Cybersecurity insuranceGrowing cyberthreats lead to growing interest in cybersecurity insurance

Published 4 September 2014

The increasing sophistication and scope of cyberattacks on businesses – and the increasing damage such attacks are causing – have led to growing interest in cybersecurity insurance. The industry is urging the government to treat cyberattacks as acts of terrorism which should be covered under the Terrorism Risk Insurance Act(TRIA), while also looking into how the Stafford Actcould help companies after a cyberterror attack. At the same time, more private insurers are offering limited cyber-coverage, but many say they would discontinue selling cyber policies if TRIA is not renewed. As the term “cyber-coverage” continues to be defined by large insurers, the insurance product lines continue to change.

Following last week’s news of a cyberattack on JP Morgan, in which hackers stole gigabytes of data from the bank’s network, U.S. regulators are stressing the importance of better cybersecurity measures, while bankers are calling for an improved federally backed cybersecurity insurance plan for the financial industry.

Former DHS chief Janet Napolitano said in her valedictory speech that the country will someday suffer a cyber 9/11 “that will have a serious effect on our lives, our economy, and the everyday functioning of our society.” Since then, banks have hired security consultants and invested in top cybersecurity initiatives, but even the most secured institutions are vulnerable to hacking, so banks are requesting the federal government to play a larger role.

The Terrorism Risk Insurance Act (TRIA), enacted after 9/11, authorizes the government to cover up to $100 billion in losses due to a terrorist attack after insurers cover a fixed amount of losses. As recently as last year, insurers were asking Congress to include cyberattack coverage in the reauthorization bill.

The law, which is up for renewal in the House, would treat cyberterror as a physical attack, according to people involved in the renewal talks. Representative Jeb Hensarling (R-Texas), chairman of the House Financial Services Committee, which is holding discussions on TRIA, wants to limit and eventually do away with TRIA, so for now insurers have dropped their request of adding cybersecurity language to the law. “The industry doesn’t want to open that fight up,” said Mark Calabria, director of financial regulation studies at the Cato Institute. “It would jeopardize renewal altogether.”

TheInsurance Journal reports that industry consultants are also looking into how the Stafford Act could help companies after a cyberterror attack. Under the act, the Federal Emergency Management Agency would help cover losses from physical damage resulting from a cyberattack, such as broken electric grid systems. “In these big disasters, everyone is looking at the Stafford Act because there is money there,” said Monica Giovachino, a managing director at CNA Corp. The National Emergency Management Association, a group representing states, reports that federal and state officials are meeting in October to discuss recovery plans following a cyber-terror attack.

Private insurers offer limited cyber-coverage, but many are refusing to sell cyber policies if TRIA is not renewed. “The limited market for cyber terrorism that does exist is reliant on TRIA’s continuation beyond 2014,” London-based insurer Aon Plc wrote in a paper sent to the Treasury last September.

American International Group (AIG) is one of the few insurers offering cyber coverage policies. Premiums paid to AIG on cyber policies increased by 25 percent a year in 2012 and 2013, and premiums have so far increased by 30 percent this year. Large financial institutions make up a significant portion of policyholders, with smaller firms expected to purchase coverage after pressure from regulators.

As the term “cyber-coverage” continues to be defined by large insurers, the product lines are ever-changing. “Nobody has really been able to define what cyber- terrorism risk is,” said Lawrence Mirel, a former insurance commissioner for the District of Columbia, now a partner at Nelson Brown Hamilton & Krekstein. “So even the companies that are offering these policies don’t entirely know what they are covering.”