Despite barriers, cyber insurance catches on in key sectors

Manufacturing, hospitality, energy companies seek to account for liabilities stemming from data theft

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

A hand­ful of indus­tries rec­og­nized ear­ly on that the valu­able data they held made them prime hack­ing targets.

(Editor’s note: This is part two of a three-part series on the emerg­ing cyber insur­ance market.)

Com­pa­nies in the finan­cial ser­vices, health care, retail and tech sec­tors cre­at­ed the ini­tial demand for cyber lia­bil­i­ty insur­ance cov­er­age.

Mean­while busi­ness­es in oth­er fields felt that cyber insur­ance was not needed.

No more.

As the threat and costs of cyber attacks con­tin­ues to rise, com­pa­nies in many more indus­tries are look­ing more deeply at cyber cov­er­age and pur­chas­ing insur­ance policies.

Free IDT911 white paper: Breach, Pri­va­cy, And Cyber Cov­er­ages: Fact And Fiction

Jason Straight, UnitedLex chief privacy officer
Jason Straight,
Unit­edLex chief pri­va­cy officer

With­out ques­tion, com­pa­nies in a vari­ety of sec­tors rec­og­nize that they have sig­nif­i­cant cyber and pri­va­cy risks, and they are look­ing to trans­fer that risk,” says Jason Straight, chief pri­va­cy offi­cer at Unit­edLex, a legal ser­vices out­sourc­ing firm.

Among the new converts:

  • The hos­pi­tal­i­ty sec­tor. Pres­tige Cruis­es Inter­na­tion­al, the Mia­mi-based oper­a­tor of Sev­en Seas Cruis­es, dis­closed in a recent U.S. Secu­ri­ties and Exchange Com­mis­sion fil­ing that cyber attacks could hurt its oper­a­tions and finan­cial results with the same dev­as­tat­ing impact as hur­ri­canes and oth­er nat­ur­al dis­as­ters. Pres­tige car­ries net­work-secu­ri­ty and pri­va­cy-lia­bil­i­ty insur­ance to help off­set poten­tial costs for data-breach response, noti­fi­ca­tion, foren­sics, legal and reg­u­la­to­ry actions, cred­it iden­ti­ty mon­i­tor­ing and fraud alert and oth­er expenses.
  • Gam­ing and sports enter­tain­ment. Churchill Downs, home of the Ken­tucky Der­by, dis­closed in an SEC fil­ing that it car­ries wide-rang­ing cyber insur­ance to guard against the poten­tial fall­out from cyber attacks. Risks cov­ered include “net­work secu­ri­ty, first-par­ty extor­tion threats and busi­ness inter­rup­tions.” The Louisville, Ky.-based com­pa­ny con­cedes “there are cer­tain exclu­sions to this cov­er­age, and the insur­ance lim­its may not be suf­fi­cient to ful­ly mit­i­gate all finan­cial dam­age to the Company.”
  • Ener­gy indus­try. RGC Resources, a nat­ur­al-gas com­pa­ny based in Roanoke, Va., with 58,000 res­i­den­tial and com­mer­cial cus­tomers, notes in its 2014 annu­al report that it car­ries cyber-insur­ance cov­er­age “to mit­i­gate finan­cial impli­ca­tions” and a secu­ri­ty-response plan “to reduce the impact of cyber attacks and data breaches.”

Sev­er­al fac­tors are dri­ving cyber insur­ance into the risk man­age­ment spot­light. For one, the hack­ing of mar­quee com­pa­nies and agen­cies con­tin­ue to grab head­lines, stir­ring reg­u­la­tors at the fed­er­al and state lev­els to impose tighter rules on han­dling sen­si­tive data. Case in point: the fall­out of the U.S. Office of Per­son­nel Man­age­ment breach.

Mean­while, the com­mer­cial lever­ag­ing of the Inter­net shows no sign of slow­ing down. Stor­age of sen­si­tive busi­ness and per­son­al data has shift­ed to host­ed cloud ser­vices. And con­sumers and work­ers increas­ing­ly access busi­ness data via web-con­nect­ed mobile devices. This trend is mul­ti­ply­ing expo­sure to insid­er theft, social engi­neer­ing, clever hacking—and var­i­ous com­bi­na­tions of these data-steal­ing techniques.

