Cyberattack insurance spending soars as hacks become more common

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.montereyherald.com/business/20150214/cyberattack-insurance-spending-soars-as-hacks-become-more-common

Hackers are wreaking havoc on big organizations, but they're also spurring
a new market -- cyberattack liability insurance.

Once-complacent businesses, stung by debilitating cyberattacks at Target,
JPMorgan Chase and other well-known companies, are on a cyberattack
insurance shopping spree.

"Everyone's swamped with new applications," said Nick Economidis, an
underwriter at cyberattack insurance provider Beazley Group.

The hack of health insurer Anthem's computer system -- a breach disclosed
earlier this month affecting up to 80 million customers -- is bound to
create more demand.

Spending on cyberattack insurance nearly doubled in 2014 from 2013, to
about $2 billion, according to industry analysts.

Insurance offices are struggling to keep pace. Nearly every insurance agent
polled last fall by reinsurer PartnerRe reported growing demand for
cyberattack liability insurance, with 45 percent reporting a "significant"
uptick. Beazley said the number of policies in its book rose 150 percent
from 2012 to 2013 and 100 percent from 2013 to 2014.

Ty Sagalow, an industry consultant and former chief operating officer for
AIG's eBusiness division, said the growing sense that cyberattacks are no
longer unusual events is dialing up the fear factor.

"Think of a massive cyberattack as an intelligent hurricane," he said. "If
it hits a house that doesn't fall down it learns why the house didn't fall
and it changes. "It is a scary thing. ... Scary things sell insurance."

The insurance policies can cover the long lists of costs and losses,
including patching holes in computer networks, locating culprits, notifying
affected consumers and battling lawsuits, as well as foregone business and
public relations campaigns.

As the costs of cyberattacks rise, insurers are limiting their maximum
payouts and requiring high deductibles, said Karl Pedersen, senior vice
president at insurance brokerage and risk adviser Willis.

Target spent $248 million after hackers stole 40 million payment card
accounts and the personal information of up to 70 million customers. The
insurance payout, according to Target, will be $90 million, leaving the
company $158 million in the hole -- plus what it paid for cyberattack
insurance.

Home Depot reported $43 million in expenses related to its September 2014
hack, which affected 56 million credit and debit card holders. Insurance
covered only $15 million.

Last week, Sony announced a $15 million tab from the hack against Sony
Pictures Entertainment a few months ago, but would say only that it
received a "substantial portion" back from insurance.

The cyberattack on Anthem, in which Social Security numbers were stolen,
will be covered by insurance and result in a "minimal" financial hit,
according to financial analysts who follow the company.

Premiums and deductibles vary based on the value of the data at risk, a
company's loss history and the strength of its defenses. Strong
cyberdefenses aren't always a ticket to lower premiums, though, because
most breaches stem from more mundane mishaps, such as an employee losing a
laptop full of sensitive information. Such incidents can be just as costly.

Until recently, the appeal of cyberattack insurance has been limited mostly
to big corporations. But smaller companies are now flooding into the
market, industry watchers say, partly driven by mandates from companies
with which they do business. Target's breach is reported to have been
linked to a vulnerability in a computer system used by one of its heating
and air conditioning contractors. To shield themselves from exposure, large
companies are requiring contractors, including engineers, architects and
others, to buy data loss coverage.

Colleges have been another big buyer. Marsh & McLennan, a risk management
company and insurance broker, saw a 58 percent surge from 2013 to 2014 in
the number of colleges buying cyberattack insurance.

Among the groups sitting out the cyberattack insurance rush are technology
start-ups short on cash and deep into their work, said Linda Kornfeld, an
attorney at Kasowitz Benson Torres & Friedman, who advises companies about
cyberattack insurance.

"Many folks are focused on getting their business up and profitable before
looking at risks," she said.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!