“Cyber insurance” is on the rise, and the insurers and brokers cashing in can thank Target.
While the super-retailer’s infamous 2013 data breach created screaming headlines and huge hassles for the company and its customers, it also fueled a surge in security audits and insurance policies against digital attacks. According to some insurers, once-obscure cyber-insurance policies are now among the nation’s fastest-growing insurance products, and it’s all because of Minneapolis-based Target.
“Target was the poster child of hacking,” said Marc Schein, an adviser at Uniondale-based benefits consulting firm Chernoff Diamond & Co. “This is the new hot topic: companies’ data getting compromised.”
Although Target suffered the most high-profile breach, it isn’t the only national retailer to feel the virtual sting. Irving, Texas-based Michaels Stores in April announced that credit card data for 2.6 million customers had been compromised, and last month, Maryland-based Goodwill Industries International announced a similar breach. Hundreds of smaller breaches have also been reported, further fueling concerns.
To that end, Schein said about 20 percent of his customers now buy cyber-insurance policies.
“Two years ago, nobody wanted to buy this,” he noted. “Now it’s an exposure they realize they don’t have coverage for.”
Known unofficially as “cyber liability coverage,” the policies are designed to shield companies from liability in case hackers tap into customers’ private data, including credit card and bank account numbers, social security numbers and sensitive healthcare information. Policies typically cover potential costs associated with litigation, regulatory compliance, data recovery, forensic auditing and, in the worst cases, reputation management. “Your business was just hacked and everybody knows you’re not as secure as your competitor,” Schein noted. “How do you get your reputation going again?”
Retailers, attorneys, accountants, banks, title companies, healthcare providers and even rival insurers are among the prime cyber-insurance customers, insiders note, because of their access to personal data.
The XL Group, a Dublin-based insurer with U.S. operations in Manhattan, is seeing double-digit growth in cyber insurance sales, primarily to mid-sized and large firms, according to John Coletti, XL Group’s chief underwriting officer for cyber and technology. Adding to the impressive growth rate, Coletti noted, is a slowly developing trend toward requiring such insurance in many business contracts.
“A lot of companies must purchase the coverage to do business with third parties that make it a contractual requirement,” Coletti noted.
While the growth is there, not every company is boarding the cyber-insurance train. Some smaller companies, even those knee-deep in customer data, are balking at the notion of additional insurance premiums; Leslie Tayne, managing director of Melville-based Tayne Law Group, said she and many other small businesses instead “do the best we can to keep the computers as safe as possible with firewalls.”
Some small companies have also been able to roll limited cyber coverage into larger general-liability policies. That’s actually helping lower the costs for cyber-insurance premiums, Schein noted.
“Prices are going down, because more companies are getting into this marketplace,” he said.
But even as those prices slowly fall, market capacity is slowly increasing, according to Coletti, as more insurers look to capitalize on the cyber-insurance trend.
“This is the only insurance line in a growth mode,” Coletti said. “Supply and demand tells you the rates will go down, because more carriers are competing for the same business.”
Rates can also fluctuate based on a company’s specific cyber-security protocols. Yalkin Demirkaya, president of Syosset-based cyber security investigation firm Cyber Diligence, said companies can “mitigate the risk” that hackers will be able to access customer data, thereby reducing their insurance costs.
“If you have a risk of being hacked, you can spend money on detection systems,” Demirkaya said.
Coletti agreed that companies can receive “vastly different quotes” based on different coverage specifications, but Tayne noted that no matter what security protocols are in effect or what kind of cyber-insurance coverage a company may have, breaches both big and small are always a possibility.
“There’s only so much you can do,” the attorney said. “There are people out there who can beat any system. You do the best you can.”