Cyber insurance premiums rocket after high-profile attacks

Boston, October 12

A rash of hacking attacks on US companies over the past two years has prompted insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover.

On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that.

“Some companies are struggling to find the money to buy the coverage they want,” said Tom Reagan, a cyber insurance executive with Marsh & McLennan Co’s Marsh broker unit.

The price of cyber coverage — which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements — varies widely, depending on the strength of a company’s security. But the overall trend is sharply up.

Retailers and health insurers have been especially hard hit by the squeeze after high-profile breaches at Home Depot Inc, Target Corp, Anthem Inc and Premera Blue Cross.

Health insurers who suffered hacks are facing most extreme increases, with some premiums tripling at renewal time, said Bob Wice, a leader of Beazley Plc’s cyber insurance practice.

Average rates for retailers surged 32 per cent in the first half of this year, after staying flat in 2014, according to previously unreported figures from Marsh.

Higher deductibles are also now common for retailers and health insurers. And even the biggest insurers will not write policies for more than $100 million for risky customers. That leave companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.

Number two US health insurer Anthem ran into difficulties renewing its coverage after an attack early this year that compromised some 79 million customer records, as per testimony from Anthem General Counsel Thomas Zielinski at an August hearing of the National Association of Insurance Commissioners.

Renewal rates were ‘prohibitively expensive’, according to minutes of that session seen by Reuters. The company managed to get $100 million in coverage, Zielinski said, but only after agreeing to pay the first $25 million in costs for any future attacks. The company would not say what that figure was before, but it was likely much smaller.

The spate of hacks is potentially good and bad for insurers. It means they have to pay out more in claims, but it also highlights the importance of buying insurance and gives them a reason to jack rates up.

As more firms realise importance of having coverage, and insurers move in to meet that demand, cyber insurance market is set to triple to about $7.5 billion over next five years, as per a recent study by PwC.

But insurers are wary of the hard-to-predict risks they are taking on.

“We have turned clients away,” said Tracie Grella, global head of professional liability at American International Group (AIG). AIG offers cyber policies that cover up to $75 million for a cyber attack, but only for companies like top global banks that have are the most adept at securing networks and mitigating cyber risk.

Another insurer, Ace Group, recently started offering up to $100 million in coverage, but only after an intensive review of potential clients’ cyber security policies and procedures.

Warren Buffett’s Berkshire Hathaway this month also launched its first cyber policies through its speciality insurance division. “We will be very selective,” said Danielle Librizzi, an executive with the insurer.