The cyber security insurance industry is seeing increased demand as more and more high profile cyber-attacks are embroiling companies in controversy and costing them millions of dollars. While take-up and liability limits continue to rise, as well as the kind of insurance products available, premiums are also rising quickly, research by Marsh shows. This is especially the case in the retail and health sectors that have seen a spate of high profile high cost breaches in recent years.
Cyber-attacks have been steadily increasing in severity and scope in recent years. This year so far has seen a number of breaches potentially affecting hundreds of millions, including among others, the 37 million records stolen from AshleyMadison, 76 million records stolen from JP Morgan Chase, and 145 million customer records copied from eBay’s database. The rise in the number of relatively devastating attacks has come with a rise in the costs, and companies are sometimes paying tens and sometimes hundreds of millions of dollars in damages.
In a bid to protect themselves from further damages, companies are increasingly seeking to insure themselves across various domains of cyber security; from insuring against data loss due to network penetration to lost business from system outages from DoS attacks. In a report released by Marsh, titled ‘Benchmarking Trends: As Cyber Concerns Broaden, Insurance Purchases Rise’, the subsidiary of Marsh Mclennan & Company explores how US businesses are changing their relationship with cyber insurance – covering the years 2013 and 2014.
The take-up of insurance policies across all sectors explored by the consulting firm is up on the previous year. The largest rise in take-up is in the hospitality and gaming industry, jumping 69% from 16% of businesses surveyed to 24%. Education also significantly increases their investment in cyber security coverage, up from 22% in 2013 to 32% in 2014. Healthcare remains the most insured segment, up from 45% in 2013 to 50% in 2014. Communication, media and technology sees the smallest increase of coverage, up from 11% to 12%. The manufacturing industry is the least concerned about cyber security coverage, the sector which saw strong growth of 35%, only increased its coverage from 6% to 8%.
The reasons for increased levels of policy purchases stem from a variety of demands. Some are responding to mandatory requirements from boards for reputation protection, while other fear loss of business following a disruption. In response to increasing demand, insurers have been rolling out more complex products to protect more complex business areas, including for instance, cyber-induced bodily injury and property damages.
The increased take-up of services across the board is also seen in the liability limits purchased by companies with more than a billion in revenues. In all industries, the limit has increased from $27.6 million to $34.1 million. Communication, media and technology (up from $40.3 million to $43.7 million) and services (up from $40.4 million to $41.2 million) have the least liability increase. Healthcare to the contrary, more than doubled its liability limit to $26.4 million, while power and utilities have increased their liability from $35 million to $44.4 million. Liability limits for retail and wholesale increased around a third, up from $20.8 million to $31.4 million.
For companies across all segments, the average limit sits at $12.8 million, up from $11.1 million a year earlier. Companies for the most part have seen increases in their limits, however lower in general than in the above one billion segment. Education providers have seen almost no increase in coverage, while services has even seen a decrease of a million in coverage between 2013 and 2014.
Whereas limits have been increasing, insurers have become considerably more critical of certain segments. Particularly retainers are having difficulties securing coverage in excess of 200 million from aggregate sources. Premiums in some sectors, where the risks are the greatest following high profile breaches, have increased significantly. In healthcare for instance, contracts up for renewal have in some instances been tripled in price, while in the retail sector an average 32% increase has been booked. “Some companies are struggling to find the money to buy the coverage they want,” comments Tom Reagan, a Cyber-insurance Executive with Marsh & McLennan Company’s Marsh Broker Unit.
Insurers are also becoming more active, requiring companies to introduce more than just clear policy directives around cyber security readiness, instead asking companies about their use of encryption technology and whether they have formal incidence response plans for protecting data and vendor networks and whether those systems are functional in real-world-testing.