By DOUGLAS McLEOD, who has covered the insurance industry for more than 20 years.
Most U.S. companies are not yet buying cyberliability insurance despite recent waves of hacking and data loss incidents that have cost companies tens of millions of dollars, market observers say.
While network security and privacy liability policies are a growing business for many insurers, the take-up rate is still lagging, with at most about one-third of potential policyholders opting for the coverage, sources report.
"The market penetration is still woefully low given the exposure," said Lori S. Nugent, a partner and cyberrisk expert with Wilson, Elser, Moskowitz, Edelman & Dicker LLP in Chicago.
Experts offer several explanations for this, including the weak economy, uncertainty about how the policies work, lack of awareness about the exposure and an assumption--often mistaken, legal sources say--that existing general liability or errors and omissions policies will provide coverage.
Cyberliability policies have only been around for a decade and have drawn wider interest only in the last few years, said Richard S. Betterley, president of Betterley Risk Consultants Inc. in Sterling, Mass.
The slow take-up rate "is only surprising if you don't understand how long it takes insureds to understand new coverages, get them into the (risk management) budget and buy the coverage," he said.
Cyberliability's development resembles the early years of employment practices liability insurance, a new product only a decade ago and now a staple of management liability programs, Betterley and others said.
Computer security breaches that expose Social Security and credit card numbers, health records and other personal information are in the news more than ever, not only because the threat is growing but also because an array of state consumer notification laws require disclosure, experts say.
"There's more private information out there being shared and used," said Mark Greisiger, president of NetDiligence, a cybersecurity risk management consultant in Philadelphia. Notification laws are the reason "we're reading about this on a weekly basis."
DataLossDB, a not-for-profit foundation that tracks security breaches, recorded 369 incidents through July of this year that exposed personal identification or health information of 126.7 million consumers. They ranged in size from the loss of a few dozen records to the 77 million customers affected when hackers broke into Sony Corp.'s PlayStation network in April.
This year is already worse than 2010, which saw 555 data breach incidents but only 26.9 million lost records. In 2009, 643 breaches led to 190 million lost records, including 130 million from credit card processor Heartland Payment Systems Inc. of Princeton, N.J., the largest breach on record, according to DataLoss.
Losses stem not only from malicious attacks by hackers, rogue contractors and company insiders, but also from accidents like lost laptop computers and storage devices and inadvertent exposure of confidential data on company websites or in email, Greisiger said.
Malicious or criminal attacks are on the rise, accounting for 31 percent of breaches at 51 U.S. companies last year, up from 24 percent in 2009, according to a study by Ponemon Institute of Traverse City, Mich. Negligence accounted for another 41 percent of breaches in 2010 and network system failures for 27 percent, the study found.
Regardless of the cause, data losses are a mounting expense for companies.
Forty-six states and the District of Columbia have laws requiring companies to notify consumers of data losses, and 12 of these also require reporting to a state authority, typically the attorney general. Companies--particularly those in the financial services and health care industries--are also subject to a variety of federal confidentiality laws.
Compliance means that companies incur costs for data breach investigations, legal advice and setting up mass mailings, call centers and credit monitoring services for consumers.
Companies also increasingly face regulatory fines and penalties, and severe breaches can trigger consumer class-action lawsuits. Sony, for example, has been hit with 55 class actions in the United States and Canada over the PlayStation breach.
In virtually all data breach cases, companies shoulder response costs, though only one in 10 may result in vastly more expensive class-action litigation and regulatory penalties, said Thomas Srail, senior vice president with Willis Group's executive risks practice in Cleveland.
Still, the costs are rising. The average data breach cost companies $7.2 million last year, up 7.3 percent from $6.8 million in 2009, with lost business representing more than half the totals, according to the Ponemon survey, which does not include litigation costs or fines. Those costs translated to $214 per lost record in 2010, up from $204 the year before.
In a survey of 117 actual claims under cyberliability policies between 2005 and 2010, NetDiligence found that the average breach cost $2.4 million. The survey included litigation costs, which averaged $500,000 for defense and $1 million for settlements. Crisis response expenses averaged $800,000, according to the study, which did not estimate lost business.
A sizable number of risk managers and other executives believe--wrongly in many cases--that these costs will be covered under existing general liability or other policies, experts said.
