Cyberattack insuranceDemand for cyberattack insurance grows, but challenges remain

The surge in cyberattacks against the private sector and critical infrastructure has led to a growth in demand for cyber insurance; yet most insurers are unable properly to assess their clients’ cyber risk, let alone issue the appropriate pricing for their cyber coverage. Corporate risk managers have noted that insurance against cybercrime is now a necessary budget spending. While many companies have relied on their general commercial liability policies for cyber insurance, they are now seeking stand-alone policies for coverage. When Sony Corporation tried to force its general commercial liability insurance provider to foot the bill for class action lawsuits following a 2011 cyberattack on its PlayStation Network, a New York state court ruled in February 2014 against Sony. Target, in contrast, had $100 million in cyber insurance when forty million payment card numbers were stolen in 2013, according to Business Insurance.

The Sony ruling prompted some firms to get cyber-specific insurance policies, said Dave Kennedy, CEO of TrustedSec LLC, which helps companies conduct security assessments before they obtain insurance. “There has been a huge uptick in cyber insurance,” he said.

The insurance broking division of Marsh & McLennan Companies predicts the U.S. cyber insurance market will reach $2 billion in gross written premiums in 2014, up from $1 billion in 2013. The European market is currently a fraction of that amount at $150 million, but it is growing by 50 to 100 percent annually, according to Marsh. “Companies have become aware that the risk of being hacked is unavoidable,” said Andreas Schlayer, responsible for cyber risk insurance at Munich Re, the world’s biggest reinsurer. “People are now more aware that hackers can attack and do great damage to central infrastructure, for example in the energy sector.”

The market for cyber insurance is growing, but not without its challenges. With cybercrime costing the global economy as much as $445 billion every year, according to a recent estimate from the Center for Strategic and International Studies; insurers who traditionally handle risks like weather disasters and fires, are now rushing to gain expertise in cyber technology, Insurance Journal reports. “It is a difficult risk to price by traditional insurance methods as there currently is not statistically significant actuarial data available,” said Robert Parisi, head of cyber products at Marsh.

On average, a $1 million cyber coverage could cost $20,000 to $25,000, according to IJ, and German insurance giant Allianz charges 50,000 to 90,000 euros in annual premiums for 10 to 50 million euros in coverage. AXA, Europe’s second biggest insurer, notes that despite the firm’s push into the cyber insurance market, it has not paid out a single business claim. “I would like to see a successful claim, because that would be an experience,” said Philippe Derieux, deputy CEO of AXA’s global property and casualty business.

As insurers look to offer their cyber coverage, they are finding it difficult to assess risks. AXA is seeking cybersecurity professionals to build a centralized cyber team, but there is a shortage of qualified talent. “It is hard for insurers and brokers to find people able to handle the product,” Munich Re’s Schlayer said. The lack of expertise means insurers are unable to appropriately identify clients’ vulnerability to cybercrime. Some insurers simply ask clients to submit limited questionnaires that ask whether proper security procedures are in place, rather than conducting thorough security audits. “There’s a real risk that insurance companies are not appropriately pricing the risk,” said Bryan Rose, managing director with Stroz Friedberg, a firm that investigates cyberattacks.