It appears we have reached the point where Corporate America’s response to an increasing risk of cyber attacks is – if you can’t beat ‘em, at least be insured.
These days, it seems, the reality and likelihood of data breaches is now just another cost of doing business, which, as the New York Times noted earlier this week, has made the niche of cyber insurance the industry’s fastest-growing segment.1
Specialized policies to protect against online attacks are now offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. Demand increased 21% last year from 2012, according to Marsh, a risk management company and insurance broker.
Total cyber insurance premiums paid last year reached $1.3 billion, according to Betterley Risk Consultants, a jump from the $1 billion paid in 2012. The bulk of that involves smaller policies issued to small to midsize businesses, the Times said.1
Unfortunately, the most coverage a company can hope to acquire, using multiple underwriters, is about $300 million, experts say, significantly less than the billions of dollars’ worth of coverage available in property insurance.
The problems companies face in getting insurance are illustrated by the situation Target faced last year.
At the time of its breach amid last year’s holiday season, the Times said that the retailer had cobbled together $100 million in coverage, on top of a $10 million deductible, according to regulatory filings.
However, that coverage will barely compensate for the $1 billion in losses some analysts are forecasting. Since the breach was discovered, the company has incurred $88 million in breach-related expenses, its filings say, and it expects insurance to cover only $52 million of that.1
And it goes without saying the loss to Target’s brand has perhaps been even more damaging.
To regain consumer confidence, Target said it would speed the adoption of more secure chip-and-PIN technology in its stores and for its branded debit and credit cards, a step it estimates will cost $100 million. That expense, sadly, is not covered by its insurance policies.
Interestingly, cyber insurance has existed since the 1990s, but companies were effectively shaken into considering coverage when a New York court ruled in February that Sony’s general liability policy would not cover the $2 billion in costs the company incurred from its huge data breach in 2011 involving the online network for its PlayStation game console.
Of course, the growth in demand for cyber insurance doesn’t mean companies aren’t also ramping up their efforts to fight online attacks. PwC’s Annual Global CEO Survey 2014 found 69% of US respondents reported they were worried about the impact of cyber threats to their growth prospects.2
For some investors, that has also meant an opportunity to experience similar demand – and higher prices — for certain cyber security stocks. The Cyber Security motif, a portfolio of stocks of companies that provide security software, has gained 7.2% in the past month. During that same time period, the S&P 500 is up 2.0%.
Over the last 12 months, the motif has risen 15.1%; the S&P 500 has increased 20.4%.
1Nicole Perlroth and Elizabeth A. Harris, “Cyberattack Insurance a Challenge for Business,” nytimes.com, June 8, 2014, http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html?module=Search&mabReward=relbias%3As&_r=0, (accessed June 11, 2014).
2John Ginovsky, “8 reasons why cybercrime is soaring,” ababj.com, June 11, 2014, http://www.ababj.com/component/k2/item/4688-8-reasons-why-cybercrime-is-soaring.