Coverage disputes, which first emerged in the 1990s, continue to this day: Sony and its general liability insurers, Zurich Insurance Co., Mitsui Sumitomo Insurance Co. of America, National Union Fire Insurance Co. of Pittsburgh, Pa., and ACE American Insurance Co., are now suing each other in separate federal courts over coverage of the PlayStation attack under the general liability policies' advertising injury provisions.
While some vaguely worded policies may open the door to coverage in some situations, standard property and liability policies often exclude cyberrisks and courts have found that data loss does not constitute tangible property damage, experts said.
"There is little to no hope that in a normal factual situation you will be able to get first-party or third-party data (loss) coverage from a commercial general liability policy," said John F. Mullen, a partner and cyberrisk specialist with Nelson, Levine, de Luca & Horst in Philadelphia.
"If you have to assume coverage or no coverage, assume no coverage," Willis' Srail said.
Wilson Elser's Nugent pointed out that general liability policies are designed to respond to lawsuits, and that data breaches can produce heavy costs well before any legal action begins.
"The cash flow drain before those things is really significant," she said.
Cyberliability policies, on the other hand, are tailored to respond to such incidents. While provisions vary widely among the 30 or more insurers in the market, the policies generally cover consumer notification and other response costs along with defense and indemnity in privacy liability suits and coverage of regulatory fines and penalties. Several offer breach response services that bring in outside professionals to handle computer forensics, legal advice, consumer mailings, crisis communications and credit monitoring.
Also available is cyberproperty insurance covering damage by viruses or other malware to a company's systems, along with resulting business interruption costs.
Despite the growing exposure and the softness of the cyberrisk market--a function of a rush of new insurers into the line--companies have been slow to take up the coverage so far.
The business is growing, "but not to the degree you'd expect based on what you see in the news," said Jim Whetstone, senior vice president and U.S. technology and privacy manager with Hiscox Inc. in Chicago.
A Betterley survey of 51 middle-market companies with annual sales of $10 million to $500 million found that 35 percent had bought cyberrisk coverage, while 25 percent said they were considering it and 40 percent said they did not plan to buy it.
Only 27 percent of the 164 North American companies responding to a Towers Watson survey earlier this year said they have purchased cyberliability protection.
Others say that even these take-up rates sound high: Nugent said the overall rate may be under 20 percent.
Along with the belief that existing policies cover the risk, many companies don't see themselves as being exposed.
"There's a fair amount of, 'It won't happen to us, we're not big enough,' " Mullen said.
"Current economic conditions are a large contributing factor," said Toby Merrill, vice president with ACE Professional Risk in Philadelphia, noting that the squeeze on risk management budgets may stall buying decisions.
At some companies, information technology departments have pushed back against cyberrisk insurance, seeing it as a criticism of their work and arguing that the money would be better spent on upgrading security technology, said Robert Parisi, senior vice president with Marsh Inc. in New York.
Even companies with the money to buy the coverage are delaying purchases because they don't yet understand how the policies work, an educational process that can take up to a year, said Adam Cottini, vice president with Arthur J. Gallagher & Co. Inc. in New York.
"These are not quick decisions," he said.
Buying habits have varied dramatically by industry, Parisi said.
Financial services and health care companies--heavily regulated and frequent targets of cyberattacks--are also the biggest buyers of cybercoverage, followed by retailers, educational institutions and government entities, market sources say.
Cyberinsurance purchasing is generally on the upswing, though, and the take-up rate is likely to rise in the near future.
"We are definitely seeing boards (of directors) starting to focus on this and senior management starting to focus on this as part of a broader enterprise risk management strategy," Nugent said.
Marketwide gross premiums for cyberrisk products totaled about $800 million last year, a 2011 Betterley market survey estimated, a big jump from $600 million the previous year.
Several insurers said they are seeing year-over-year premium volume rise 20 percent to 30 percent or more.
"We are seeing dramatic growth," with buyers expanding beyond the largest corporations to middle-market Main Street companies, said Parisi of Marsh.
ACE's cyberpolicy count is growing faster than its premium volume, indicating that smaller companies are now buyers, Merrill said. Companies with sales between $5 million and $1 billion are the fastest growing buyer group, he said.
Overall, the widespread public concern over data breaches, the difficulty of containing the risk and the political support for regulatory action are combining to make cyberrisk coverages potentially "the biggest new product opportunity" for insurers to date, a Betterley report last year concluded.
October 15, 2011
Copyright © 2011 LRP Publications