Indus­try responds as expo­sure risks grow

What’s more, the insur­ance indus­try is high­ly moti­vat­ed to devel­op this new mar­ket for all it’s worth. Car­ri­ers intro­duced 38 new cyber-insur­ance prod­ucts in 2013, up from 32 new cyber cov­er­ages in 2012, says insur­ance con­sul­tan­cy Advisen Ltd. The insur­ance industry’s inno­v­a­tive blood is flow­ing as car­ri­ers scram­ble to tap what’s viewed as a rich vein of fresh rev­enue and profits.

No doubt,” Straight says, “what’s dri­ving all of this is everyone’s increas­ing reliance on tech­nol­o­gy to operate.”

Accord­ing to insur­ance bro­ker­age giant Marsh, the 2014 growth rates for clients buy­ing cyber-insur­ance poli­cies soared in hos­pi­tal­i­ty and gam­ing (69 per­cent), edu­ca­tion (58 per­cent), pow­er and util­i­ties (47 per­cent), retail/wholesale (43 per­cent), man­u­fac­tur­ing (35 per­cent) and pro­fes­sion­al ser­vices (27 percent.)

Secu­ri­ty & Pri­va­cy Week­ly News Roundup: Stay informed of key pat­terns and trends

Marsh says that its clients buy­ing cyber poli­cies rose 32 per­cent in 2014 from 2013, and the pace is quick­en­ing in 2015. And a wide range of reports show that 31 per­cent to 52 per­cent of com­pa­nies have some type of cyber insur­ance, accord­ing to research by the Insur­ance Infor­ma­tion Institute.

In the mean­time, the demand for cyber insur­ance keeps grow­ing in the tra­di­tion­al­ly strong sec­tors of retail, health care and finan­cial services.

An Advisen report com­piled for rein­sur­er Part­nerRe con­cludes that “the con­tin­ued increase in demand sug­gests that rather than being sat­u­rat­ed, there is still plen­ty of scope for growth in these high­ly exposed sectors.”

These heady growth rates, of course, are off of a com­par­a­tive­ly small base. The $2 bil­lion U.S. cyber-insur­ance mar­ket is a tiny chunk of the multi­bil­lion-dol­lar insur­ance indus­try. At this nascent stage, igno­rance about the via­bil­i­ty and scope of cyber-insur­ance cov­er­ages remains the rule. A com­mon per­cep­tion is that cyber poli­cies are fringe prod­ucts reserved for com­pa­nies with deep pockets.

Real­i­ty of threats starts to sink in

Slow­ly, how­ev­er, more busi­ness­es in diverse sec­tors are begin­ning to real­ize that vir­tu­al­ly all of their oper­a­tions use tech­nol­o­gy that is vul­ner­a­ble to cyber attacks, says Robert Parisi, man­ag­ing direc­tor at Marsh FINPRO.

Such wide-rang­ing “oper­a­tional cyber risk” includes man­u­fac­tur­ing, dis­tri­b­u­tion, sup­ply chains, inven­to­ry, point-of-sale systems—virtually all aspects of a com­pa­ny, Parisi points out.

And in an Inter­net-cen­tric econ­o­my, where part­ner­ships rou­tine­ly involve com­pa­nies of all sizes col­lab­o­rat­ing remote­ly, risks can swift­ly migrate to all of the part­ners. A small busi­ness blind to cyber expo­sures can prove to be the weak link through which hack­ers nav­i­gate to larg­er part­ner organizations.

To address these emerg­ing expo­sures, secu­ri­ty ven­dors and insur­ance car­ri­ers alike are inno­vat­ing and mar­ket­ing new prod­ucts and ser­vices to both large enter­pris­es and small and mid-size busi­ness­es.

Less than 3 per­cent of busi­ness­es with rev­enue of less than $1 mil­lion car­ry cyber insur­ance, accord­ing to Advisen. That notion is not lost on car­ri­ers eager to sell cyber poli­cies to small companies.

Nate Spurri­er, direc­tor of busi­ness devel­op­ment for IDT911, which spon­sors Third­Cer­tain­ty, says that cyber insur­ance will become “a stan­dard solu­tion in the mar­ket” when small busi­ness­es see oth­er small busi­ness­es hav­ing breaches—“instead of only the Tar­gets and Sonys and Home Depots of the world.”

Third­Cer­tain­ty Edi­tor-in-Chief Byron Aco­hi­do con­tributed to this report.

Part 1: Cyber insur­ance mar­ket aris­es to meet secu­ri­ty, pri­va­cy challenges. 

Part 3: Cyber insur­ance due dili­gence tips for small, mid-size and large com­pa­nies. Com­ing July 28.