initiatives, particularly around controls designed to detect data breaches in progress. We know that eventually prevention will fail and companies that invest in the ability to detect and quickly remediate any attacks will be in a better position to block attackers before major damage occurs.”

The hike in hacks is good and bad for insurers. It means they have to pay out more in claims, but it also highlights the importance of buying insurance and gives them a reason to jack rates up.

As more companies realize the importance of having coverage, and insurers move in to meet that demand, the cyber insurance market is set to triple to about $7.5 billion over the next five years, according to a recent study by consulting firm PwC.

But insurers are wary of the hard-to-predict risks they are taking on.

“We have turned clients away,” said Tracie Grella, the global head of professional liability at insurance giant American International Group.

AIG offers cyber policies that cover up to $75 million for a cyber attack, but only for companies like top global banks that have are the most adept at securing networks and mitigating cyber risk.

Another insurer, Ace Group started offering up to $100 million in coverage, but only after an intensive review of potential clients’ cyber security policies and procedures.

Warren Buffett’s Berkshire Hathaway this month also launched its first cyber policies through its specialty insurance division. “We will be very selective,” said Danielle Librizzi, an executive with the insurer.