In the market
The headlines about breaches at Target and Neiman Marcus are sending more retail businesses to seek out cyber coverage, say experts. But that is not the only sector where this type of insurance is finding favor, and it's not just popular among the large chains and national players either. Goldstein says Chubb is underwriting policies for a relatively diverse group of organizations, including financial and health care organizations, hotels and restaurant chains, and service providers as well as retail chains. “Of course, any company that collects, stores or transmits private or proprietary information has a cyber security exposure,” Goldstein says, “and should consider whether a cyber insurance policy is right for its needs.”
David Navetta, partner of the InfoLawGroup, Denver, who helped develop cyber insurance products at AIG at the start of last decade, believes we are “only just approaching the upward ramp of the hockey-stick curve of growth in demand for these policies.” He is seeing interest in online coverage moving down-market to small- and midsized companies as they are realizing that they carry risk – often for their own company and information, as well as the larger companies to which they provide services.
Ponemon (left) agrees, saying that in many cases procurement officers at larger companies are starting to demand that their vendor companies have a cyber insurance policy in place to ensure that they are not only covered, but that they have gone through the due diligence that comes with having the policy written. In addition, Ponemon says, he is also seeing marked interest from virtually any concern that deals in high-value intellectual property – such as defense or aerospace contractors and biotech companies.
More companies are buying cyber insurance, and they are also buying more coverage. Cyber insurance limits purchased in 2012 averaged $16.8 million, 20 percent higher than 2011, according to Marsh LLC.
While the metrics for determining risk are improving, they are still a work in progress. Hence, the cost of coverage and amount of coverage still varies widely among the insured. Goldstein says that typically small businesses will pay an average annual premium of between $2,000 to $15,000 for $1 million of cyber liability coverage. For large businesses, the cost for each $1 million of cyber liability coverage would range from about $17,500 to $50,000 or more.
Ponemon agrees that annual premiums in the $12,000 to $15,000 are about on par (62 percent of respondents in the Ponemon survey believe the premiums are fair given the nature of the risk). Navetta says the cost of insurance premiums has gone down over the past five years as the number of insurers offering this type of coverage has grown exponentially, and the business has become more competitive.
Deshuk recommends the purchase of cyber risk insurance from Illinois Union Insurance Company with a coverage of $5 million per occurrence and a $75,000 deductible. The cost of this policy is $37,919.
Policies can also vary in terms of what they specifically cover, but according to Navetta, there are typically three main “insuring agreements” that policies tend to cover. The first insuring agreement relates to data response to the breach where it affects personal information. This typically covers the cost of lawyers or third-party investigators that have to step in, as well as the potential cost of mailing notifications to affected customers and even – sometimes – offering those customers credit or benefits to offset their inconvenience. Sometimes, this part of the policy will extend to cover call-center activities or elements of crisis management. The second insuring agreement covers third-party claims that may arise as a result of the breach – lawsuits by customers, patients or business partners who have suffered costs or compromise by an exposure (say, if a bank sues a retailer for having to reissue credit cards if the retailer is hacked). The third set of insurance agreement can cover so-called cyber extortion scenarios – wherein a hacker breaks in, encrypts a company's database and holds it for ransom.