Despite barriers, cyber insurance catches on in key sectors
Manufacturing, hospitality, energy companies seek to account for liabilities stemming from data theft
By Edward Iwata, ThirdCertainty
A handful of industries recognized early on that the valuable data they held made them prime hacking targets.
(Editor’s note: This is part two of a three-part series on the emerging cyber insurance market.)
Companies in the financial services, health care, retail and tech sectors created the initial demand for cyber liability insurance coverage.
Meanwhile businesses in other fields felt that cyber insurance was not needed.
As the threat and costs of cyber attacks continues to rise, companies in many more industries are looking more deeply at cyber coverage and purchasing insurance policies.
Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction
“Without question, companies in a variety of sectors recognize that they have significant cyber and privacy risks, and they are looking to transfer that risk,” says Jason Straight, chief privacy officer at UnitedLex, a legal services outsourcing firm.
Among the new converts:
- The hospitality sector. Prestige Cruises International, the Miami-based operator of Seven Seas Cruises, disclosed in a recent U.S. Securities and Exchange Commission filing that cyber attacks could hurt its operations and financial results with the same devastating impact as hurricanes and other natural disasters. Prestige carries network-security and privacy-liability insurance to help offset potential costs for data-breach response, notification, forensics, legal and regulatory actions, credit identity monitoring and fraud alert and other expenses.
- Gaming and sports entertainment. Churchill Downs, home of the Kentucky Derby, disclosed in an SEC filing that it carries wide-ranging cyber insurance to guard against the potential fallout from cyber attacks. Risks covered include “network security, first-party extortion threats and business interruptions.” The Louisville, Ky.-based company concedes “there are certain exclusions to this coverage, and the insurance limits may not be sufficient to fully mitigate all financial damage to the Company.”
- Energy industry. RGC Resources, a natural-gas company based in Roanoke, Va., with 58,000 residential and commercial customers, notes in its 2014 annual report that it carries cyber-insurance coverage “to mitigate financial implications” and a security-response plan “to reduce the impact of cyber attacks and data breaches.”
Several factors are driving cyber insurance into the risk management spotlight. For one, the hacking of marquee companies and agencies continue to grab headlines, stirring regulators at the federal and state levels to impose tighter rules on handling sensitive data. Case in point: the fallout of the U.S. Office of Personnel Management breach.
Meanwhile, the commercial leveraging of the Internet shows no sign of slowing down. Storage of sensitive business and personal data has shifted to hosted cloud services. And consumers and workers increasingly access business data via web-connected mobile devices. This trend is multiplying exposure to insider theft, social engineering, clever hacking—and various combinations of these data-stealing techniques.
Industry responds as exposure risks grow
What’s more, the insurance industry is highly motivated to develop this new market for all it’s worth. Carriers introduced 38 new cyber-insurance products in 2013, up from 32 new cyber coverages in 2012, says insurance consultancy Advisen Ltd. The insurance industry’s innovative blood is flowing as carriers scramble to tap what’s viewed as a rich vein of fresh revenue and profits.
“No doubt,” Straight says, “what’s driving all of this is everyone’s increasing reliance on technology to operate.”
According to insurance brokerage giant Marsh, the 2014 growth rates for clients buying cyber-insurance policies soared in hospitality and gaming (69 percent), education (58 percent), power and utilities (47 percent), retail/wholesale (43 percent), manufacturing (35 percent) and professional services (27 percent.)
Security & Privacy Weekly News Roundup: Stay informed of key patterns and trends
Marsh says that its clients buying cyber policies rose 32 percent in 2014 from 2013, and the pace is quickening in 2015. And a wide range of reports show that 31 percent to 52 percent of companies have some type of cyber insurance, according to research by the Insurance Information Institute.
In the meantime, the demand for cyber insurance keeps growing in the traditionally strong sectors of retail, health care and financial services.
An Advisen report compiled for reinsurer PartnerRe concludes that “the continued increase in demand suggests that rather than being saturated, there is still plenty of scope for growth in these highly exposed sectors.”
These heady growth rates, of course, are off of a comparatively small base. The $2 billion U.S. cyber-insurance market is a tiny chunk of the multibillion-dollar insurance industry. At this nascent stage, ignorance about the viability and scope of cyber-insurance coverages remains the rule. A common perception is that cyber policies are fringe products reserved for companies with deep pockets.
Reality of threats starts to sink in
Slowly, however, more businesses in diverse sectors are beginning to realize that virtually all of their operations use technology that is vulnerable to cyber attacks, says Robert Parisi, managing director at Marsh FINPRO.
Such wide-ranging “operational cyber risk” includes manufacturing, distribution, supply chains, inventory, point-of-sale systems—virtually all aspects of a company, Parisi points out.
And in an Internet-centric economy, where partnerships routinely involve companies of all sizes collaborating remotely, risks can swiftly migrate to all of the partners. A small business blind to cyber exposures can prove to be the weak link through which hackers navigate to larger partner organizations.
To address these emerging exposures, security vendors and insurance carriers alike are innovating and marketing new products and services to both large enterprises and small and mid-size businesses.
Less than 3 percent of businesses with revenue of less than $1 million carry cyber insurance, according to Advisen. That notion is not lost on carriers eager to sell cyber policies to small companies.
Nate Spurrier, director of business development for IDT911, which sponsors ThirdCertainty, says that cyber insurance will become “a standard solution in the market” when small businesses see other small businesses having breaches—“instead of only the Targets and Sonys and Home Depots of the world.”
ThirdCertainty Editor-in-Chief Byron Acohido contributed to this report.
Part 3: Cyber insurance due diligence tips for small, mid-size and large companies. Coming July 28.